• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1467
  • Last Modified:

assigning MSI using group policy

Using 2003 server, and XP pro, sp3.

I've setup computer OU, placed test pc in the OU, created new GPO, applied policy to group "domain computers", created new package, etc.

I've created a share, placed a flash, version 10.MSI package in the share. Gave the group "domain computers" read, execute to the share and file security.

When i reboot the test pc, after "applying computer settings" on startup, it says "installing assigned msi package, flash version 10," something close to that phrasing. So it appears the policy is applied, and it doesn't error or anything, completes startup, i login, go to adobe.com, verify the version, and i'm still running version 7 on the test pc, not version 10.

Does anyone know why it appears to be installing, but is not and how to troubleshoot?
0
CCLCLS
Asked:
CCLCLS
  • 11
  • 9
  • 4
  • +1
1 Solution
 
Jon WinterburnCommented:
I had a similar problem with upgrading from Acrobat Reader 8.1.1 to 9. Version 8.1.1 had been installed by GPO msi, so I simply added version 9. However, only some machines did it correctly - many machines did not. I'd get the same "installing assigned app" message, but when I looked in event viewer, there was an error in uninstalling the old version, so version 9 only half-installed.

First, check the event logs on this machine. Also check Add/Remove programs to see if that thinks it is installed. If there are errors in event viewer, you can install and run Windows Installer CleanUp Utility which you can use to forcibly remove the old version of Flash. You can then reboot and let GPO try to install Flash 10 again, and once you log in, have a look and see if it's installed properly this time.

Download it here: http://support.microsoft.com/kb/290301
0
 
CCLCLSAuthor Commented:
i'll try it later this evening. it seems this GP method of pushing out apps is very limited. If i have several hundred computers, i have to login to each one to verify the installation was actually successful, it doesn't report?

thanks for reply
0
 
Jon WinterburnCommented:
In my experience it's not the best, no. Having said that, I have installed UPHC service to hundreds of machines via GPO and not one failed. But Adobe Reader and Adobe Flash has always given me problems. Whether that's a fault with the Adobe MSI's or just a coincidence, I don't know.

Instead of using GPO, I now install the apps using msiexec (Windows Installer command line tool) within the logon script (it just means rebooting all PC's, getting them to logon and then once all have installed, removing the msiexec line from the logon script to prevent it installing again).

More about msiexec commands here:
http://technet.microsoft.com/en-us/library/cc759262.aspx
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
Vadim RappCommented:
> it doesn't report?

it does not. SMS does. But in most cases, if you do it right, it gets installed everywhere without a problem.

First look into the event log, and maybe into the machine %temp% folder (usually \windows\temp) for a file MSI*.log.
0
 
CCLCLSAuthor Commented:
I'm getting event 102. The install of application Adobe Flash Player 10 ActiveX from policy MSI failed.  The error was : The installation source for this product is not available.  Verify that the source exists and that you can access it.

event 108: Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : The installation source for this product is not available.  Verify that the source exists and that you can access it.

event 1085: The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.

the security/share settigns have been given to the AD group "domain computers" which the test pc is a member. and the GPO is being applied to "domain computers."  what am i missing? thanks
0
 
Vadim RappCommented:
try to give permissions to domain users as well. I know that the assignment is per computer, but still.
0
 
CCLCLSAuthor Commented:
will try tomorrow
0
 
Vadim RappCommented:
sorry, not to Domain Users but to Authenticated Users.
0
 
Jon WinterburnCommented:
> The installation source for this product is not available.

I assume you definitely have the correct source path stipulated within the GPO?
0
 
CCLCLSAuthor Commented:
tried domain users and authenticated users no help.

everything i've read says  the domain computer group is sufficient and that group has read/execute and has the policy being applied...

yesthe path is correct.. \\server\share\file.msi

nothing in add/remove programs

also tried windows installer cleanup utility

same proble, it says it is installing on boot, buy i get the same event log errors and flash version 7 is still the version
0
 
Vadim RappCommented:
look in the security event log on the server, maybe enable object access audit on the server for this directory - see http://technet.microsoft.com/en-us/library/cc787268.aspx - or run filemon. The purpose is to see whether the workstation is trying to get the file, and what happens.

also, is the server real, or hosted on vmware or such?
0
 
Jon WinterburnCommented:
But have you uninstalled Flash 7 (and run Windows Installer cleanup after to make sure it's gone) and then rebooted and seen if version 10 installs fine? Just want to rule out it's not 7 refusing to uninstall prior to 10 installing.
0
 
CCLCLSAuthor Commented:
it is a snap server, i don't think i can setup auditing to my knowledge...

yes, uninstalled flash 7, ran cleanup, rebooted, it says it is installing 10 but doesn't, so actually 7 is gone, and i have no version installed now...
0
 
Vadim RappCommented:
one possibility is that this is not a full self-contained msi, but should be accompanied by external files, like in administrative installation.

Can you copy this msi to a local directory and run from there; will it work?
0
 
CCLCLSAuthor Commented:
yes, the MSI installs all by itself with no problems or external files
0
 
Vadim RappCommented:
I think the only way is to monitor what file it's trying to get and what fails. If you can't do it on server side, then another way is to use sysinternals' process monitor and initiate boot logging.
0
 
CCLCLSAuthor Commented:
probably going to look at using something other the group policy. it simply isnt working, everything is set correctly, and it gives no useful information to try to resolve the problem.

i realize i can't access the MSI file, but why? all security is set for domain computers to read/execute. this system sucks.
0
 
ThinkPaperCommented:
another option for deploying is to do a remote push to all clients. This is what we currently use instead of depending of group policy for software installs. Just download psexec and drop in your System32 folder, then create a text file with all the computers listed on each line (i usually do a export from AD), then run the command below.
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

I have been able to deploy flash with this method with no problems.

psexec @computerlist.txt -u domain\Admin -p Password msiexec /i "\\Software\Installation Software\Flash\install_flash_player_active_x.msi" /qn

I would do a test deploy on your own machine to ensure it works.. This way you can at least rule out whether it's an issue with Group Policy itself or perhaps an issue with the security rights of the network folder, where you've placed the flash MSI. Check event logs after this runs on your machine.

psexec \\computer1,computer2 -u domain\Admin -p Password msiexec /i "\\Software\Installation Software\Flash\install_flash_player_active_x.msi" /qn

Also note that there's 2 diff installs.. the plugin and activex.. activex for IE and plugin for Mozilla.
0
 
ThinkPaperCommented:
The only other thing to check is to ensure that you have the proper msi to do a mass deploy.. Adobe has this thing with ensuring you fill out a request and license info to get the distributable version of the install. It usually takes a couple days before you get a reply from Adobe with a link of where to download the distributable MSI.
0
 
Vadim RappCommented:
> Adobe has this thing with ensuring you fill out a request and license info to get the distributable version of the instalL

on the other hand, you might even not that this thing and license exist if you go straight to their anonymous ftp.

0
 
CCLCLSAuthor Commented:
i followed the licensing steps given by adobe, and was sent an email linking me to the download for the distributable MSI package.

it is not a licensing issue.

i am going to setup a standard windows share and attempt to install the MSI from there, bypassing the snap server...not sure what difference it will make as the security settings are set correctly just like the other hundered shares we have...
0
 
CCLCLSAuthor Commented:
i am also using the active x package for IE....everything is correct....GP sucks
0
 
ThinkPaperCommented:
sneaky... =)
0
 
Vadim RappCommented:
> GP sucks

We have here dozens of applications, all distributed by GP, including Flash, Reader, MS Office, other 3rd parties, our own stuff, repackaged stuff... all works fine. There was certain learning curve with mistakes and revelations, but not harder than I guess any other technique would be.
0
 
CCLCLSAuthor Commented:
ok so let me replace "sucks" with "stinks" to be less offensive.

Then then me replace "GP" with "snap server"

so, "snap server stinks"

it works fine from the windows share. I have many other shares on the snap server, i also have other install points from the snap server, and have manually run MSI packages from it before also. so, i'm not really sure why it wouldn't work to have it as the distribution point...security/share settings were correct on the snap server. same settings were used on the windows share (domain computers, read and execute...that's it)

thanks for sticking with this question. not sure how to assign points...suggestions?
0
 
CCLCLSAuthor Commented:
ok so can you close this question or do i?

the points don't actually cost me anything right? I just pay a yearly fee.
0
 
Vadim RappCommented:
1. you do. The above is only comment :-)
2. right
0
 
ThinkPaperCommented:
glad you got it solved =)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 11
  • 9
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now