snoopaloop asked:

Group Policy User Configuration Script only deploys MSI via local admin privileges

I am trying to deploy a logmein msi file (www.logmein.com/logmein.msi) with the following script:

%systemdirectory%\system32\msiexec.exe /q /i [path]/logmein.msi DEPLOYID=[deployID]

The deployment is currently tested with one department and it actually runs because logmein central shows that these machines authenticated with their site.  However, the actual msi is never installed unless I up the local user to local admin privileges.  This can't be, right?  Do I have to up their privileges?
abelenkiy

Where did you put the script? Logon or computer startup?
Logon is user level; computer startup is the one you want.

ASKER

oh really?  I think logon
So in my snapshot I have everything in user configuration.  Are you suggesting computer configuration, policies, windows settings, scripts, startup?  Then browse...  computer configuration; drop in "machines, script, start up" and drop the script there?  Will there be any conflict with my other login scripts in user configuration?
The policy is applied but the script is not running under computer configuration.  However, the script user configuration is working within the same policy object.
Apply the new computer policy on a computer OU as opposed to a user OU.
That is an OU with computers. I don't think you can apply on the Computers container, as that is not an OU.
Steve Knight
Does the computer account have rights to where you have put the msi files - if this is from a share then it needs to have share and NTFS rights for authenticated users normally, assuming the script is running but not showing you anything?

Have you tried the application deployment abilities of group policy... not sure if the deploy ID entry is something you specifically need, and whether that could be put in off hand though...

sorry if any typos, typing one handed ... baby asleep in other arm :-)
I applied it to the workstation OU, added domain computers to the file server shared folder containing the msi with read privileges.  Application deployment wasn't getting me anywhere either.  It's 5p.  Throw some suggestions over the weekend but I probably won't reply until Monday.  Thank you for the assistance.
Dragon-it is right, test out by giving everyone read control on that share as a test.
Remember to add the same in NTFS.
Also please make sure you use different group policies for the different tasks you are doing. Don't mix this in with another policy that is supposed to be on a user level, for example.
http://support.microsoft.com/kb/816102
I've got it.  I got rid of the batch file with the msiexec command and now I point directly to the logmein.msi file with the unique Deploy ID within the GPO.  It shows the script running on the workstation prior to the login prompt and the actual program is now loaded in the system tray.

I still don't understand what I could have done differently with the batch (cuz I confirmed permissions) file but it doesn't matter now.  Thanks all for your help.  Any last thoughts?
Can you post the batch file contents you used? I want to see what went wrong.
But this way is good as well.
So in the GPO "startup" we pointed to the as.bat below instead of pointing directly to the msi as we are doing now...
(as.bat)
call n:\xxxxxx\\scripts\logmein.bat

There was a shared server folder
(logmein.bat)
%windir%\system32\msiexec.exe /i n:\xxxxxx\scripts\logmein.msi DEPLOYID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /q /Liwea "n:\all xxx\lmi.log"
To fix your problem,
in the group policy you created

If it is a computer policy, use these steps.   If a user policy, then it is in pretty much the same place under user configuration

expand computer configuration
expand administrative templates
expand windows components
highlight windows installer
on the right side, should be second option, change it to Always install with elevated privileges.    Further down you can also enable logging if you want for troubleshooting.

Hope this helps
I was looking at that the other day.  I was worried about the adverse effect of me elevating their privileges.  Pointing directly to the msi still seems like best practice.
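The concern raised above can be checked on any workstation. This audit script is an added example, not code from the thread: it reads the two registry values that the "Always install with elevated privileges" policy writes and reports whether the setting is active. Windows Installer honours the setting only when it is enabled in both Computer and User Configuration, and in that state any package the user launches is installed with SYSTEM rights, which is why many hardening baselines require it to be disabled. The function name is hypothetical.

```powershell
# Added example (not from the thread): report whether the Windows Installer
# elevation policy is switched on for this computer and the current user.
$ValueName  = 'AlwaysInstallElevated'
$PolicyKeys = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Test-InstallerElevation {
    param([string]$KeyPath, [string]$Name)
    # A missing key or value means the policy is not configured in that scope.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    return [bool]($item -and ($item.$Name -eq 1))
}

$state = [ordered]@{}
foreach ($scope in $PolicyKeys.Keys) {
    $state[$scope] = Test-InstallerElevation -KeyPath $PolicyKeys[$scope] -Name $ValueName
}

if ($state.Computer -and $state.User) {
    $verdict = 'ENABLED in both scopes: any .msi this user launches installs with SYSTEM rights.'
} elseif ($state.Computer -or $state.User) {
    $verdict = 'Set in one scope only: not effective yet, but one more change enables it.'
} else {
    $verdict = 'Not set: user-launched packages install with that user''s rights.'
}

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    UserName       = "$env:USERDOMAIN\$env:USERNAME"
    ComputerPolicy = $state.Computer
    UserPolicy     = $state.User
    Verdict        = $verdict
}
```

The HKCU check covers only the account running the script, so run it in the context of the user whose policy you want to verify.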
That's really cool but I thought since we are editing under "computer configuration" that any adjustment on user privileges would not be necessary?
If you don't use the elevated privileges, it will use the privileges of the local logged in user.
Your script did not work because you were running the batch file from an "N:" drive which does not exist for the computer when it runs the startup account, e.g.

@Echo off
net use > C:\netuse.txt

and if you added that as a startup it would (should!) show no drives mapped.  You would do this using UNC paths, i.e.

\\server\share\scripts\logmein.bat

There was a shared server folder
(logmein.bat)
%windir%\system32\msiexec.exe /i \\server\share\scripts\logmein.msi DEPLOYID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /q /Liwea "\\server\share\all xxx\lmi.log"
etc.

Steve
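The points made in this answer and earlier in the thread (no mapped drives at startup, the computer account needing share and NTFS read access) can be built into the startup script itself. The following is an added example, not code from the thread, written as a PowerShell startup script rather than a batch file; the UNC path reuses the `\\server\share` placeholder from the answer, and the DEPLOYID value, log file names and exit codes 1 and 2 are assumptions.

```powershell
# Added example (not from the thread). Placeholders: $MsiPath and $DeployId.
$MsiPath  = '\\server\share\scripts\logmein.msi'
$DeployId = 'REPLACE-WITH-DEPLOY-ID'
$LogDir   = Join-Path $env:windir 'Temp'   # local disk: no write access to the share needed
$RunLog   = Join-Path $LogDir 'lmi-startup.log'
$MsiLog   = Join-Path $LogDir 'lmi-msi.log'

function Write-RunLog {
    param([string]$Message)
    ('{0:s}  {1}' -f (Get-Date), $Message) | Add-Content -Path $RunLog
}

# Record which account the script really runs as (SYSTEM for a startup script).
$identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-RunLog "Startup install running as $identity"

# Drive letters such as N: are mapped per user logon session, so insist on UNC.
if (-not ([uri]$MsiPath).IsUnc) {
    Write-RunLog "Refusing non-UNC path: $MsiPath"
    exit 1
}

# Over the network this process is the computer account; it needs share and NTFS read.
if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
    Write-RunLog "Cannot read $MsiPath as $identity (check share and NTFS permissions)"
    exit 2
}

$arguments = '/i "{0}" DEPLOYID={1} /q /Liwea "{2}"' -f $MsiPath, $DeployId, $MsiLog
$process = Start-Process -FilePath (Join-Path $env:windir 'System32\msiexec.exe') `
    -ArgumentList $arguments -Wait -PassThru

# 0 = success, 3010 = success but a restart is required; anything else is a failure.
switch ($process.ExitCode) {
    0       { Write-RunLog 'Install succeeded' }
    3010    { Write-RunLog 'Install succeeded, restart required' }
    default { Write-RunLog "msiexec failed with exit code $($process.ExitCode); see $MsiLog" }
}
exit $process.ExitCode
```

Because both logs are written to the local Windows Temp folder, a failed run leaves evidence on the workstation even when the share is unreachable.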
nathanwilliams, he is not running it under user logon context.
It is under computer startup now.
That should run using the computer's credentials not the user.
What I see wrong with the batch file is that the computer account would not see a mapped N drive that was mapped under the user's credentials.
I just tried with another workstation OU to apply using the UNC and it did not work.   As far as what I can see, batch only works under user configuration not computer.  The app deployed fine once again as soon as I removed the batch and redirected the GPO to msi
We found an effective solution.  Thanks guys!