We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

GPO .msi Push Issues

Medium Priority
689 Views
Last Modified: 2012-06-21
Morning all,

I am currently having issues pushing a .msi package to machines on my AD network (MS Windows Server 2003 pushing to XP SP2 machine). This is what I have done:

- Created a share on the network and added the Software package.
- Double checked that the user machine has all relevant share and security permissions to the folder, and also double clicked the Software package to check that it will install.
- Created an OU within AD.
- Added the relevant machines to that OU.
- Created a group policy on that OU and added the Software package located at \\192.168.50.1\Modified_msi\msxml6.msi
- Made sure that "Install this application at logon" is ticket.
- Enabled "Always wait for the netowrk at computer startup and logon".
- Ran gpupdate /force on the AD server and then rebooted the client machine.

Basically the client machine reboots and as it starts up the message pops up that the package is being installed, and then it stops and just asks you to logon. The package isnt installed and when I go to the event viewer this is the message I get:
"The install of application MSXML 6.0 Parser from policy Test Test failed.  The error was : The installation source for this product is not available.  Verify that the source exists and that you can access it."

I have tried this with 3-4 different packages, and also rebooted the machine upto 10 times and I always get this error on the client machines. Im pretty sure i've covered all avenues. Any ideas?

Comment
Watch Question

CERTIFIED EXPERT

Commented:
Here is what I would try. This should work for you I will explain my thinking after.

On your file server create a new folder called public and share it out. Give everyone full share permissions (full control, change, read). On the NTFS permissions grant everyone and anonymous full control. Then copy in your install. Create or modify your GPO to point to this location and then give it a shot.

As I understand it the group policies are being applied before the computer or user can authenticate to the file server. This may be why your getting the error message. Try it out and let me know how it works. This is how we have ours configured and it works.

Commented:
I would do:
- Create SDC folder and share the folder for authenticated users read only
- Please your folder in SDC
- Create GPO and disable user configuration and add the package to Computer computer configuration
- Make sure the security permissions has deny on admininistrators and servers.
- In Deployment tab, make sure it assigned (you can only assign it to computers anyway)

Test it with one pc and if it works, create a sec group and add other pc's to this group and apply necessary permissions to GPO security.

I dont see why this should not work.

Efem
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
Just a wired observation, why di you do a GPUPDATE on the server or was that a typo?

Are you deploying this per machine or when the user logs on?

Are you sure the permissions to the shared path are correct?

Can you post a screenshot of what your policy with the app looks like?

Author

Commented:
xxdc - Just tried that. Same issue. Just to let you know I have the share on the AD server. This is ina  test domain, so I dont have a seperate file server.

Nappy - I meant I did gpupdate /force on the client machine sorry. That forces you to restart. I have the GPO setup to do the install on logon. The pemissions are definately correct. If I browse to that directory form any of the client machines I can get to the directory fine and and also run the installer.

Etopas - Not sure I fully understand what you've written, but i'll give it a go and see if I can do it that way.
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
Yes but what are the permissions you have set?

Can you try deploying to a workstation rather than a user?

>>Verify that the source exists and that you can access it.  This indicates an issue with your path to the file or permissions.
CERTIFIED EXPERT

Commented:
One other thing you can try is setting the NTFS permissions for "Domain Computers" with full control.
this is not the permissions issue, try to simply enter the path on the workstation after logging in then you'll know if the path is accessible. try to upgrade the installer on one of the workstations to
http://www.microsoft.com/downloads/details.aspx?familyid=5A58B56F-60B6-4412-95B9-54D056D6F9F4&displaylang=en
see if this works
also, a question did you try to upgrade any previous version of msxml ?

additionally use the cleaner
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

then try again
CERTIFIED EXPERT

Commented:
Granted you may or many not have performed all of these steps but this could be a helpful checklist as far as the issues your facing.

http://support.microsoft.com/kb/816102
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
This is either his permissions or his UNC path.  Can the auther please post a scrnshot of his permissions on the App deployment and a screenshot of app deployed in the GPO?

CERTIFIED EXPERT

Commented:
I agree ^^^^

Author

Commented:
Hi All,

I can access the msi file from all of my client machine using the same UNC path as i've set on the deployment settings for the software.

I have no other xml installed on the machine. It doesnt matter anyway, I have tried to push out five different msi packages and I get the same issue with all of them.

I have attached some screenshots.


depsettings.JPG
gposecsettings.JPG
secperms.JPG
shareperms.JPG
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
Can you please add a computer object directly to the GPO permissions for the app, reboot and see it if deploys?  I usually leave authenticated users in my app deployment policies but don't see it listed here.  It should not make a difference but thought I would mention this.
As I mentioned way above:
1. upgrade msi installer to 4.5
2. additionally use the cleaner
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

then try again

Author

Commented:
Nappy - Just tried that, didnt work.

Roads - I will try this now.

Author

Commented:
Tried that Roads, exactly the same issues and errors.
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
This TID from MS describes the problem.  Somewhere your NTFS and share permissions are not correct http://support.microsoft.com/kb/278472

What is the event id error number?

Author

Commented:
They are the errors I am getting Nappy, but the correct persmissions are set.

I have also set the share for full access for everyone.
computerobj.JPG

Commented:
can you also post the security of gpo object (not msi security tab)?

fm

Author

Commented:
Etopas - Here it is. Authenticated users, everyone & the computer object are all set to full control.
gpoobjectsec.JPG
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
Can you click on the computer ppdemo and show its permissions?

Commented:
I meant, open Group Policy Object Editor, click on Delegation tab on right hand side and click on advanced. Do authenticated users (you dont need to add everyone) have apply group policy check?

Commented:
sorry I just saw. ignore my last comment.
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
Agreed, I eluded to that a few posts ago.. :)

Author

Commented:
PDdemo is set to allow full access.

Commented:
Can you let us know how did you packed the MSI file? Standard download from MS? Did you make any modifications to MSI File? maybe the error is coming from the file?

Author

Commented:
Etopas - I've tried fie different msi files. One of them was edited, and the rest were in their original state. All with the same result.
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Try adding Domain Computers to the  Authenticated Users group

Author

Commented:
Where can I find Authenticated Users as a group? If I double click on "Domain Computers" and try to add "Authenticated Users" it doesnt show as an option. I've put "Domain Computers" in the Admin group, but it wont allow me to add it to authenticated users that way.
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
You should be able to type the group  name authenticate Users and it will ad the group to the security tab.

Author

Commented:
If I double lcikc on "Domain Computers" there is only a member of option, not a security option. If I click member of, it cant find "authenticated users". I can only find authenticated users if i'm in a security tab of a folder.
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
You should be able to add it just like this in my screen shot

Picture-82.png

Author

Commented:
I must be trying this in the wrong bit, because I only get the choice to add groups or built in security principals.
other.JPG

Author

Commented:
Ok, I just changed the GPO to push the package out to the user rather than the computer object and it worked absolutely fine. Very weird. Any ideas, because i'd rather push them out via computer objects than users.
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
You really need to have that group named authenticated users in the security.  Try this, create a group for your computers, add alll the computers to the group, add the group to the application deployment.  See if it deploys now...
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Follow the guide and you should be good to go.
Commented:
Question PAQ'd, 500 points refunded, and stored in the solution database.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.