M
Marv
Hello,
I've been working on trying to get a certain application installed via
GPO
and can't seem to get it right.
Basically, the manual way to get it working is as follows:
1) Install the application as administrator (uses standard window
installer).
2) Set permissions on c:\program files\ngi to give user write
permissions (we usually just give everyone write to this folder).
Without these permissions, the user, not having local admin rights,
cannot even open the application.
So, using the old Veritas WinInstall LE, we created an .msi package,
and then moved the entire folder structure to a share on a file server
that gives full read rights to everyone. This all goes well, and when
double-clicking on the .msi package (as administrator) the install
goes through fine with no user intervention.
Now the problem.
We create a group policy that does the following:
1) Assigns the package via user (not computer) settings.
2) Make the login synchronous via a policy (don't remember the exact
one off hand) so that the explorer interface waits for all scripts to
run. This is done in user settings.
3) Give the directory c:\program files\ngi everyone write permissions
via computer settings.
Next we place both the computer account and user account in the OU
that has this GPO applied.
What happens is that after login by the user, you can see that the
application is installing, then when the user gets to the desktop, the
icon for the application is there, and the start menu shows that a new
application is installed. When the user double clicks on the icon,
then it goes through another install process and finally fails. It
fails because of the fact that the user does not have local admin and
the write permissions have not been assigned to the program directory
(c:\program files\ngi).
I've determined that the reason the policy could not assign the write
permissios at this point, is because the directory did not exist.
Anyway, if you reboot once or twice it seems like sometimes the
program folder gets the appropriate write permissions, but then if you
click on the program icon, it starts the install and keeps going
through the install a few times until it finally states that you must
reboot. After reboot, and clicking on the icon, you get the same
install process in an endless loop, asking to reboot. If you click
cancel 5 to10 times, the application actually comes up and runs!! But
if you close it, the next time you open you go through the same
routine.
If I give the user local admin rights then the GPO and package work
perfectly! It seems when it's done this way, the application just
comes up when double-clicked, rather than going through another
install process. Unfortunately, we cannot give everyone local admin
rights.
So here are my questions to any GPO gurus:
1) Could this application be writing something to the registry?
2) Based on question 1, I actually thought that the package is being
installed using administrators rights since it is being assigned? And
if it shows to be installing during the login process, why does it
then install again when double-clicking the program icon?
3) How can I get this to work?? There must be a way.
Thanks,
Max
I've been working on trying to get a certain application installed via
GPO
and can't seem to get it right.
Basically, the manual way to get it working is as follows:
1) Install the application as administrator (uses standard window
installer).
2) Set permissions on c:\program files\ngi to give user write
permissions (we usually just give everyone write to this folder).
Without these permissions, the user, not having local admin rights,
cannot even open the application.
So, using the old Veritas WinInstall LE, we created an .msi package,
and then moved the entire folder structure to a share on a file server
that gives full read rights to everyone. This all goes well, and when
double-clicking on the .msi package (as administrator) the install
goes through fine with no user intervention.
Now the problem.
We create a group policy that does the following:
1) Assigns the package via user (not computer) settings.
2) Make the login synchronous via a policy (don't remember the exact
one off hand) so that the explorer interface waits for all scripts to
run. This is done in user settings.
3) Give the directory c:\program files\ngi everyone write permissions
via computer settings.
Next we place both the computer account and user account in the OU
that has this GPO applied.
What happens is that after login by the user, you can see that the
application is installing, then when the user gets to the desktop, the
icon for the application is there, and the start menu shows that a new
application is installed. When the user double clicks on the icon,
then it goes through another install process and finally fails. It
fails because of the fact that the user does not have local admin and
the write permissions have not been assigned to the program directory
(c:\program files\ngi).
I've determined that the reason the policy could not assign the write
permissios at this point, is because the directory did not exist.
Anyway, if you reboot once or twice it seems like sometimes the
program folder gets the appropriate write permissions, but then if you
click on the program icon, it starts the install and keeps going
through the install a few times until it finally states that you must
reboot. After reboot, and clicking on the icon, you get the same
install process in an endless loop, asking to reboot. If you click
cancel 5 to10 times, the application actually comes up and runs!! But
if you close it, the next time you open you go through the same
routine.
If I give the user local admin rights then the GPO and package work
perfectly! It seems when it's done this way, the application just
comes up when double-clicked, rather than going through another
install process. Unfortunately, we cannot give everyone local admin
rights.
So here are my questions to any GPO gurus:
1) Could this application be writing something to the registry?
2) Based on question 1, I actually thought that the package is being
installed using administrators rights since it is being assigned? And
if it shows to be installing during the login process, why does it
then install again when double-clicking the program icon?
3) How can I get this to work?? There must be a way.
Thanks,
Max