CCLCLS
asked on
assigning MSI using group policy
Using 2003 server, and XP pro, sp3.
I've setup computer OU, placed test pc in the OU, created new GPO, applied policy to group "domain computers", created new package, etc.
I've created a share, placed a flash, version 10.MSI package in the share. Gave the group "domain computers" read, execute to the share and file security.
When i reboot the test pc, after "applying computer settings" on startup, it says "installing assigned msi package, flash version 10," something close to that phrasing. So it appears the policy is applied, and it doesn't error or anything, completes startup, i login, go to adobe.com, verify the version, and i'm still running version 7 on the test pc, not version 10.
Does anyone know why it appears to be installing, but is not and how to troubleshoot?
I've setup computer OU, placed test pc in the OU, created new GPO, applied policy to group "domain computers", created new package, etc.
I've created a share, placed a flash, version 10.MSI package in the share. Gave the group "domain computers" read, execute to the share and file security.
When i reboot the test pc, after "applying computer settings" on startup, it says "installing assigned msi package, flash version 10," something close to that phrasing. So it appears the policy is applied, and it doesn't error or anything, completes startup, i login, go to adobe.com, verify the version, and i'm still running version 7 on the test pc, not version 10.
Does anyone know why it appears to be installing, but is not and how to troubleshoot?
ASKER
i'll try it later this evening. it seems this GP method of pushing out apps is very limited. If i have several hundred computers, i have to login to each one to verify the installation was actually successful, it doesn't report?
thanks for reply
thanks for reply
In my experience it's not the best, no. Having said that, I have installed UPHC service to hundreds of machines via GPO and not one failed. But Adobe Reader and Adobe Flash has always given me problems. Whether that's a fault with the Adobe MSI's or just a coincidence, I don't know.
Instead of using GPO, I now install the apps using msiexec (Windows Installer command line tool) within the logon script (it just means rebooting all PC's, getting them to logon and then once all have installed, removing the msiexec line from the logon script to prevent it installing again).
More about msiexec commands here:
http://technet.microsoft.com/en-us/library/cc759262.aspx
Instead of using GPO, I now install the apps using msiexec (Windows Installer command line tool) within the logon script (it just means rebooting all PC's, getting them to logon and then once all have installed, removing the msiexec line from the logon script to prevent it installing again).
More about msiexec commands here:
http://technet.microsoft.com/en-us/library/cc759262.aspx
> it doesn't report?
it does not. SMS does. But in most cases, if you do it right, it gets installed everywhere without a problem.
First look into the event log, and maybe into the machine %temp% folder (usually \windows\temp) for a file MSI*.log.
it does not. SMS does. But in most cases, if you do it right, it gets installed everywhere without a problem.
First look into the event log, and maybe into the machine %temp% folder (usually \windows\temp) for a file MSI*.log.
ASKER
I'm getting event 102. The install of application Adobe Flash Player 10 ActiveX from policy MSI failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.
event 108: Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.
event 1085: The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.
the security/share settigns have been given to the AD group "domain computers" which the test pc is a member. and the GPO is being applied to "domain computers." what am i missing? thanks
event 108: Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.
event 1085: The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.
the security/share settigns have been given to the AD group "domain computers" which the test pc is a member. and the GPO is being applied to "domain computers." what am i missing? thanks
try to give permissions to domain users as well. I know that the assignment is per computer, but still.
ASKER
will try tomorrow
sorry, not to Domain Users but to Authenticated Users.
> The installation source for this product is not available.
I assume you definitely have the correct source path stipulated within the GPO?
I assume you definitely have the correct source path stipulated within the GPO?
ASKER
tried domain users and authenticated users no help.
everything i've read says the domain computer group is sufficient and that group has read/execute and has the policy being applied...
yesthe path is correct.. \\server\share\file.msi
nothing in add/remove programs
also tried windows installer cleanup utility
same proble, it says it is installing on boot, buy i get the same event log errors and flash version 7 is still the version
everything i've read says the domain computer group is sufficient and that group has read/execute and has the policy being applied...
yesthe path is correct.. \\server\share\file.msi
nothing in add/remove programs
also tried windows installer cleanup utility
same proble, it says it is installing on boot, buy i get the same event log errors and flash version 7 is still the version
look in the security event log on the server, maybe enable object access audit on the server for this directory - see http://technet.microsoft.com/en-us/library/cc787268.aspx - or run filemon. The purpose is to see whether the workstation is trying to get the file, and what happens.
also, is the server real, or hosted on vmware or such?
also, is the server real, or hosted on vmware or such?
But have you uninstalled Flash 7 (and run Windows Installer cleanup after to make sure it's gone) and then rebooted and seen if version 10 installs fine? Just want to rule out it's not 7 refusing to uninstall prior to 10 installing.
ASKER
it is a snap server, i don't think i can setup auditing to my knowledge...
yes, uninstalled flash 7, ran cleanup, rebooted, it says it is installing 10 but doesn't, so actually 7 is gone, and i have no version installed now...
yes, uninstalled flash 7, ran cleanup, rebooted, it says it is installing 10 but doesn't, so actually 7 is gone, and i have no version installed now...
one possibility is that this is not a full self-contained msi, but should be accompanied by external files, like in administrative installation.
Can you copy this msi to a local directory and run from there; will it work?
Can you copy this msi to a local directory and run from there; will it work?
ASKER
yes, the MSI installs all by itself with no problems or external files
I think the only way is to monitor what file it's trying to get and what fails. If you can't do it on server side, then another way is to use sysinternals' process monitor and initiate boot logging.
ASKER
probably going to look at using something other the group policy. it simply isnt working, everything is set correctly, and it gives no useful information to try to resolve the problem.
i realize i can't access the MSI file, but why? all security is set for domain computers to read/execute. this system sucks.
i realize i can't access the MSI file, but why? all security is set for domain computers to read/execute. this system sucks.
another option for deploying is to do a remote push to all clients. This is what we currently use instead of depending of group policy for software installs. Just download psexec and drop in your System32 folder, then create a text file with all the computers listed on each line (i usually do a export from AD), then run the command below.
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
I have been able to deploy flash with this method with no problems.
psexec @computerlist.txt -u domain\Admin -p Password msiexec /i "\\Software\Installation Software\Flash\install_fla sh_player_ active_x.m si" /qn
I would do a test deploy on your own machine to ensure it works.. This way you can at least rule out whether it's an issue with Group Policy itself or perhaps an issue with the security rights of the network folder, where you've placed the flash MSI. Check event logs after this runs on your machine.
psexec \\computer1,computer2 -u domain\Admin -p Password msiexec /i "\\Software\Installation Software\Flash\install_fla sh_player_ active_x.m si" /qn
Also note that there's 2 diff installs.. the plugin and activex.. activex for IE and plugin for Mozilla.
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
I have been able to deploy flash with this method with no problems.
psexec @computerlist.txt -u domain\Admin -p Password msiexec /i "\\Software\Installation Software\Flash\install_fla
I would do a test deploy on your own machine to ensure it works.. This way you can at least rule out whether it's an issue with Group Policy itself or perhaps an issue with the security rights of the network folder, where you've placed the flash MSI. Check event logs after this runs on your machine.
psexec \\computer1,computer2 -u domain\Admin -p Password msiexec /i "\\Software\Installation Software\Flash\install_fla
Also note that there's 2 diff installs.. the plugin and activex.. activex for IE and plugin for Mozilla.
The only other thing to check is to ensure that you have the proper msi to do a mass deploy.. Adobe has this thing with ensuring you fill out a request and license info to get the distributable version of the install. It usually takes a couple days before you get a reply from Adobe with a link of where to download the distributable MSI.
> Adobe has this thing with ensuring you fill out a request and license info to get the distributable version of the instalL
on the other hand, you might even not that this thing and license exist if you go straight to their anonymous ftp.
on the other hand, you might even not that this thing and license exist if you go straight to their anonymous ftp.
ASKER
i followed the licensing steps given by adobe, and was sent an email linking me to the download for the distributable MSI package.
it is not a licensing issue.
i am going to setup a standard windows share and attempt to install the MSI from there, bypassing the snap server...not sure what difference it will make as the security settings are set correctly just like the other hundered shares we have...
it is not a licensing issue.
i am going to setup a standard windows share and attempt to install the MSI from there, bypassing the snap server...not sure what difference it will make as the security settings are set correctly just like the other hundered shares we have...
ASKER
i am also using the active x package for IE....everything is correct....GP sucks
sneaky... =)
> GP sucks
We have here dozens of applications, all distributed by GP, including Flash, Reader, MS Office, other 3rd parties, our own stuff, repackaged stuff... all works fine. There was certain learning curve with mistakes and revelations, but not harder than I guess any other technique would be.
We have here dozens of applications, all distributed by GP, including Flash, Reader, MS Office, other 3rd parties, our own stuff, repackaged stuff... all works fine. There was certain learning curve with mistakes and revelations, but not harder than I guess any other technique would be.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok so can you close this question or do i?
the points don't actually cost me anything right? I just pay a yearly fee.
the points don't actually cost me anything right? I just pay a yearly fee.
1. you do. The above is only comment :-)
2. right
2. right
glad you got it solved =)
First, check the event logs on this machine. Also check Add/Remove programs to see if that thinks it is installed. If there are errors in event viewer, you can install and run Windows Installer CleanUp Utility which you can use to forcibly remove the old version of Flash. You can then reboot and let GPO try to install Flash 10 again, and once you log in, have a look and see if it's installed properly this time.
Download it here: http://support.microsoft.com/kb/290301