Deploying an msi application via group policy

[Guest]

Hi
I am trying to deploy an msi application via group policy to a user group,
but it doesnt seem to be working. The users dont have any rights to the local
machine, do they need to be administrators in order for the application to
install?
any help would be great.

ta

 

[Cary Shultz [A.D. MVP]]

Mikal,

You do not deploy applications via GPO to groups. This is your first
problem! You deploy applications either to user account objects or to
computer account objects which directly reside in the OU ( assuming that we
are talking about this level; it is possible that we are talking about
another level...possibly the Site level? ) to which the GPO has been linked.

You have to make sure that the user account objects ( or computer account
objects, but since you are trying to deploy this to user account
objects.... ) have both the Share and NTFS permissions to the shared folder
in which the .msi file is located.

You have to make sure that you tell Active Directory where the .msi file is
via the UNC method ( \\servername\sharename\file.msi ) and not via a mapped
network drive ( n:\someserver\somefolder\file.msi ).

Now, in reference to my first point: it is possible that you are using
Security Group Filtering. This is - on the Security tab of the GPO itself -
where you would remove the group 'Authenticated Users' from the security and
add your own security group. If you have done this you need to make sure
that this group has both the READ and APPLY GROUP POLICY rights.

What troubleshooting have you done? What would the OS on the clients be?

Also, you need to make sure that your clients are pointing O*N*L*Y to your
internal DNS Servers ( and not to any external DNS Servers - such as your
ISP's ) in their TCP/IP configuration settings.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

 

[Guest]

Hi Cary thanks for your reply
I should have been a bit more clearer - i am appling the group policy to OU
containers in Active Directory - im am pushing out a logon script to users to
install the msi, the OS is win2k - I am using a login script to push the msi
on win2k machines as if I use group policy it just sits in add/remove
programs

as trouble shooting I have made sure there anre any local policies affecting
installation and have made sure that the msi works (which it does under admin
account) I have run the script (batch file) from the command prompt and that
works fine

I also tried assigning the policy to a machine but this failed too, i'm
assuming it failed as it was unable to get a network connection. hence find
the path of the msi

 

[Adam Drayer]

If you publish the MSI, it will just sit in add/remove programs waiting for
the user to install it. You need to assign it. You can, however, only
assign MSIs to computer accounts, not to user accounts. Therefore, if you
wish for the program to install itself on startup, you'll need to move the
GPO to an OU that contains the computer accounts, not the user accounts.

 

[Cary Shultz [A.D. MVP]]

Adam,

I would like to respectfully disagree with what you have written....well, in
part.

You can indeed publish and assign GPOs to user account objects while you can
O*N*L*Y assign GPOs to computer account objects. When you assign the
application via GPO to the user account side then it will be automagically
installed ( assuming that everything is in place ) when the user logs on.
When you assign the application via GPO to the computer account side then it
will be automagically installed when the computer reboots. However, when
you publish the application via GPO to the user side ( NOTE: this is not
available to the computer side ) then the application will appear in the
Add/Remove Software and will only be installed once the user goes there and
selects it.

So, the original poster can keep the software GPO on the user side and
either assign it or publish it. Were the original poster to move it to the
computer side then he would have but one choice - to assign it.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

 

[Cary Shultz [A.D. MVP]]

Mikal,

I am sorry but I am still confused with what it is exactly that you have
tried.

What is the application that you are trying to deploy via Group Policy?
Does it come with a 'native' .msi file? or are you creating a .msi file (
there are several ways )?

Not sure that pushing it out via logon script is the correct way! But that
all depends on what you are trying to install.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

 

[Guest]

Hi Cary
thanks for your help on this
What I am trying to do is to deploy trend office scan to various PC's on an
Active Directory network. the PC's are running both windows XP and windows
2000. Trend office scan has a tool for creating a MSI - I have used this tool
and have run the MSI on a local PC logged in as administrator and it works.
When I go to assign the MSI to a computer through group policy it doesnt
work - I'm assiming its because the computer is unable to find the path which
in my case is eg \\server\data\file.msi when i assign it to a user i get a
message saying that the user doesnt have rights to install the application so
I'm assuming that the user needs to be an administrator
so i guess what I want to know is if u assign a policy to deploy a msi to a
user should it deploy regardless of user rights on the local machine?
(regardless of OS win2k or XP) cause at the moment it doesnt seem to be
working

 

[Cary Shultz [A.D. MVP]]

Mikal,

Does Trend Micro not have a built-in ability to push the client software
down to the computers? Thus, there should be no need to use GPO at all,
right?

Now, assuming that you are using a version with which I am not familiar (
more than probable ) I would suggest that this would be something that you
would be deploying to the computer side of things! This would make the most
sense to me. It really has nothing to do with the user side of things at
all so I do not see the rationale for using the user side.

Assuming that Trend Micro does not have the ability to push the client
software down to the computers I would suggest linking this GPO to the OU
that contains the computer account objects.

What version of Trend Micro are you using? Have you contacted their support
team for help deploying this. It is a really nice piece of software that
does a lot of things well.....

And you are most welcome for any help that I might be able to give you.
Always glad to help!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

 

[Guest]

Thanks again cary

when I assign the policy to computer accounts it doesnt work, when I check
event viewer it says that the netowrk path could not be found - I'm assuming
this is becuase the network card hasnt kicked in yet while the computer
script is running?
is this normal?

I am using trend 7.0 and yes you are righ it does have a deploy tool, but im
required to login as an admin when I deploy it - however i do need to need to
investigate this further?

ta

 

[Cary Shultz [A.D. MVP]]

No problem!

Have you tried running it as a start up script instead of a logon script?
That might make more sense, assuming that you are going to not use the
built-in ability ( not sure why you would not do that, but this is your
baby, not mine! ). I might strongly suggest that you get on the phone with
the Support Team at Trend Micro and figure out how to use it 'the right
way'. Sorry, that is a bit judgmental on my part. But, it will really help
you out and reduce your 'Administrative Overhead'.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

 

[Guest]

Thanks Cary for all your help

I think I will give Trend Micro a call and see what they can suggest for
deployment

thanks again

Mikal

 

[Adam Drayer]

No problem. I don't know how I got that backwards! Back to the books for
me it seems. Sorry bout that Mikal