snoopaloop
asked on
Group Policy User Configuration Script only deploys MSI via local admin privileges
I am trying to deploy a logmein msi file (www.logmein.com/logmein.msi) with the following script:
%systemdirectory%\system32\msiexec.exe /q /i [path]/logmein.msi DEPLOYID=[deployID]
The deployment is currently tested with one department and it actually runs because logmein central shows that these machines authenticated with their site. However, the actual msi is never installed unless I up the local user to local admin privileges. This can't be, right? Do I have to up their privileges?
ASKER
oh really? I think logon
ASKER
So in my snapshot I have everything in user configuration. Are you suggesting computer configuration, policies, windows settings, scripts, startup? Then browse... computer configuration; drop in "machines, script, start up" and drop the script there? Will there be any conflict with my other login scripts in user configuration?
Capture.PNG
ASKER
The policy is applied but the script is not running under computer configuration. However, the script user configuration is working within the same policy object.
Apply the new computer policy on a computer OU as opposed to a user OU.
That is an OU with computers. I don't think you can apply on computers container as that is not an OU.
Does the computer account have rights to where you have put the msi files - if this is from a share then it needs to have share and NTFS rights for authenticated users normally, assuming the script is running but not showing you anything?
Have you tried the application deployment abilities of group policy... not sure if the deploy ID entry is something you specifically need, and whether that could be put in off hand though...
sorry if any typos, typing one handed ... baby asleep in other arm :-)
ASKER
I applied it to the workstation OU, added domain computers to the file server shared folder containing the msi with read privileges. Application deployment wasn't getting me anywhere either. It's 5p. Throw some suggestions over the weekend but I probably won't reply until Monday. Thank you for the assistance.
Dragon-it is right, test out by giving everyone read control on that share as a test.
Remember to add the same in NTFS.
Also please make sure you use different group policies for the different tasks you are doing. Don't mix this in with another policy that is supposed to be on a user level for example.
http://support.microsoft.com/kb/816102
ASKER
I've got it. I got rid of the batch file with msiexec command and now I point directly to the logmein.msi file with the unique Deploy ID within the GPO. It shows the script running on the workstation prior to login prompt and the actual program now is loaded in system tray.
I still don't understand what I could have done differently with the batch (cuz I confirmed permissions) file but it doesn't matter now. Thanks all for your help. Any last thoughts?
GPO.png
Can you post the batch file contents you used? I want to see what went wrong.
But this way is good as well.
ASKER
So in the GPO "startup" we pointed to the as.bat below instead of pointing directly to the msi as we are doing now...
(as.bat)
call n:\xxxxxx\\scripts\logmein.bat
There was a shared server folder
(logmein.bat)
%windir%\system32\msiexec.exe /i n:\xxxxxx\scripts\logmein.msi DEPLOYID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /q /Liwea "n:\all xxx\lmi.log"
To fix your problem,
in the group policy you created
If it is a computer policy, use these steps. If a user policy, then it is in pretty much the same place under user configuration
expand computer configuration
expand administrative templates
expand windows components
highlight windows installer
on the right side, should be second option, change it to Always install with elevated privileges. Further down you can also enable logging if you want for troubleshooting.
Hope this helps
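An added check, not part of the post above: the policy it names is stored as the AlwaysInstallElevated registry value under both the machine and the user policy hive, and this batch script reports where it is set to 1. The exit codes are this example's own convention.

```bat
@echo off
rem Added example, not from the thread: report the state of the
rem "Always install with elevated privileges" policy on this machine.
setlocal
set "SUB=Software\Policies\Microsoft\Windows\Installer"
set "ON=0"

rem The policy is stored per hive: HKLM for Computer Configuration,
rem HKCU for User Configuration of the user running this script.
for %%H in (HKLM HKCU) do (
    reg query "%%H\%SUB%" /v AlwaysInstallElevated 2>nul | findstr /r "REG_DWORD.*0x1$" >nul
    if errorlevel 1 (
        echo %%H: not enabled
    ) else (
        echo %%H: AlwaysInstallElevated = 1
        set /a ON+=1
    )
)

rem Windows Installer elevates unmanaged packages only when both values are 1.
if %ON%==2 (
    echo RESULT: every MSI this user starts is installed with system privileges
    exit /b 2
)
echo RESULT: not in effect for this user
exit /b 0
```

Run it in the session of the user being checked, because HKCU resolves to that user's hive.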
ASKER
I was looking at that the other day. I was worried about the adverse effect of me elevating their privileges. Pointing directly to the msi still seems like best practice.
ASKER
That's really cool but I thought since we are editing under "computer configuration" that any adjustment on user privileges would not be necessary?
If you don't use the elevated privileges, it will use the privileges of the local logged in user.
Your script did not work because you were running the batch file from an "N:" drive which does not exist for the computer when it runs the startup account, e.g.
@Echo off
net use > C:\netuse.txt
and if you added that as a startup it would (should!) show no drives mapped. You would do this using UNC paths, i.e.
\\server\share\scripts\logmein.bat
There was a shared server folder
(logmein.bat)
%windir%\system32\msiexec.exe /i \\server\share\scripts\logmein.msi DEPLOYID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /q /Liwea "\\server\share\all xxx\lmi.log"
etc.
Steve
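Added example, not from Steve's post: a computer startup script built on the UNC advice above, with its own diagnostics written to local disk. \\server\share is the post's placeholder path; the DEPLOYID value and the log file names are assumptions.

```bat
@echo off
rem Added example, not from the thread. \\server\share is the placeholder
rem path used above; DEPLOYID and the log file names are assumptions.
setlocal
set "MSI=\\server\share\scripts\logmein.msi"
set "LOG=%SystemRoot%\Temp\lmi-startup.log"

rem A computer startup script runs under the computer's credentials, so
rem drive letters mapped in a user's session, such as N:, are absent.
rem Record the account and the mapped drives it actually sees.
>"%LOG%" echo [%DATE% %TIME%] account=%USERNAME% computer=%COMPUTERNAME%
net use >>"%LOG%" 2>&1

rem Stop early if the computer account cannot read the package: the share
rem is unreachable, or share/NTFS read rights are missing.
if not exist "%MSI%" (
    >>"%LOG%" echo ERROR: cannot read %MSI%
    exit /b 1
)

rem msiexec aborts with exit code 1622 when it cannot open its log file,
rem so the MSI log goes to local disk; the thread grants Domain Computers
rem only read access on the share.
start "" /wait "%SystemRoot%\System32\msiexec.exe" /i "%MSI%" DEPLOYID=REPLACE_WITH_DEPLOY_ID /q /Liwea "%SystemRoot%\Temp\lmi-msi.log"
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo msiexec exit code %RC%
exit /b %RC%
```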
nathanwilliams, he is not running it under user logon context.
It is under computer startup now.
That should run using the computer's credentials not the user.
What I see wrong with the batch file is that the computer account would not see a mapped N drive that was mapped under the user's credentials.
ASKER
I just tried with another workstation OU to apply using the UNC and it did not work. As far as what I can see, batch only works under user configuration not computer. The app deployed fine once again as soon as I removed the batch and redirected the GPO to msi.
ASKER
We found an effective solution. Thanks guys!
Logon is user level, computer startup is the one you want.