Solved

Software Install with GPO

Posted on 2008-02-01
Last Modified: 2010-04-21
I am trying to install Office 2003 on domain computers by using GPO. I created an OU and security group for the Security Filtering. I have added 10 computers to the OU and the security group. It works fine for 7 of the computers and for the other 3 it does not. I have tried gpupdate /force, removing the computer from the domain and adding it back, and forcing replication on the DCs. I don't know what else to try. I am relatively new to GPO; therefore some guidance would be greatly appreciated.

Thanks
0
Comment
Question by:vbchewie
17 Comments
 
LVL 9

Expert Comment

by:discgman
ID: 20801934
Download gpmc.msi from www.microsoft.com. It's a good tool to see what specific group policies are running within a specific part of the AD. There might be a conflict somewhere.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 20801970
Yes gpmc.msi is what I used to create the Policies.  How can I tell if there is a conflict?
0
 
LVL 9

Expert Comment

by:discgman
ID: 20802072
You should then click on the specific OU you are having a problem with, then click on the Group Policy Inheritance tab and see which GPOs are being pushed down.
0

 
LVL 1

Author Comment

by:vbchewie
ID: 20802107
I have:
1 (Enforce) IAS Certificate Autoenrollment (this is for wireless users)
2 Office 2003
3 Adobe Reader
etc.
Do I need to move Office so that it has 1st precedence?
0
 
LVL 9

Expert Comment

by:discgman
ID: 20802223
It should also tell you which branch it is coming from, like office 2003, location admin (for the parent ou).
0
 
LVL 1

Author Comment

by:vbchewie
ID: 20802245
Location is Desktops and Desktops is where I put the computers.
0
 
LVL 3

Expert Comment

by:drchristophe
ID: 20804956
In addition to the other good comments, I would try using the Group Policy Results Wizard in GPMC.

You can run a query against the offending PCs and it will tell you which policies are applying and which are not. Good diagnostic tool.

Here is a link that may help you a little further:

http://technet2.microsoft.com/windowsserver/en/library/b8af2303-dac9-4fd5-9717-c3a7f553c6271033.mspx?mfr=true

Please also check Event Viewer on the offending PCs. If the policy is applying there will be logs with a source of "Software Installation Policy".

Good luck!
0
 
LVL 1

Author Comment

by:vbchewie
ID: 20816646
drchristophe:  through the use of gpresult I found that the machines that it works on belong to these security groups:
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        VM001$
        Domain Computers
        sgAdobeReader
        sgOffice2003
And the computer that it does not work on belongs to these security groups:
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users
My policy says you have to be a member of sgOffice2003 to have the policy applied. I checked Active Directory and the offending computers are in sgOffice2003. I have also forced replication in Sites and Services, but for some reason the offending computers are not picking up all of their security groups. How do I fix this?
0
 
LVL 3

Expert Comment

by:drchristophe
ID: 20818012
Excellent trouble shooting!

I take it you have more than one DC in your environment as you mentioned sites and services...

1) Can we make sure the offending PCs are in the sgOffice2003 group on all DCs. Take out, put back in again.

2) In the gpresult under "denied GPOs" is the sgOffice2003 policy listed?

3) Take offending PCs out of domain and back in again. Make sure you remove their Computer account in AD before you join them back into the domain.

Keep Going!
0
 
LVL 1

Author Comment

by:vbchewie
ID: 20819386
I take it you have more than one DC in your environment as you mentioned sites and services...

Yes, I have 3 DCs

1) Can we make sure the offending pc's are in the sgOffice2003 group on all DC's. Take out put back in again.

I removed the computer from sgOffice2003. To check all DCs I went to AD Users and Computers, connected to each DC and checked to make sure it was out of sgOffice2003. I then added it back to sgOffice2003 and checked each DC to make sure the computer was a member of sgOffice2003.

2) In the gpresult under "denied gpo's" is the sgOffice2003 policy listed?

There are no denied gpos in gpresults.

3) Take offending pc's out of domain and back in again. Make sure you remove their Computer account in AD before you join them back into the domain.

I removed the offending PC from the domain, deleted its Computer account and rejoined it. I also removed them and joined the domain with a new name. I also tried changing the SID, and rejoined the domain. None of these gave me a different result. I am having a hard time understanding how the offending computers don't even show that they are part of the Domain Computer security group. Doesn't every computer that joins the domain become a Domain Computer?
0
 
LVL 3

Expert Comment

by:drchristophe
ID: 20827853
I agree this problem is very strange.

Now that we have done the above, can you run GPUPDATE /Force from the command line on the PCs and restart? Then we need to run Gpresult and see what we get.

Also, can the PCs talk to the Primary Domain Controller? I would do a test to each DC from Run, like \\servername\c$. See what you get. Also try from Run \\domain name\sysvol.

Have the PCs got the latest service packs and hotfixes, the same as the working PCs?

And lastly, are there any errors on the PCs in Event Viewer?
0
 
LVL 3

Expert Comment

by:drchristophe
ID: 20836115
Also have you checked to see if the GPO has replicated to the other DC's?

These pc's may be using DC3 as it is defined as their Domain Controller in Sites and Services.

DC3 may have not got a copy of the GPO or the GPO may not have the correct settings. I have seen this before.

When in GPMC (Group Policy Management Console) can you right click the domain tree and change domain controller and check if the policy is present and fully populated with settings. Please repeat this for all 3 DCs.

Thanks.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 20837940
Yes the computer can get to all the \\dc's\c$ and \\domain\sysvol.
Oh ya! The event logs: I always check them on the servers but manage to forget them on the clients. I think we might have found the problem. The offending PCs have this error in their event log on startup.
Event Type: Error
Event Source:   Userenv
Event Category: None
Event ID:   1054
Date:       2/5/2008
Time:       12:59:33 PM
User:       NT AUTHORITY\SYSTEM
Computer:   VM001$
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
________
I know at some point they are contacting the domain controllers, because the user is logging into the network without any problems.
 
0
 
LVL 3

Accepted Solution

by:
drchristophe earned 1200 total points
ID: 20843653
That event looks promising.

I have seen issues like this in the past. It turned out to be driver problems on the LAN card. Please can you update drivers on the offending PCs. Also, if the working PCs have the same LAN card, can we compare driver versions?

Also I have found the following technet link for this error.

http://support.microsoft.com/kb/840669
0
 
LVL 1

Author Comment

by:vbchewie
ID: 20847556
It was the NICs. I updated the drivers and voilà, they all got their software installs. Thank you for all the troubleshooting help. I really learned a lot. You were very helpful.
0
 
LVL 1

Author Closing Comment

by:vbchewie
ID: 31427404
Thank you for all the troubleshooting help; this was a very valuable experience for me. I really appreciate it.
0
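
The client-side checks worked through in this thread (DC discovery, \\domain\sysvol access, Userenv event 1054, and the computer's groups in gpresult) can be collected in one pass. This is an added example, not code posted by anyone in the thread; `Test-GpoClientHealth` is a hypothetical name, and it assumes an elevated Windows PowerShell 5.1 session on the affected client with `nltest.exe` available.

```powershell
# Added example, not from the thread. Run elevated on the affected client.
# Test-GpoClientHealth is a hypothetical name; sgOffice2003 is the thread's group.
function Test-GpoClientHealth {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string[]]$ExpectedGroups = @('Domain Computers', 'sgOffice2003')
    )

    # 1. Can the client locate a domain controller right now?
    $null = & nltest.exe "/dsgetdc:$Domain" 2>&1
    $dcFound = ($LASTEXITCODE -eq 0)

    # 2. Is SYSVOL reachable through the domain name (the \\domain\sysvol test)?
    $sysvolOk = Test-Path -Path "\\$Domain\SYSVOL"

    # 3. Userenv event 1054 in the Application log: Group Policy processing
    #    aborted because no domain controller name could be obtained.
    $aborts = @(Get-EventLog -LogName Application -Source Userenv -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1054 })

    # 4. Which expected groups are missing from the computer's gpresult output?
    #    Plain text match; /r needs Vista or later (omit it on Windows XP).
    $gpText  = & gpresult.exe /scope computer /r 2>&1 | Out-String
    $missing = @($ExpectedGroups | Where-Object { $gpText -notmatch [regex]::Escape($_) })

    [pscustomobject]@{
        Domain            = $Domain
        DcLocatedNow      = $dcFound
        SysvolReachable   = $sysvolOk
        Event1054Count    = $aborts.Count
        LastEvent1054     = ($aborts | Sort-Object TimeGenerated | Select-Object -Last 1).TimeGenerated
        MissingGroups     = $missing -join ', '
        # Heuristic from this thread: a DC is reachable now, yet policy aborted
        # earlier, so the network was probably not up when policy was processed.
        NetworkLateAtBoot = ($dcFound -and $aborts.Count -gt 0)
    }
}

Test-GpoClientHealth | Format-List
```

A result with `NetworkLateAtBoot` true and `Domain Computers` listed under `MissingGroups` matches the pattern seen on the three failing machines here.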
