Software Install with GPO

I am trying to install Office 2003 on domain computers by using GPO.  I created an OU and security group for the Security Filtering.  I have added 10 computers to the OU and the security group.  It works fine for 7 of the computers and the other 3 it does not.  I have tried gpupdate /force. Removing the computer from the domain and adding it back. Force Replication on the DC's.  I don't know what else to try.  I am relatively new to GPO; therefore some guidance would be greatly appreciated.

Thanks
vbchewieAsked:

discgmanCommented:
Download gpmc.msi from www.microsoft.com. It's a good tool to see what specific group policies are running within a specific part of the AD. There might be a conflict somewhere.
0
vbchewieAuthor Commented:
Yes gpmc.msi is what I used to create the Policies.  How can I tell if there is a conflict?
0
discgmanCommented:
You should then click on the specific OU you are having a problem with, then click on the Group Policy Inheritance tab and see which gpo's are being pushed down.
0
vbchewieAuthor Commented:
I have a
1 (Enforce) IAS Certificate Autoenrollment (This is for wireless users)
2 Office 2003
3 Adobe Reader
etc.
Do I need to move office so that it has 1st precedence?
0
discgmanCommented:
It should also tell you which branch it is coming from, like office 2003, location admin (for the parent ou).
0
vbchewieAuthor Commented:
Location is Desktops and Desktops is where I put the computers.
0
drchristopheCommented:
In addition to the other good comments, I would try using the Group Policy Results Wizard in GPMC.

You can run a query against the offending PCs and it will tell you which policies are applying and which are not. Good diagnostic tool.

Here is a link that may help you a little further:

http://technet2.microsoft.com/windowsserver/en/library/b8af2303-dac9-4fd5-9717-c3a7f553c6271033.mspx?mfr=true

Please also check Event Viewer on the offending PCs. If the policy is applying there will be logs with a source of "Software Installation Policy".

Good luck!
0
vbchewieAuthor Commented:
drchristophe:  through the use of gpresult I found that the machines that it works on belong to these security groups:
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        VM001$
        Domain Computers
        sgAdobeReader
        sgOffice2003
And the computer that it does not work on belongs to these security groups:
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users
My policy says you have to be a member of sgOffice2003 to have the policy applied.  I checked Active Directory and the offending computers are in sgOffice2003.  I have also forced replication in Sites and Services, but for some reason the offending computers are not picking up all of their security groups.  How do I fix this?
0
drchristopheCommented:
Excellent troubleshooting!

I take it you have more than one DC in your environment as you mentioned sites and services...

1) Can we make sure the offending pc's are in the sgOffice2003 group on all DC's. Take out put back in again.

2) In the gpresult under "denied gpo's" is the sgOffice2003 policy listed?

3) Take offending pc's out of domain and back in again. Make sure you remove their Computer account in AD before you join them back into the domain.

Keep Going!
0
vbchewieAuthor Commented:
I take it you have more than one DC in your environment as you mentioned sites and services...

Yes, I have 3 DCs

1) Can we make sure the offending pc's are in the sgOffice2003 group on all DC's. Take out put back in again.

I removed the computer from sgOffice2003.  To check all DCs I went to AD Users and Computers, connected to each DC and checked to make sure it was out of sgOffice2003.  I then added it back to sgOffice2003 and checked each DC to make sure the computer was a member of sgOffice2003.

2) In the gpresult under "denied gpo's" is the sgOffice2003 policy listed?

There are no denied gpos in gpresults.

3) Take offending pc's out of domain and back in again. Make sure you remove their Computer account in AD before you join them back into the domain.

I removed the offending PC from the domain, deleted its Computer account and rejoined it.  I also removed it and joined the domain with a new name.  I also tried changing the SID and rejoined the domain.  None of these gave me a different result.  I am having a hard time understanding how the offending computers don't even show that they are part of the Domain Computers security group.  Doesn't every computer that joins the domain become a Domain Computer?
0
drchristopheCommented:
I agree this problem is very strange.

Now that we have done the above, can you run a GPUPDATE /Force from the command line on the PCs and restart? Then we need to run Gpresult and see what we get.

Also, can the PCs talk to the Primary Domain Controller? I would do a test to each DC from Run, like \\servername\c$. See what you get. Also try from Run: \\domain name\sysvol.

Have the PCs got the latest service packs and hotfixes, the same as the working PCs?

And lastly, are there any errors on the PCs in Event Viewer?
0
drchristopheCommented:
Also have you checked to see if the GPO has replicated to the other DC's?

These pc's may be using DC3 as it is defined as their Domain Controller in Sites and Services.

DC3 may have not got a copy of the GPO or the GPO may not have the correct settings. I have seen this before.

When in GPMC (Group Policy Management Console) can you right click the domain tree and change domain controller and check if the policy is present and fully populated with settings. Please repeat this for all 3 DC's.

Thanks.
0
vbchewieAuthor Commented:
Yes the computer can get to all the \\dc's\c$ and \\domain\sysvol.
Oh ya!  The event logs, I always check them on the servers but manage to forget them on the clients.  I think we might have found the problem: the offending PCs have this error in their event log on startup.
Event Type: Error
Event Source:   Userenv
Event Category: None
Event ID:   1054
Date:       2/5/2008
Time:       12:59:33 PM
User:       NT AUTHORITY\SYSTEM
Computer:   VM001$
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
________
I know at some point they are contacting the domain controllers, because the user is logging into the network without any problems.
 
0
drchristopheCommented:
That event looks promising.

I have seen issues like this in the past. It turned out to be driver problems on the LAN card. Please can you update drivers on the offending PCs. Also, if the working PCs have the same LAN card, can we compare driver versions?

Also I have found the following technet link for this error.

http://support.microsoft.com/kb/840669
0
vbchewieAuthor Commented:
It was the NICs. I updated the drivers and voilà, they all got their software installs.  Thank you for all the troubleshooting help.  I really learned a lot.  You were very helpful.
0
vbchewieAuthor Commented:
Thank you for all the troubleshooting help; this was a very valuable experience for me.  I really appreciate it.
0
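
A client-side check for the two symptoms this thread turned up (Userenv event 1054 in the Application log, and the security-filtering group missing from the computer's gpresult group list), as an added example that was not posted by any participant. It assumes Windows PowerShell run elevated on the affected client, English-language gpresult output, and that nltest is installed; the parameter names are illustrative and the default group name is the one from the thread.

```powershell
param(
    [string]$RequiredGroup = 'sgOffice2003',   # security-filtering group from the thread
    [int]$Days = 7                              # how far back to search the event log
)

# 1. Userenv 1054: Group Policy processing aborted because no DC could be located.
$since  = (Get-Date).AddDays(-$Days)
$events = @(Get-EventLog -LogName Application -Source Userenv -EntryType Error -After $since -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 1054 })

# 2. Security groups the computer actually received, as reported by gpresult.
#    Assumed layout: a header line containing "following security groups",
#    a dashed underline, then one indented group name per line.
$groups  = @()
$inBlock = $false
foreach ($line in (gpresult /scope computer /v 2>&1)) {
    $text = "$line".Trim()
    if ($text -match 'following security groups') { $inBlock = $true; continue }
    if (-not $inBlock)      { continue }
    if ($text -match '^-+$') { continue }
    if ($text -eq '')       { if ($groups.Count) { break } else { continue } }
    $groups += $text
}

# 3. DC discovery right now. Success here does not rule out a failure at boot,
#    which is when computer policy (and software installation) is processed.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
nltest "/dsgetdc:$domain" | Out-Null
$dcFoundNow = ($LASTEXITCODE -eq 0)

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Userenv1054Count  = $events.Count
    Last1054          = ($events | Sort-Object TimeGenerated | Select-Object -Last 1).TimeGenerated
    GroupsReported    = $groups.Count
    HasRequiredGroup  = [bool]($groups | Where-Object { $_ -like "*$RequiredGroup" })
    HasDomainComputers = [bool]($groups | Where-Object { $_ -like '*Domain Computers' })
    DcFoundNow        = $dcFoundNow
}
```

A result with `Userenv1054Count` above zero, `HasRequiredGroup` false and `DcFoundNow` true matches the pattern seen here: the DC is reachable after logon, but was not reachable when computer policy ran at startup.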