Problem installing a .msi file with Group Policy Manager

I have Group Policy Manager running on my Windows Server 2003 machine.  It is currently handeling all group policies just fine.  I am trying to add a new one and I'm running into trouble.

The .msi file I am adding works just fine whenever you run it on a single computer like its an install program.  It was created with Advanced Installer v 6.1.1 freeware.

I made a GPO called "DCM" that contains the msi in question at the following location:
computer configuration > software settings > software installation

I put a link to the GPO in a Organizational Unit called "DCM".  This OU contains a group called "DCM Users" that has all of the usernames that will use this software.  The link is both Enabled and Enforced.  When you reboot one of the computers and login as a user in the OU, nothing installs.

I had a little bit of success when I attached the GPO to a OU that contained computers instead of users, but there is a problem with that.  We have our computers grouped in OUs based on their role in the company.  Inside three of those OUs we have computers that will need the DCM software I'm trying to install right now.  And its not all of the computers in the three OUs that need it.

Another note, when i had a little bit of success with the install I mean that it came up and said it was installing the managed software, but then there were no shortcuts and the program file didn't exist anywhere
magicspringsadminAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Matthew MillersCommented:
As you saw, you have create a GPO which affects computer objects.
It appears you are attempting to link this to OU which contains user objects.

I would suggest you create a new GPO, assign the MSI in the user section of the GPO
Link the GPO to a OU where users either exist in that OU or sub OUs
Then apply security filtering to the group (optional)
0
briancassinCommented:
Are you assigning the application or publishing it ?
You need to assign it publishing it will not install it
0
magicspringsadminAuthor Commented:
mattee76:
I created a new GPO that has the msi located in the User section of the GPO
User Configuration > Software Settings > Software Installation
This link is enabled and enforced.  I linked that to an OU that contains my username, and the software isn't installing.

briancassin:
the msi is set to assign.
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Matthew MillersCommented:
Have you run a "gpupdate /force"?
Do this, then reboot.
When you logon, it should indicate that a package is installing.
If this still does not work, issue the command "RSOP.MSC", check to see that the app is actually being assigned.
0
gobanCommented:
Usually, you want to install software on a per-machine basis due to licensing issues. Therefore I would suggest "Assigning" the MSI under Computer Configuration rather then User Configuration. You may also want to check the box "Uninstall this application when if falls out of the scope of management". This gives you an avenue for uninstalling the product by removing the computers from the scope of the GPO.

You can isolate which computers are assigned the package by using security filtering. I suggest creating a new group in AD and name it, for example "Install YourApplicationName", then add only the specific computers that should install the package. In security filtering remove the group "Authenticated Users" and any other entries, then add your newly created group.

Also, make sure that whatever USER or COMPUTER your have assigned the package to has the appropriate Read and Execute permissions on both the network share and the folder's NTFS security settings.
0
Brian PiercePhotographerCommented:
Make sure that you specify the path to the MSI file in the UNC format, ie
\\Server\Share\my.msi  -  the interface makes it easy to enter c:\share\my.msi
which will not work.

Also make sure that the share is shared with full control to Everyone and that users have read/execute permissions.
0
Vadim RappCommented:
suggestions:

1. run group policy results for the machine and user; look at the settings, and make sure your installation is indeed assigned. If not, look under the tab "general" if the policy applied or not.

2. if it's there, then re-logon the user that is supposed to install.

3. you say there are no shortcuts. But what about add-remove programs, is the application installed? if so, does it have the button "change", or only "remove"?

4. if at (1) the installation is assigned, but still it does not install, follow http://support.microsoft.com/kb/221833/ ,  enable logon debugging, and look in the log.



0
magicspringsadminAuthor Commented:
mattee76:
i used gpupdate /force before i rebooted to no avail.

kcts:
i am using UNC format.

goban & vadimrapp1:
i will give those a try and report back.

Dave
0
magicspringsadminAuthor Commented:
goban:
I now have the GPO set up with the install under Computer Configuration > Software Settings > Software Installation.  I linked that GPO to an OU that contains some of our computers (mine included).  Then I used security filtering to apply it only to users in the group I want.  Still nothing.  When I run gpresult I don't see it listed under Computer Settings > Applied GPOs or GPOs Not Installed.  I'm attaching the output of gpresult.

dave
gpresult.txt
0
magicspringsadminAuthor Commented:
btw, you will see "gminstall" in the GPOs applied.  thats a different piece of software.
0
magicspringsadminAuthor Commented:
this may be a stupid question, but is there any way the .msi file i made would work as a stand-alone install but not as a GP install?  maybe something needs to be configured different in the msi?

dave
0
Vadim RappCommented:
Dave,

if you don't see your policy in gpresult, then that's what you need to concentrate on. What's not visible, can't be installed.

Instead of running gpresult, why not to use group policy management console, it's much more user-friendly. And run "group policy results" in its wizard.

The policy itself has a setting "disable computer configuration settings"and "disable user configuration settings"- check if that's not the case.

> is there any way the .msi file i made would work as a stand-alone install but not as a GP install?

Absolutely, any user can just launch the msi file and install. No changes are required.
0
magicspringsadminAuthor Commented:
i'm not seeing that either setting is disabled.  in regards to the question about the .msi, i know they can run the file but is there any way that the .msi itself is the problem?  maybe it can run as just a setup but won't work in group policy?  i don't know a lot about .msi stuff, so i don't even know if thats possible.
0
Vadim RappCommented:
the installation may or may not have its own problems, but if the policy where it's assigned is not visible to the user, then it won't be even tried.

There must be some simple reason why it's not visible. Maybe you could delete it and then recreate, or explain here how you create and link it, with all details, step-by step. Also you could make a screenshot of the gp management console showing your policy linked, and another with "gp results wizard" results.
0
gobanCommented:
Here is one example of a working structure in ADUC (active directory users and computers). You don't have to follow this example exactly, just make sure that your GPO is linked to an OU that contains the computers and groups that you are trying to apply the policy to.

>Active Directory Users and Computers
>>your.domain.com
>>>Computers OU (make sure its an OU and not the default container) <---Link your GPO Here
>>>>InstallYourApplication Group (group contains M2, M3, A1, T1)
>>>>Marketing Computers OU
>>>>>M1
>>>>>M2
>>>>>M3
>>>>Admin Computers OU
>>>>>A1
>>>>>A2
>>>>Test Computers OU
>>>>>T1
0
magicspringsadminAuthor Commented:
ok, i'll try starting all over and give you my steps...

In Group Policy Management, right click on Group Policy Objects and select new.
Name it DCM Install.
Right click on DCM Install and click Edit.
Under Computer Configuration expand Software Settings.
Right click on Software installation, click New -> Package.
Select my msi file (using the UNC format).
Select Assigned.
---see screen1.jpg
Close Group Policy Object Editor.
Link DCM Install go the OU Computers - POS (which contains my machine).
Click on DCM Install under Computers - POS.
Set as Enabled and Enforced.
Set Security Filtering as my username only.
--see screen2.jpg
Run gpupdate /force on my machine.
It tells me it needs to reboot for some of the policies to work.
I run gpresult and get nothing about DCM
--see gpresult.txt

dave
screen1.JPG
screen2.jpg
gpresult.txt
0
Matthew MillersCommented:
Your trying to set a security filter to a user where the GPO is affecting computer objects. Try and set the security filter to a computer object.
0
magicspringsadminAuthor Commented:
i'll give that a shot, but restricting based on users was kinda the point.  this software will only need to be installed on users in the "DCM Users" group.  they move from computer to computer.
0
magicspringsadminAuthor Commented:
no luck setting the security filter to my machine instead of my username.
0
Matthew MillersCommented:
If you want this to occur per user, you will need to use the GPO affecting users which you created earlier.

Can you revert to this and attach the "gpresult /z" information please?
0
Vadim RappCommented:
You put the package under machine part, put the link under OU with machines, but authorized the user.

Add Domain Computers to "security filtering". Or put the package under User Configuration, and link it to the OU where the user belongs.
0
Vadim RappCommented:
> no luck setting the security filter to my machine instead of my username.

when you add an object to permissions, make sure to click "object types" and select computers.
0
magicspringsadminAuthor Commented:
i was able was able to use the machine as the filter, i was saying i had no luck getting that to work.  i have since reverted to linking to the OU with the computers and using the user group as the security filter.  anyways...here is the gpresult /z file.  i see DCM in there.  i got to looking and found DCM in the add/remove programs list.  so it appears its kinda working.  however, the icon is the msi file icon instead of the program icon that i get whenever i directly install the software.  i did a search for the files, and they're not there.  anywhere on the hard drive.
gpresult.txt
0
Vadim RappCommented:
it's because the installation is installed by computer account rather than user account. The files are not installed most likely because the product is only advertised, it's not fully installed.

The icon most likely does exist somewhere, since it's advertised. Search the machine for the shortcut file - MyProgram.lnk.

Also, note that the msi file itself has property ALLUSERS that tells if it should install for all users, or not. If you are installing for machine, it should be on.

I don't quite understand why you are trying to advertise it for computers if you said that the whole point is to have it for the users.
0
Matthew MillersCommented:
Can you actually "advertise" a applicaiton for a computer policy? I was always under the impression that you could only assign (due to lack of add/remove programs for the computer!).
0
magicspringsadminAuthor Commented:
i have it set to "assign" not "publish" (which is what i assume you mean by advertise).
0
Vadim RappCommented:
Yes, assign. I said "advertise" in the meaning of the installer, when certain feature is advertised on the machine rather than actually installed. Installer puts in place shortcuts and registry information, which allow later install-on-demand when demands occurs - click on shortcut, launching a file by extension association, etc.
0
magicspringsadminAuthor Commented:
ahh.  i see.  anyways.  i switched the GPO to use User Configuration instead of Computer Configuration, then linked it to an OU with my username.  I kept my username in as the security filter.  same result now.  it's in the add/remove programs, but no files for the program that i can find anywhere on my hardrive.  the only thing that shows up is:

C:\Documents and Settings\dbell\Application Data\Microsoft\Installer\{A3FFA119-EF64-43BF-B19B-EEF605A07CC0}\dcm.exe

i tried running that file to see what happened and it just went to a black screen and then it went away.
0
Vadim RappCommented:
in add/remove programs - does it have button "modify", or only "remove"? if only "remove", then it's only advertised, not ctually installed.

Try to check checkbox "install this application at logon" where you assign it.

Have you searched for the shortcut, the .lnk file?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Vadim RappCommented:
also, you can install it from add/remove programs if you click on the "add new programs" on the left, and click "add" button against the program. Then it will be fully installed. But of course the shortcut should be visible even without that, that's the whole point of install-on-demand - you should be able to demand.
0
magicspringsadminAuthor Commented:
the "install this application at logon" did the trick.  thank you!
0
briancassinCommented:
What exactly was the fix the fact that it was not assigned ?
0
Vadim RappCommented:
it was assigned, but not installed, only advertised.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Installation

From novice to tech pro — start learning today.