Published install works for one user but fails for another. Both have same rights

[Steve Stormont]

I used my administrator account to publish a software installation
package (ArcGIS Desktop which uses a MSI file) to our Windows 2000 Native
mode domain. Security for this package is:

Authenticated Users = Read (Allow)
Creator Owner = Read, Write (Allow)
Domain Admins = Full Control, Read, Write (Allow)
Enterprise Admins = Read, Write (Allow)
System = Full Control, Read, Write (Allow)

NTFS Permissions for the folder/files on the network where the
installation is located are:

Domain Admins = Full Control (Allow)
Domain Users = Read & Execute, List Folder Contents, Read (Allow)
My user account (not admin account) = Full Control (Allow)
Another specified user = Full Control (Allow)

There are no "Deny" permissions specified anywhere. The owner of the
policy and the Folder/Files is "Domain Adminstrators"

If a member of the Domain Users group tries to install the package, they
get the error: "The system cannot find the file specified." So I thought
maybe they needed more than the limited permissions given to them by that
group, so I specified a user and gave them Full Control on the
folders/files. That specified user got the same error. But if I log on
with my non-admin account to any PC on which the installation has failed for
a user, I can install that same package fine, so the policy does see it.
This error happens on multiple machines, but other published packages
install fine.

If you look at Event Viewer when the error comes up, the message that is
listed is:

Source: Application Management
Category: None
Type: Error
Event ID: 101
Description: The assignment of application ArcGIS Desktop from policy
Default Domain Policy failed. The error was The system cannot find the file
specified. .

Each user does have administrative privileges on their desktop. Why
can I install it, when a user with the same permissions cannot?

Steve

 

[Cary Shultz [A.D. MVP]]

Steve,

I am not sure that you are trying to deploy this application via GPO. Not
sure what your first sentence means.

Anyway, here is a quick rundown on what you need to do to publish or assign
software via GPO:

1) you need to typically do an Administrative Installation ( not always the
case, though ). I typically create a folder called APPLICATIONS and then
create shared folders inside that. So, I would have Office 2000 ( shared as
OFF2K$ ) and Office XP ( shared as OFFXP$ ) and Office 2003 ( shared as
OFF2K3$ ), Adobe Reader 601 ( shared as ADOBE601$ ) and the like.

2) on the shared folder I like to assign as few permissions as possible (
again, this is a general suggestion ). I like to give Administrators Full
Control on both the Share and NTFS permissions and then either Domain Users
or Domain Computers ( depending if assigned to the user or computer
configuration side of things ) Read on both the Share and NTFS permissions.

3) create the GPO, which usually means creating the Organizational Unit and
then moving either the user account objects or computer account objects to
that OU, right clicking that OU and creating a GPO. Give it a friendly
name, go in and disable it ( so that part of the GPO is not processed during
the 'background processing' process ) and then edit it ( well, that is what
it technically is as we pretty much created an empty GPO. We are now
filling it in! ). One of the big things is that you have to use the UNC
method when telling AD about the location of the .msi file. So, you would
use \\servername\sharename\file.msi instead of a mapped network drive.

Users typically do not need to be a member of the local Administrators group
when software is assigned / published.

What troubleshooting have you done? Have you looked at GPOTool? Have you
looked at GPRESULT?

HTH,

Cary

 

[Steve Stormont]

I performed a network installation using the /A switch and deployed the
package using GPO.

We have 20 other pieces of software that have been deployed the exact
same way (using all of the steps you have listed) and they can be installed
fine. It's just this one that is causing problems. I'll look at GPOTool
and GPResult. I did not know those tools existed.

Steve