Deploying Software with Computer GPO Errors

Guest

Hello,
Sorry for the long post but I need to explain this I think.
In our office we have been trying to experiment with deploying software via
Group Policies in the Computer Policy. We have tried using WinInstall to
create MSI packages and we thought we did something wrong, but we just tried
to deploy office 2003 pro. We created a MST, set it up via a computer
policy, set the permissions on the share with Administrators having full
control, everyone and SYSTEM having read only, and Domain Computers with
Change/Read. Inside that share is the Office 2003 folder, permissions:
Administrators - Full, CREATOR OWNER - Full, SYSTEM - Full, and Users -
Read/Execute. Setup the Software Installation default location to the share,
created a package for Office with MST. When PC in the test OU boots, it says
installing managed software Office 2003 Professional, however it only tries
for about a minute and gives an error:
Event Type: Error
Event Source: Application Management
Event Category: None
Event ID: 102
Date: 9/24/2004
Time: 5:07:22 PM
User: NT AUTHORITY\SYSTEM
Computer: MCRAIG2
Description:
The install of application Microsoft Office Professional Edition 2003 from
policy Office 2003 Admin Install failed. The error was : The installation
source for this product is not available. Verify that the source exists and
that you can access it.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Now if I do the same thing via a User Install it seems to work fine.
Does anyone know what I am doing wrong? I figure it might be permissions,
but I am not sure.

Thank you,
Nathan
 
Chriss3 [MVP]

Hello Nathan,
When you deploy software within a GPO at the Computer Configuration level,
the package is about to be installed during computer startup, then the
computer uses its own account to access the package on the network share.
You may change permission and grant Domain Computers group or something
that allows the client to use its computer account to access the package.
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Guest

Chris,
Thank you for replying. Since your message, I have added the Domain
Computers to both the share and folder permissions as well as the individual
computer accounts for the two PC's I am testing. Both still give the Cannot
find installation source message. Strangely enough, one of the PC's is
returning the following error right before it starts to run the managed
software install:
Event Type: Warning
Event Source: EventSystem
Event Category: (52)
Event ID: 4356
Date: 9/27/2004
Time: 4:00:24 PM
User: N/A
Computer: REGSN75SH701
Description:
The COM+ Event System failed to create an instance of the subscriber
partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{6295DF2D-35EE-11D1-8707-00C04FD93327}. CoGetObject returned HRESULT 8000401A.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Also, on the PC that doesn't give that error, it seems to be creating the
Microsoft Office Folder in the start menu with fake icons, but when you click
on one I get a message along the line of that action is not valid. I do have
the package set to advanced. Should that be changed to assigned? And would
you have any more ideas?

Thanks.
 
Chriss3 [MVP]

Nathan, I recommend you try with Share Permission Everyone Full Control
and see what happens.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Cary Shultz [A.D. MVP]

Good evening, Chris! I hope that you are dreaming of Active Directory ( and
not still working! ).

Nathan,

I am going to take a stab at this: Have you entered the path to the .msi
file as a mapped network drive? You need to use the UNC path! So, instead
of entering F:\applications\office2003\file.msi you would need to enter
\\servername\sharename\file.msi.

I would try this. Assuming that this is what you did, then I might work on
the Share and NTFS permissions. All you really need ( and this is simply a
matter of opinion ) is Administrators @ Full Control and Domain Computers @
Read. Now, if this is on a DC this will work just fine. If this is on a
File Server then I might use Domain Admins @ Full Control instead of
Administrators....

HTH,

Cary
 
Cary Shultz [A.D. MVP]

Nathan,

I typically create a folder called APPLICATIONS that contains all of the
shared folders ( Office 2000, Office XP, Office 2003, Adobe Reader, etc. ).
The folders inside of the APPLICATIONS folder are the folders that are
actually shared. I like to deploy Office to the user configuration side of
things - but that does not always happen due to requirements - so I
typically give either Administrators ( if on a Domain Controller that is
also the File Server ) or Domain Admins ( if on a member server that is the
File Server ) Full Control on both the Share and NTFS permissions and either
Domain Users or Domain Computers simply Read. This is all you really need.
I would not bother with any other permissions.....Unless there are specific
reasons.

Once you have set up the directory structure and set the share and NTFS
permissions, you should do the Administrative Installation. This is simply
a matter of dropping in the CD-ROM drive and using setup.exe /a and then
entering the PID and a path to the AIP ( so, OFF2K if you are doing Office
2000 or, in your case, OFF2K3 for Office 2003 ). This is the second part of
the process.

The third and final part of the process is creating the GPO. This might
require that you create an OU and then move the appropriate account objects
to that OU. Remember, GPOs apply to user or computer account objects that
are directly located in the OU to which the GPO is linked. So, you create
the OU and move the desired computer account objects into that OU. You can
then create the GPO. When you create the package you want to make sure that
you use the UNC path to the *.msi file ( data1.msi in Office 2000 ). So,
you would enter something like \\dc01\off2k3\file.msi...... You would need
to make sure that you do Advanced Assign ( since you are doing this to the
computer configuration side of things this [Assign ] is the only option.
Were you doing this to the user configuration side of things both Assign and
Publish would be available to you ). Don't forget to add the path to the
.mst file on the appropriate tab. And you need to use the UNC method here
as well.

In fact, for troubleshooting purposes I would suggest that you do not use
the .mst file for the time being. This should have absolutely nothing to do
with your problem but let's remove as much as possible so that we are
dealing with the bare bones...

Give everything time to replicate ( should you have multiple DCs ) and then
restart the computers in question. What happens? If nothing happens, then
I would suggest that you take a look at GPOTOOL and GPRESULT and possibly
even your replication ( via replmon and repadmin ). However, if there is
only one DC then we probably do not need to worry about AD Replication or
FRS Replication, do we?

Make sure that the clients have the correct DNS information ( if they joined
the domain then they probably do.......but let's just make sure ). They
should be pointing to your internal DNS Server(s) only!

Also, do not forget that there are EventIDs on both the Server and the
client....

You might want to take a look at the following link:

http://www.eventid.net/display.asp?eventid=102

HTH,

Cary
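
The checks described in the post above (UNC package path, Domain Computers with Read on both the share and NTFS ACLs) can be verified from an admin workstation. The PowerShell below is an added example, not part of the original thread: CONTOSO is a placeholder domain name, the package path is the illustrative one from the post, and it assumes a file server that exposes the SmbShare cmdlets (Windows Server 2012 or later).

```powershell
# Added example, not from the thread. CONTOSO is a placeholder domain and the
# package path is the illustrative one from the post. Needs the SmbShare module.
param(
    [string]$PackagePath = '\\dc01\off2k3\file.msi',
    [string]$Domain      = 'CONTOSO'
)

# Computer-assigned packages install at startup, before any user's drive
# mappings exist, so the path must be UNC (\\server\share\...\file.msi).
if ($PackagePath -notmatch '^\\\\[^\\]+\\[^\\]+\\.+\.msi$') {
    throw "'$PackagePath' is not a UNC path to an .msi file."
}
$server, $share = ($PackagePath -replace '^\\\\').Split('\')[0, 1]
$computers = "$Domain\Domain Computers"
# Principals that include ordinary computer accounts (nested groups not resolved).
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', $computers)

$findings = @()

# Share-level ACL: the computer account needs Read, and nothing more.
$shareAcl = Get-SmbShareAccess -Name $share -CimSession $server |
    Where-Object { $_.AccessControlType -eq 'Allow' }
if (-not ($shareAcl | Where-Object { $_.AccountName -in $broad })) {
    $findings += "Share: no Allow entry names $computers or a group containing it"
}
foreach ($ace in $shareAcl) {
    if ($ace.AccountName -in $broad -and "$($ace.AccessRight)" -ne 'Read') {
        $findings += "Share: $($ace.AccountName) has $($ace.AccessRight); Read is enough"
    }
}

# NTFS ACL on the package folder: readable by the computer account, and not
# writable by broad groups, because the MSI is installed as SYSTEM at startup.
$write   = [System.Security.AccessControl.FileSystemRights]::Write
$ntfsAcl = (Get-Acl -Path (Split-Path $PackagePath -Parent)).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' }
if (-not ($ntfsAcl | Where-Object { "$($_.IdentityReference)" -in $broad })) {
    $findings += "NTFS: no Allow entry names $computers or a group containing it"
}
foreach ($ace in $ntfsAcl) {
    if ("$($ace.IdentityReference)" -in $broad -and
        ([int]$ace.FileSystemRights -band [int]$write) -ne 0) {
        $findings += "NTFS: $($ace.IdentityReference) can write ($($ace.FileSystemRights))"
    }
}

if ($findings) { $findings } else { "OK: $PackagePath passes the UNC and ACL checks" }
```

The script reads the ACLs rather than testing access with the admin's own credentials, since the admin being able to open the file says nothing about what the computer account can do.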
 
