?
Solved

GPO .msi Push Issues

Posted on 2009-02-18
39
Medium Priority
?
668 Views
Last Modified: 2012-06-21
Morning all,

I am currently having issues pushing a .msi package to machines on my AD network (MS Windows Server 2003 pushing to XP SP2 machine). This is what I have done:

- Created a share on the network and added the Software package.
- Double checked that the user machine has all relevant share and security permissions to the folder, and also double clicked the Software package to check that it will install.
- Created an OU within AD.
- Added the relevant machines to that OU.
- Created a group policy on that OU and added the Software package located at \\192.168.50.1\Modified_msi\msxml6.msi
- Made sure that "Install this application at logon" is ticket.
- Enabled "Always wait for the netowrk at computer startup and logon".
- Ran gpupdate /force on the AD server and then rebooted the client machine.

Basically the client machine reboots and as it starts up the message pops up that the package is being installed, and then it stops and just asks you to logon. The package isnt installed and when I go to the event viewer this is the message I get:
"The install of application MSXML 6.0 Parser from policy Test Test failed.  The error was : The installation source for this product is not available.  Verify that the source exists and that you can access it."

I have tried this with 3-4 different packages, and also rebooted the machine upto 10 times and I always get this error on the client machines. Im pretty sure i've covered all avenues. Any ideas?

0
Comment
Question by:safekey
  • 12
  • 10
  • 5
  • +4
38 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 23669538
Here is what I would try. This should work for you I will explain my thinking after.

On your file server create a new folder called public and share it out. Give everyone full share permissions (full control, change, read). On the NTFS permissions grant everyone and anonymous full control. Then copy in your install. Create or modify your GPO to point to this location and then give it a shot.

As I understand it the group policies are being applied before the computer or user can authenticate to the file server. This may be why your getting the error message. Try it out and let me know how it works. This is how we have ours configured and it works.
0
 
LVL 6

Expert Comment

by:_etoptas
ID: 23669545
I would do:
- Create SDC folder and share the folder for authenticated users read only
- Please your folder in SDC
- Create GPO and disable user configuration and add the package to Computer computer configuration
- Make sure the security permissions has deny on admininistrators and servers.
- In Deployment tab, make sure it assigned (you can only assign it to computers anyway)

Test it with one pc and if it works, create a sec group and add other pc's to this group and apply necessary permissions to GPO security.

I dont see why this should not work.

Efem
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23669608
Just a wired observation, why di you do a GPUPDATE on the server or was that a typo?

Are you deploying this per machine or when the user logs on?

Are you sure the permissions to the shared path are correct?

Can you post a screenshot of what your policy with the app looks like?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:safekey
ID: 23669763
xxdc - Just tried that. Same issue. Just to let you know I have the share on the AD server. This is ina  test domain, so I dont have a seperate file server.

Nappy - I meant I did gpupdate /force on the client machine sorry. That forces you to restart. I have the GPO setup to do the install on logon. The pemissions are definately correct. If I browse to that directory form any of the client machines I can get to the directory fine and and also run the installer.

Etopas - Not sure I fully understand what you've written, but i'll give it a go and see if I can do it that way.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23669790
Yes but what are the permissions you have set?

Can you try deploying to a workstation rather than a user?

>>Verify that the source exists and that you can access it.  This indicates an issue with your path to the file or permissions.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 23669829
One other thing you can try is setting the NTFS permissions for "Domain Computers" with full control.
0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 23669895
this is not the permissions issue, try to simply enter the path on the workstation after logging in then you'll know if the path is accessible. try to upgrade the installer on one of the workstations to
http://www.microsoft.com/downloads/details.aspx?familyid=5A58B56F-60B6-4412-95B9-54D056D6F9F4&displaylang=en
see if this works
0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 23669937
also, a question did you try to upgrade any previous version of msxml ?

additionally use the cleaner
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

then try again
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 23669989
Granted you may or many not have performed all of these steps but this could be a helpful checklist as far as the issues your facing.

http://support.microsoft.com/kb/816102
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23670049
This is either his permissions or his UNC path.  Can the auther please post a scrnshot of his permissions on the App deployment and a screenshot of app deployed in the GPO?

0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 23670077
I agree ^^^^
0
 

Author Comment

by:safekey
ID: 23670399
Hi All,

I can access the msi file from all of my client machine using the same UNC path as i've set on the deployment settings for the software.

I have no other xml installed on the machine. It doesnt matter anyway, I have tried to push out five different msi packages and I get the same issue with all of them.

I have attached some screenshots.


depsettings.JPG
gposecsettings.JPG
secperms.JPG
shareperms.JPG
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23670541
Can you please add a computer object directly to the GPO permissions for the app, reboot and see it if deploys?  I usually leave authenticated users in my app deployment policies but don't see it listed here.  It should not make a difference but thought I would mention this.
0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 23670657
As I mentioned way above:
1. upgrade msi installer to 4.5
2. additionally use the cleaner
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

then try again
0
 

Author Comment

by:safekey
ID: 23670841
Nappy - Just tried that, didnt work.

Roads - I will try this now.
0
 

Author Comment

by:safekey
ID: 23670925
Tried that Roads, exactly the same issues and errors.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23670947
This TID from MS describes the problem.  Somewhere your NTFS and share permissions are not correct http://support.microsoft.com/kb/278472

What is the event id error number?
0
 

Author Comment

by:safekey
ID: 23671089
They are the errors I am getting Nappy, but the correct persmissions are set.

I have also set the share for full access for everyone.
computerobj.JPG
0
 
LVL 6

Expert Comment

by:_etoptas
ID: 23671574
can you also post the security of gpo object (not msi security tab)?

fm
0
 

Author Comment

by:safekey
ID: 23671716
Etopas - Here it is. Authenticated users, everyone & the computer object are all set to full control.
gpoobjectsec.JPG
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23671759
Can you click on the computer ppdemo and show its permissions?
0
 
LVL 6

Expert Comment

by:_etoptas
ID: 23671883
I meant, open Group Policy Object Editor, click on Delegation tab on right hand side and click on advanced. Do authenticated users (you dont need to add everyone) have apply group policy check?
0
 
LVL 6

Expert Comment

by:_etoptas
ID: 23671901
sorry I just saw. ignore my last comment.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23671936
Agreed, I eluded to that a few posts ago.. :)
0
 

Author Comment

by:safekey
ID: 23672105
PDdemo is set to allow full access.
0
 
LVL 6

Expert Comment

by:_etoptas
ID: 23672130
Can you let us know how did you packed the MSI file? Standard download from MS? Did you make any modifications to MSI File? maybe the error is coming from the file?
0
 

Author Comment

by:safekey
ID: 23672441
Etopas - I've tried fie different msi files. One of them was edited, and the rest were in their original state. All with the same result.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23677658
Try adding Domain Computers to the  Authenticated Users group
0
 

Author Comment

by:safekey
ID: 23679012
Where can I find Authenticated Users as a group? If I double click on "Domain Computers" and try to add "Authenticated Users" it doesnt show as an option. I've put "Domain Computers" in the Admin group, but it wont allow me to add it to authenticated users that way.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23679251
You should be able to type the group  name authenticate Users and it will ad the group to the security tab.
0
 

Author Comment

by:safekey
ID: 23679306
If I double lcikc on "Domain Computers" there is only a member of option, not a security option. If I click member of, it cant find "authenticated users". I can only find authenticated users if i'm in a security tab of a folder.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23679370
You should be able to add it just like this in my screen shot

Picture-82.png
0
 

Author Comment

by:safekey
ID: 23679411
I must be trying this in the wrong bit, because I only get the choice to add groups or built in security principals.
other.JPG
0
 

Author Comment

by:safekey
ID: 23679563
Ok, I just changed the GPO to push the package out to the user rather than the computer object and it worked absolutely fine. Very weird. Any ideas, because i'd rather push them out via computer objects than users.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23688352
You really need to have that group named authenticated users in the security.  Try this, create a group for your computers, add alll the computers to the group, add the group to the application deployment.  See if it deploys now...
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23688357
Follow the guide and you should be good to go.
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 24783381
Question PAQ'd, 500 points refunded, and stored in the solution database.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question