Software distribution fails on client computers, but works..

Guest
Archived from groups: microsoft.public.windows.group_policy,microsoft.public.win2000.group_policy

Hi all,

I am having trouble with the software distribution feature of the Active
Directory.

I would like to assign an MSI-Package to all computers in the domain. I
did the following:
- I created a share containing the package. I granted
Read/Exec-Permissions to Everyone and Full Control to the
Administrators. I applied the same security settings to the folder. I
also tried granting anonymous users access.

- I registered the package in the default domain policy using
\\server\share\xx.msi as source path. I tried both granting
Authenticated Users or Everyone access to the GPO.

Now when I restart the domain controller, everything works fine - the
software is installed before the logon window appears. However, when I
restart a workstation, an event log entry "Changes to software
installation settings were applied successfully" is created, but the
software is not installed.
Furthermore, in the Add/Remove Programs tool, my package does not
appear. The category however is visible.
On the domain controller, both the category and the package appear.

My guess is that there is something wrong with my security settings. But
I do not know which ACL to adjust other than the ones of the folder, the
share and the GPO. I am also not sure which account the workstation uses
to access the share.

Any suggestions?

Thanks,
Jo
 
Guest

Jo,

I would suggest this:

On the folder that holds the application I would grant Domain Admins 'Full
Control' on both the Share and NTFS permissions. You might want to use
Administrators instead of Domain Admins....your call. I would also grant
Domain Computers simply 'Read' on both the Share and NTFS permissions.
This should take care of things as far as that goes. Just a hint: I like
to hide the shared folder when deploying software via GPO so that this
shared folder does not show up when users are browsing the network. You
accomplish this by appending the "$" at the end of the share name. So, if
you have a folder called Office 2003 and you share it as OFF2K03 I would
share it as OFF2K03$ so that it is hidden. Now, if you do a net share it
will still show up....

I am not sure what you mean by 'registered the package'...I can only assume
that you mean that you created the deployment package as part of the Default
Domain Policy. There are a couple of schools of thought about that. One
school of thought suggests that you should leave the Default Domain Policy
as-is and create any additional GPOs as new and separate GPOs. Another
school of thought suggests that you should put all of the 'GPOs' that you
will create to the computer configuration side of things inside of one GPO
and that you should put all of the 'GPOs' that you will create to the user
configuration side of things inside another GPO. Thus, you would have only
four GPOs in your domain: the Default Domain Policy, the Default Domain
Controller Policy and then the Computer Policy and the User Policy. There
is yet another school of thought that suggests that you should create each
GPO individually and then, after time has passed, combine them into one or
two ( whatever the case might be ) larger GPOs. The thought process being
that you can better troubleshoot any problems. After all the kinks have
been worked out you could combine them into one big one. I am a fan of
whatever works.

But I digress.

The software is indeed installed when you reboot a domain controller. But
it does not when you reboot a workstation. It looks like it is and you get
the message that it installed but it is not there. Have you looked on the
workstation in the event logs? What type of errors do you see? There
should be some.

Do you change anything on the security tab of the GPO itself? The security
group 'Authenticated Users' is generally given both the READ and APPLY GROUP
POLICY rights. Do you have this group or did you change it to something
else?

What troubleshooting have you done? Have you used GPOTool or GPResults?

What are the operating systems involved?

HTH,

Cary



"Jo Siffert" <jo.siffert@gmx.net> wrote in message
news:%23WCSiX$uEHA.3808@TK2MSFTNGP15.phx.gbl...
> Hi all,
>
> I am having trouble with the software distribution feature of the Active
> Directory.
>
> I would like to assign an MSI-Package to all computers in the domain. I
> did the following:
> - I created a share containing the package. I granted
> Read/Exec-Permissions to Everyone and Full Control to the
> Administrators. I applied the same security settings to the folder. I
> also tried granting anonymous users access.
>
> - I registered the package in the default domain policy using
> \\server\share\xx.msi as source path. I tried both granting
> Authenticated Users or Everyone access to the GPO.
>
> Now when I restart the domain controller, everything works fine - the
> software is installed before the logon window appears. However, when I
> restart a workstation, an event log entry "Changes to software
> installation settings were applied successfully" is created, but the
> software is not installed.
> Furthermore, in the Add/Remove Programs tool, my package does not
> appear. The category however is visible.
> On the domain controller, both the category and the package appear.
>
> My guess is that there is something wrong with my security settings. But
> I do not know which ACL to adjust other than the ones of the folder, the
> share and the GPO. I am also not sure which account the workstation uses
> to access the share.
>
> Any suggestions?
>
> Thanks,
> Jo
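
The permission layout suggested in the reply above (computer accounts with Read on both the share and the NTFS ACL, nothing broader) can be checked with a short audit. This is an added example, not part of the thread: it assumes a file server with the `Get-SmbShareAccess` cmdlet (Windows Server 2012 or later), the share name is the one from the reply, and the folder path is a placeholder. It matches well-known SIDs rather than group names so it behaves the same on German and English systems.

```powershell
# Added example (not from the thread). Run on the file server that hosts the package.
# $ShareName and $FolderPath are placeholder values.
param(
    [string]$ShareName  = 'OFF2K03$',
    [string]$FolderPath = 'D:\Deploy\Office2003'
)
$FsRights = [System.Security.AccessControl.FileSystemRights]
$SidType  = [System.Security.Principal.SecurityIdentifier]

# Groups that contain computer accounts: Everyone, Authenticated Users, Domain Computers (RID 515).
function Test-CoversComputers([string]$Sid) {
    $Sid -eq 'S-1-1-0' -or $Sid -eq 'S-1-5-11' -or $Sid -match '^S-1-5-21-[\d-]+-515$'
}

# Share-level ACEs: translate each account name to its SID.
$share = Get-SmbShareAccess -Name $ShareName | ForEach-Object {
    $sid = (New-Object System.Security.Principal.NTAccount($_.AccountName)).Translate($SidType).Value
    [pscustomobject]@{ Sid = $sid; Allow = ("$($_.AccessControlType)" -eq 'Allow'); Right = "$($_.AccessRight)" }
}
# NTFS ACEs (explicit and inherited), returned with SIDs as identities.
$ntfs = (Get-Acl -Path $FolderPath).GetAccessRules($true, $true, $SidType) | ForEach-Object {
    [pscustomobject]@{ Sid    = $_.IdentityReference.Value
                       Allow  = ("$($_.AccessControlType)" -eq 'Allow')
                       Rights = $_.FileSystemRights }
}

# Effective access is the intersection of share and NTFS permissions, so both must allow read.
$shareRead = $share | Where-Object { $_.Allow -and (Test-CoversComputers $_.Sid) }
$ntfsRead  = $ntfs  | Where-Object { $_.Allow -and (Test-CoversComputers $_.Sid) -and
                 (($_.Rights -band $FsRights::ReadAndExecute) -eq $FsRights::ReadAndExecute) }
$denies    = @($share) + @($ntfs) | Where-Object { -not $_.Allow -and (Test-CoversComputers $_.Sid) }

if (-not $shareRead) { Write-Warning "No share ACE gives computer accounts Read on $ShareName" }
if (-not $ntfsRead)  { Write-Warning "No NTFS ACE gives computer accounts Read & Execute on $FolderPath" }
if ($denies)         { Write-Warning "Deny ACE(s) hit computer accounts: $($denies.Sid -join ', ')" }

# Over-broad grants on a package source: any ANONYMOUS LOGON access, or Everyone with more than read.
@($share) + @($ntfs) | Where-Object { $_.Allow -and $_.Sid -eq 'S-1-5-7' } |
    ForEach-Object { Write-Warning "ANONYMOUS LOGON has access to the package source" }
$share | Where-Object { $_.Allow -and $_.Sid -eq 'S-1-1-0' -and $_.Right -ne 'Read' } |
    ForEach-Object { Write-Warning "Share grants $($_.Right) to Everyone" }
$ntfs | Where-Object { $_.Allow -and $_.Sid -eq 'S-1-1-0' -and ($_.Rights -band $FsRights::WriteData) } |
    ForEach-Object { Write-Warning "NTFS grants write rights ($($_.Rights)) to Everyone" }
```

No output means computer accounts can read the package and no broad principal can modify it.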
 
Guest

Hi Cary,

I found out that the reason for the software not being installed on the
client machines was the language setting - my DC is German, my clients
are English and the software was German again... when I used the Ignore
Language-setting, everything worked fine.

But thanks a lot for your hints though.

Jo

Cary Shultz [A.D. MVP] wrote:
> Jo,
>
> I would suggest this:
>
> On the folder that holds the application I would grant Domain Admins 'Full
> Control' on both the Share and NTFS permissions. You might want to use
> Administrators instead of Domain Admins....your call. I would also grant
> Domain Computers simply 'Read' on both the Share and NTFS permissions.
> This should take care of things as far as that goes. Just a hint: I like
> to hide the shared folder when deploying software via GPO so that this
> shared folder does not show up when users are browsing the network. You
> accomplish this by appending the "$" at the end of the share name. So, if
> you have a folder called Office 2003 and you share it as OFF2K03 I would
> share it as OFF2K03$ so that it is hidden. Now, if you do a net share it
> will still show up....
>
> I am not sure what you mean by 'registered the package'...I can only assume
> that you mean that you created the deployment package as part of the Default
> Domain Policy. There are a couple of schools of thought about that. One
> school of thought suggests that you should leave the Default Domain Policy
> as-is and create any additional GPOs as new and separate GPOs. Another
> school of thought suggests that you should put all of the 'GPOs' that you
> will create to the computer configuration side of things inside of one GPO
> and that you should put all of the 'GPOs' that you will create to the user
> configuration side of things inside another GPO. Thus, you would have only
> four GPOs in your domain: the Default Domain Policy, the Default Domain
> Controller Policy and then the Computer Policy and the User Policy. There
> is yet another school of thought that suggests that you should create each
> GPO individually and then, after time has passed, combine them into one or
> two ( whatever the case might be ) larger GPOs. The thought process being
> that you can better troubleshoot any problems. After all the kinks have
> been worked out you could combine them into one big one. I am a fan of
> whatever works.
>
> But I digress.
>
> The software is indeed installed when you reboot a domain controller. But
> it does not when you reboot a workstation. It looks like it is and you get
> the message that it installed but it is not there. Have you looked on the
> workstation in the event logs? What type of errors do you see? There
> should be some.
>
> Do you change anything on the security tab of the GPO itself? The security
> group 'Authenticated Users' is generally given both the READ and APPLY GROUP
> POLICY rights. Do you have this group or did you change it to something
> else?
>
> What troubleshooting have you done? Have you used GPOTool or GPResults?
>
> What are the operating systems involved?
>
> HTH,
>
> Cary
 
Guest

Jo,

I really should have known that!

Did not even think that there were multiple languages going on....

Cary
"Jo Siffert" <jo.siffert@gmx.net> wrote in message
news:O0pKyyLvEHA.2804@TK2MSFTNGP14.phx.gbl...
> Hi Cary,
>
> I found out that the reason for the software not being installed on the
> client machines was the language setting - my DC is German, my clients
> are English and the software was German again... when I used the Ignore
> Language-setting, everything worked fine.
>
> But thanks a lot for your hints though.
>
> Jo