Group Policy User Configuration Script only deploys MSI via local admin privileges

I am trying to deploy a  logmein msi file (www.logmein.com/logmein.msi) with the following script:

%systemdirectory%\system32\msiexec.exe /q /i [path]/logmein.msi DEPLOYID=[deployID]

The deployment is currently tested with one department and it actually runs because logmein central shows that these machines authenticated with their site.  However, the actual msi is never installed unless I up the local user to local admin privileges.  This can't be, right?  Do I have to up their privileges?
snoopaloopAsked:
abelenkiyCommented:
Where did you put the script? logon or computer startup?
logon is user level, computer startup is the one you want.
0
snoopaloopAuthor Commented:
oh really?  I think logon
0
abelenkiyCommented:
Just move the script to computer startup.
0

snoopaloopAuthor Commented:
So in my snapshot I have everything in user configuration. Are you suggesting computer configuration, policies, windows settings, scripts, startup? Then browse... computer configuration; drop in "machines, script, start up" and drop the script there? Will there be any conflict with my other login scripts in user configuration?
Capture.PNG
0
snoopaloopAuthor Commented:
The policy is applied but the script is not running under computer configuration.  However, the script user configuration is working within the same policy object.
0
abelenkiyCommented:
apply the new computer policy on a computer OU as opposed to a user OU.
0
abelenkiyCommented:
That is an OU with computers. I don't think you can apply on computers container as that is not an OU.
0
Steve KnightIT ConsultancyCommented:
Does the computer account have rights to where you have put the msi files - if this is from a share then it needs to have share and ntfs rights for authenticated users normally, assuming the script is running but not showing you anything?

Have you tried the application deployment abilities of group policy... not sure if the deploy ID entry is something you specifically need, and whether that could be put in off hand though...

sorry if any typos, typing one handed ... baby asleep in other arm :-)
0
snoopaloopAuthor Commented:
I applied it to the workstation OU, added domain computers to the file server shared folder containing the msi with read privileges. Application deployment wasn't getting me anywhere either. It's 5p. Throw some suggestions over the weekend but I probably won't reply until Monday. Thank you for the assistance.
0
abelenkiyCommented:
Dragon-it is right, test out by giving everyone read control on that share as a test.
Remember to add the same in ntfs.
0
abelenkiyCommented:
Also please make sure you use different group policies for the different tasks you are doing. Don't mix this in with another policy that is supposed to be on a user level for example.
http://support.microsoft.com/kb/816102
0
snoopaloopAuthor Commented:
I've got it. I got rid of the batch file with msiexec command and now I point directly to the logmein.msi file with the unique Deploy ID within the GPO. It shows the script running on the workstation prior to login prompt and the actual program now is loaded in system tray.

I still don't understand what I could have done differently with the batch (cuz I confirmed permissions) file but it doesn't matter now.  Thanks all for your help.  Any last thoughts?
GPO.png
0
abelenkiyCommented:
Can you post the batch file contents you used? I want to see what went wrong.
But this way is good as well.
0
snoopaloopAuthor Commented:
So in the GPO "startup" we pointed to the as.bat below instead of pointing directly to the msi as we are doing now...
(as.bat)
call n:\xxxxxx\\scripts\logmein.bat

There was a shared server folder
(logmein.bat)
%windir%\system32\msiexec.exe /i n:\xxxxxx\scripts\logmein.msi DEPLOYID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /q /Liwea "n:\all xxx\lmi.log"
0
nathanwilliamsCommented:
to fix your problem,
in the group policy you created

If it is a computer policy, use these steps.   If a user policy, then it is in pretty much the same place under user configuration

expand computer configuration
expand administrative templates
expand windows components
highlight windows installer
on the right side, should be second option, change it to Always install with elevated privileges. Further down you can also enable logging if you want for troubleshooting.

Hope this helps
0
snoopaloopAuthor Commented:
I was looking at that the other day.  I was worried about the adverse effect of me elevating their privileges.  Pointing directly to the msi still seems like best practice.
0
nathanwilliamsCommented:
It only elevates the privilege for that one software gpo install. It does not elevate the privileges of the user. Similar to the runas command if you want to think of it in that respect.
0
snoopaloopAuthor Commented:
That's really cool but I thought since we are editing under "computer configuration" that any adjustment on user privileges would not be necessary?
0
nathanwilliamsCommented:
If you don't use the elevated privileges, it will use the privileges of the local logged in user.
0
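An added check, not part of the original thread, for the "Always install with elevated privileges" policy discussed above. Per Microsoft's documentation the policy takes effect only when enabled under both Computer and User Configuration, and it then applies to every Windows Installer package the user runs, so it is worth confirming where it is set. Run it in the user's session; the variable names and output wording are this example's own.

```batch
@echo off
rem Added example: report whether AlwaysInstallElevated is set in each scope.
setlocal
set SUBKEY=SOFTWARE\Policies\Microsoft\Windows\Installer
set MACHINE_ON=0
set USER_ON=0

rem reg query prints the DWORD as 0x1 when the policy is enabled
reg query "HKLM\%SUBKEY%" /v AlwaysInstallElevated 2>nul | find "0x1" >nul && set MACHINE_ON=1
reg query "HKCU\%SUBKEY%" /v AlwaysInstallElevated 2>nul | find "0x1" >nul && set USER_ON=1

echo Computer Configuration value enabled: %MACHINE_ON%
echo User Configuration value enabled:     %USER_ON%

if "%MACHINE_ON%%USER_ON%"=="11" (
  echo RESULT: in effect. Packages started by %USERNAME% install with system privileges.
  exit /b 1
)
if "%MACHINE_ON%%USER_ON%"=="00" (
  echo RESULT: not configured for this user on this computer.
  exit /b 0
)
echo RESULT: set in one scope only, so not in effect. Remove the leftover value.
exit /b 0
```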
Steve KnightIT ConsultancyCommented:
Your script did not work because you were running the batch file from an "N:" drive which does not exist for the computer when it runs the startup account, e.g.

@Echo off
net use > C:\netuse.txt

and if you added that as a startup it would (should!) show no drives mapped.  You would do this using UNC paths, i.e.

\\server\share\scripts\logmein.bat

There was a shared server folder
(logmein.bat)
%windir%\system32\msiexec.exe /i \\server\share\scripts\logmein.msi DEPLOYID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /q /Liwea "\\server\share\all xxx\lmi.log"
etc.

Steve
0
abelenkiyCommented:
nathanwilliams, he is not running it under user logon context.
It is under computer startup now.
That should run using the computer's credentials not the user.
What I see wrong with the batch file is that the computer account would not see a mapped N drive that was mapped under the user's credentials.
0
snoopaloopAuthor Commented:
I just tried with another workstation OU to apply using the UNC and it did not work.   As far as what I can see, batch only works under user configuration not computer.  The app deployed fine once again as soon as I removed the batch and redirected the GPO to msi
0
Steve KnightIT ConsultancyCommented:
Batch scripts DO work as startup, accessing network resources gets more tricky but it should be possible to work.  I imagine if you did a batch file asking:

@echo off
net use n: \\server\share > C:\test.txt 2>&1
dir N: >> c:\test.txt

it may give an idea of what is going wrong.

Anyway, as you have it working now I guess this is just academic and it is heading to 1am here with an early start tomorrow so I am off now and good luck with the method you are using now!

Steve
0
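An added example, not from the thread: a computer-startup version of logmein.bat that uses UNC paths as Steve Knight describes and keeps its diagnostics on the local disk, so a failure under the computer account leaves a readable trace. `\\server\share` is the thread's placeholder; the two log file names and the `DEPLOYID` placeholder are assumptions of this example.

```batch
@echo off
rem Added example: startup-script install with local diagnostics.
rem Startup scripts run as Local System, which reaches the network as the
rem computer account and has none of the user's mapped drives.
setlocal
set SRC=\\server\share\scripts\logmein.msi
set LOG=%SystemDrive%\lmi-startup.log
set MSILOG=%SystemDrive%\lmi-msi.log

>>"%LOG%" echo ==== %DATE% %TIME% on %COMPUTERNAME% ====
>>"%LOG%" echo Running as %USERDOMAIN%\%USERNAME%
rem Record mapped drives; none of the user's mappings exist in this context.
net use >>"%LOG%" 2>&1

rem Stop with a reason in the log if the computer account cannot read the share.
if not exist "%SRC%" (
  >>"%LOG%" echo ERROR: cannot read %SRC% ^(check share and NTFS rights^)
  exit /b 2
)

rem Log to the local disk: msiexec fails with error 1622 when it cannot open
rem its log file, which happens if the share grants the computer read only.
start /wait "" "%windir%\system32\msiexec.exe" /i "%SRC%" DEPLOYID=YOUR-DEPLOY-ID /q /Liwea "%MSILOG%"
set RC=%ERRORLEVEL%
>>"%LOG%" echo msiexec exit code %RC%
exit /b %RC%
```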
snoopaloopAuthor Commented:
We found an effective solution.  Thanks guys!
0
Windows Server 2003