Software distribution fails on client computers, but works..

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy (More info?)

Hi all,

I am having trouble with the software distribution feature of the Active
Directory.

I would like to assign a MSI-Package to all computers in the domain. I
did the following:
- I created a share containing the package. I granted
Read/Exec-Permissions to Everyone and Full COntrol to the
Administrators. I applied the same security settings to the folder. I
also tried granting anonymous users access.

- I registered the package in the default domain policy using
\\server\share\xx.msi as source path. I tried both granting
Authenticated Users or Everyone access to the GPO.

Now when I restart the domain controller, everything works fine - the
software is installed before the logon window apears. However, when I
restart a workstation, a event log entry "Changes to software
installation settings were applied successfully" is created, but the
software is not installed.
Furthermore, in the Add/Remove Programs tool, my package does not
appear. The category however is visible.
On the domain controller, both the category and the package appears.

My guess is that there is something wrong with my security settings. But
I do not know which ACL to adjust other than the ones of the folder, he
share and the GPO. I am also not sure which account the workstation uses
to access the share.

Any suggestions?

Thanks,
Jo
3 answers Last reply
More about software distribution fails client computers works
  1. Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy (More info?)

    Jo,

    I would suggest this:

    On the folder that holds the application I would grant Domain Admins 'Full
    Control' on both the Share and NTFS permissions. You might want to use
    Administrators instead of Domain Admins....your call. I would also grant
    Domain Computers simply 'Read' on both the Share and NTFS permissions.
    This should take care of things as far as that goes. Just a hint: I like
    to hide the shared folder when deploying software via GPO so that this
    shared folder does not show up when users are browsing the network. You
    accomplish this by appending the "$" at the end of the share name. So, if
    you have a folder called Office 2003 and you share it as OFF2K03 I would
    share it as OFF2K03$ so that it is hidden. Now, if you do a net share it
    will still show up....

    I am not sure what you mean by 'registered the package'...I can only assume
    that you mean that you created the deployment package as part of the Default
    Domain Policy. There are a couple of schools of thought about that. One
    school of thought suggests that you should leave the Default Domain Policy
    as-is and create any additional GPOs as new and separate GPOs. Another
    school of thought suggests that you should put all of the 'GPOs' that you
    will create to the computer configuration side of things inside of one GPO
    and that you should put all of the 'GPOs' that you will create to the user
    configuration side of things inside another GPO. Thus, you would have only
    four GPOs in your domain: the Default Domain Policy, the Default Domain
    Controller Policy and then the Computer Policy and the User Policy. There
    is yet another school of thought that suggests that you should create each
    GPO individually and then, after time has passed, combine them into one or
    two ( whatever the case might be ) larger GPOs. The thought process being
    that you can better troubleshoot any problems. After all the kinks have
    been worked out you could combine them into one big one. I am a fan of
    whatever works.

    But I digress.

    The software is indeed installed when you reboot a domain controller. But
    it does not when you reboot a workstation. It looks like it is and you get
    the message that it installed but it is not there. Have you looked on the
    workstation in the event logs? What type of errors do you see? There
    should be some.

    Do you change anything on the security tab of the GPO itself? The security
    group 'Authenticated Users' is generally given both the READ and APPLY GROUP
    POLICY rights. Do you have this group or did you change it to something
    else?

    What troubleshooting have you done? Have you used GPOTool or GPResults?

    What are the operating systems involved?

    HTH,

    Cary


    "Jo Siffert" <jo.siffert@gmx.net> wrote in message
    news:%23WCSiX$uEHA.3808@TK2MSFTNGP15.phx.gbl...
    > Hi all,
    >
    > I am having trouble with the software distribution feature of the Active
    > Directory.
    >
    > I would like to assign a MSI-Package to all computers in the domain. I
    > did the following:
    > - I created a share containing the package. I granted
    > Read/Exec-Permissions to Everyone and Full COntrol to the
    > Administrators. I applied the same security settings to the folder. I
    > also tried granting anonymous users access.
    >
    > - I registered the package in the default domain policy using
    > \\server\share\xx.msi as source path. I tried both granting
    > Authenticated Users or Everyone access to the GPO.
    >
    > Now when I restart the domain controller, everything works fine - the
    > software is installed before the logon window apears. However, when I
    > restart a workstation, a event log entry "Changes to software
    > installation settings were applied successfully" is created, but the
    > software is not installed.
    > Furthermore, in the Add/Remove Programs tool, my package does not
    > appear. The category however is visible.
    > On the domain controller, both the category and the package appears.
    >
    > My guess is that there is something wrong with my security settings. But
    > I do not know which ACL to adjust other than the ones of the folder, he
    > share and the GPO. I am also not sure which account the workstation uses
    > to access the share.
    >
    > Any suggestions?
    >
    > Thanks,
    > Jo
  2. Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy (More info?)

    Hi Cary,

    I found out that the reason for the software not beeing installed on the
    client machines was the language setting - my DC is German, my clients
    are English and the software was German again... when I used the Ignore
    Language-setting, everything worked fine.

    But thanks a lot for your hints though.

    Jo

    Cary Shultz [A.D. MVP] wrote:
    > Jo,
    >
    > I would suggest this:
    >
    > On the folder that holds the application I would grant Domain Admins 'Full
    > Control' on both the Share and NTFS permissions. You might want to use
    > Administrators instead of Domain Admins....your call. I would also grant
    > Domain Computers simply 'Read' on both the Share and NTFS permissions.
    > This should take care of things as far as that goes. Just a hint: I like
    > to hide the shared folder when deploying software via GPO so that this
    > shared folder does not show up when users are browsing the network. You
    > accomplish this by appending the "$" at the end of the share name. So, if
    > you have a folder called Office 2003 and you share it as OFF2K03 I would
    > share it as OFF2K03$ so that it is hidden. Now, if you do a net share it
    > will still show up....
    >
    > I am not sure what you mean by 'registered the package'...I can only assume
    > that you mean that you created the deployment package as part of the Default
    > Domain Policy. There are a couple of schools of thought about that. One
    > school of thought suggests that you should leave the Default Domain Policy
    > as-is and create any additional GPOs as new and separate GPOs. Another
    > school of thought suggests that you should put all of the 'GPOs' that you
    > will create to the computer configuration side of things inside of one GPO
    > and that you should put all of the 'GPOs' that you will create to the user
    > configuration side of things inside another GPO. Thus, you would have only
    > four GPOs in your domain: the Default Domain Policy, the Default Domain
    > Controller Policy and then the Computer Policy and the User Policy. There
    > is yet another school of thought that suggests that you should create each
    > GPO individually and then, after time has passed, combine them into one or
    > two ( whatever the case might be ) larger GPOs. The thought process being
    > that you can better troubleshoot any problems. After all the kinks have
    > been worked out you could combine them into one big one. I am a fan of
    > whatever works.
    >
    > But I digress.
    >
    > The software is indeed installed when you reboot a domain controller. But
    > it does not when you reboot a workstation. It looks like it is and you get
    > the message that it installed but it is not there. Have you looked on the
    > workstation in the event logs? What type of errors do you see? There
    > should be some.
    >
    > Do you change anything on the security tab of the GPO itself? The security
    > group 'Authenticated Users' is generally given both the READ and APPLY GROUP
    > POLICY rights. Do you have this group or did you change it to something
    > else?
    >
    > What troubleshooting have you done? Have you used GPOTool or GPResults?
    >
    > What are the operating systems involved?
    >
    > HTH,
    >
    > Cary
    >
    >
    >
    > "Jo Siffert" <jo.siffert@gmx.net> wrote in message
    > news:%23WCSiX$uEHA.3808@TK2MSFTNGP15.phx.gbl...
    >
    >>Hi all,
    >>
    >>I am having trouble with the software distribution feature of the Active
    >>Directory.
    >>
    >>I would like to assign a MSI-Package to all computers in the domain. I
    >>did the following:
    >>- I created a share containing the package. I granted
    >>Read/Exec-Permissions to Everyone and Full COntrol to the
    >>Administrators. I applied the same security settings to the folder. I
    >>also tried granting anonymous users access.
    >>
    >>- I registered the package in the default domain policy using
    >>\\server\share\xx.msi as source path. I tried both granting
    >>Authenticated Users or Everyone access to the GPO.
    >>
    >>Now when I restart the domain controller, everything works fine - the
    >>software is installed before the logon window apears. However, when I
    >>restart a workstation, a event log entry "Changes to software
    >>installation settings were applied successfully" is created, but the
    >>software is not installed.
    >>Furthermore, in the Add/Remove Programs tool, my package does not
    >>appear. The category however is visible.
    >>On the domain controller, both the category and the package appears.
    >>
    >>My guess is that there is something wrong with my security settings. But
    >>I do not know which ACL to adjust other than the ones of the folder, he
    >>share and the GPO. I am also not sure which account the workstation uses
    >>to access the share.
    >>
    >>Any suggestions?
    >>
    >>Thanks,
    >> Jo
    >
    >
    >
  3. Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy (More info?)

    Jo,

    Haette ich doch mal wissen muessen!

    Did not even think that there were multiple languages going on....

    Cary
    "Jo Siffert" <jo.siffert@gmx.net> wrote in message
    news:O0pKyyLvEHA.2804@TK2MSFTNGP14.phx.gbl...
    > Hi Cary,
    >
    > I found out that the reason for the software not beeing installed on the
    > client machines was the language setting - my DC is German, my clients
    > are English and the software was German again... when I used the Ignore
    > Language-setting, everything worked fine.
    >
    > But thanks a lot for your hints though.
    >
    > Jo
    >
    > Cary Shultz [A.D. MVP] wrote:
    > > Jo,
    > >
    > > I would suggest this:
    > >
    > > On the folder that holds the application I would grant Domain Admins
    'Full
    > > Control' on both the Share and NTFS permissions. You might want to use
    > > Administrators instead of Domain Admins....your call. I would also
    grant
    > > Domain Computers simply 'Read' on both the Share and NTFS permissions.
    > > This should take care of things as far as that goes. Just a hint: I
    like
    > > to hide the shared folder when deploying software via GPO so that this
    > > shared folder does not show up when users are browsing the network. You
    > > accomplish this by appending the "$" at the end of the share name. So,
    if
    > > you have a folder called Office 2003 and you share it as OFF2K03 I would
    > > share it as OFF2K03$ so that it is hidden. Now, if you do a net share
    it
    > > will still show up....
    > >
    > > I am not sure what you mean by 'registered the package'...I can only
    assume
    > > that you mean that you created the deployment package as part of the
    Default
    > > Domain Policy. There are a couple of schools of thought about that.
    One
    > > school of thought suggests that you should leave the Default Domain
    Policy
    > > as-is and create any additional GPOs as new and separate GPOs. Another
    > > school of thought suggests that you should put all of the 'GPOs' that
    you
    > > will create to the computer configuration side of things inside of one
    GPO
    > > and that you should put all of the 'GPOs' that you will create to the
    user
    > > configuration side of things inside another GPO. Thus, you would have
    only
    > > four GPOs in your domain: the Default Domain Policy, the Default Domain
    > > Controller Policy and then the Computer Policy and the User Policy.
    There
    > > is yet another school of thought that suggests that you should create
    each
    > > GPO individually and then, after time has passed, combine them into one
    or
    > > two ( whatever the case might be ) larger GPOs. The thought process
    being
    > > that you can better troubleshoot any problems. After all the kinks have
    > > been worked out you could combine them into one big one. I am a fan of
    > > whatever works.
    > >
    > > But I digress.
    > >
    > > The software is indeed installed when you reboot a domain controller.
    But
    > > it does not when you reboot a workstation. It looks like it is and you
    get
    > > the message that it installed but it is not there. Have you looked on
    the
    > > workstation in the event logs? What type of errors do you see? There
    > > should be some.
    > >
    > > Do you change anything on the security tab of the GPO itself? The
    security
    > > group 'Authenticated Users' is generally given both the READ and APPLY
    GROUP
    > > POLICY rights. Do you have this group or did you change it to something
    > > else?
    > >
    > > What troubleshooting have you done? Have you used GPOTool or GPResults?
    > >
    > > What are the operating systems involved?
    > >
    > > HTH,
    > >
    > > Cary
    > >
    > >
    > >
    > > "Jo Siffert" <jo.siffert@gmx.net> wrote in message
    > > news:%23WCSiX$uEHA.3808@TK2MSFTNGP15.phx.gbl...
    > >
    > >>Hi all,
    > >>
    > >>I am having trouble with the software distribution feature of the Active
    > >>Directory.
    > >>
    > >>I would like to assign a MSI-Package to all computers in the domain. I
    > >>did the following:
    > >>- I created a share containing the package. I granted
    > >>Read/Exec-Permissions to Everyone and Full COntrol to the
    > >>Administrators. I applied the same security settings to the folder. I
    > >>also tried granting anonymous users access.
    > >>
    > >>- I registered the package in the default domain policy using
    > >>\\server\share\xx.msi as source path. I tried both granting
    > >>Authenticated Users or Everyone access to the GPO.
    > >>
    > >>Now when I restart the domain controller, everything works fine - the
    > >>software is installed before the logon window apears. However, when I
    > >>restart a workstation, a event log entry "Changes to software
    > >>installation settings were applied successfully" is created, but the
    > >>software is not installed.
    > >>Furthermore, in the Add/Remove Programs tool, my package does not
    > >>appear. The category however is visible.
    > >>On the domain controller, both the category and the package appears.
    > >>
    > >>My guess is that there is something wrong with my security settings. But
    > >>I do not know which ACL to adjust other than the ones of the folder, he
    > >>share and the GPO. I am also not sure which account the workstation uses
    > >>to access the share.
    > >>
    > >>Any suggestions?
    > >>
    > >>Thanks,
    > >> Jo
    > >
    > >
    > >
Ask a new question

Read More

Policy Distribution Computers Microsoft Software Windows