?
Solved

GPO deploy application using computer configuration

Posted on 2010-08-17
35
Medium Priority
?
2,118 Views
Last Modified: 2013-12-12
Greetings,

I want to deploy msi applications using GPO. I want to deploy them per computer.

So I created an OU and put my domain computers into it. I created a network share on my Windows 2008 DC and set the share permission to
"Domain users - read"
"Domain computers - read"

I have also set my NTFS perms to domain users and domain computers read and execute.

I created my package in assign mode into "Computers configuration - Policies - Software Settings" using network path (\\Server\share\firefox.msi)

I activated the GPO "Always wait for the network at computer startup and logon"

I did a gpudate /force on my DC.

I rebooted a test computer to see if my gpo apply successfully. Of course it did not apply successfully.

When my computer boot up I saw that it try to install firefox but it ends up too rapidly and didn't install.

I have a log (event id 102) in my client computer that told me this :
"The install of application firefox from policy Installers
failed.  The error was : The installation source for this product is not
available.  Verify that the source exists and that you can access it."

If I try to install the software manually from the share on the client computer, it works.

I'm lost

Thank you
0
Comment
Question by:tblinc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 15
  • 9
  • 6
  • +3
35 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33455493
Are you using an .msi file for firefox?   I haven't used this but if you need an msi  for it   http://www.frontmotion.com/Firefox/

Thanks

Mike
0
 

Author Comment

by:tblinc
ID: 33455564
yes... firefox was just an exemple. I have already use it in GPO deployement in user configuration and it works perfectly.

0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33455701
Have you tried to do an RSOP.MSC on the machine in question? Does this installation fail on all machines?
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 4

Expert Comment

by:added_flavour
ID: 33455705
it should work ideally! however have you tried Disabling third party softwares on the share server or may be change the location to any other server to check the status .

Additionally you can configure Userenv logs to check what exactly is going on in the background on client machine.

thanks .
0
 

Author Comment

by:tblinc
ID: 33455866
Spec01:

I only try this on one machine. It's currently a test. I don't have additionnal computer that I may use to test this. And by the way, the computer is a brand new laptop.

Also, you want me to do a rsop on the client computer or on the server ?

added_flavour:
I' not sure I understand want you want me to do.. I cannot really disable other third party software since that it's a production server. I don't have other Windows 2008 server.

I'll check the userenv
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33455946
Please do RSOP.MSC on client computer. They is another method of retreiving GP information that can possible provide more information. It is possible that another GPO could be interfering.
0
 
LVL 1

Expert Comment

by:Jannie van der Walt
ID: 33459479
Try granting Everyone access to the share and NTFS (Everyone Read)

We still use GPO to deploy software and one of the settings I use is to configure the shares with Everyone?

Are you using a DFS? or just a straight share?
0
 

Author Comment

by:tblinc
ID: 33466362
The RSOP give me the following information.

It gives me some error notification on all the applications I try to deploy.

The install of application "application" from policy Installers
failed.  The error was : The installation source for this product is not
available.  Verify that the source exists and that you can access it

I'm using a straight share
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33466554
How deep is this Share on your network drive? I have run into issues where if the shared folder is deep in the folder structure it has failed. This hasn't happened often but something to mention.
0
 

Author Comment

by:tblinc
ID: 33467348
My share is located there : e:\Public\GPOsoftware
0
 
LVL 4

Expert Comment

by:added_flavour
ID: 33468791
I can understand the limitations  in a production env. As this is the only computer you should check userenv for a bit more in depth details .

As per the RSOP message it looks like its finding it hard to locate the package but again as you said you can install it doing \\ to the server so for sure there is something from the group policy side which is causing some issues could be any other policy which this client is trying to read , a configuration mismatch or could be a registry problem .

Thanks .
0
 

Author Comment

by:tblinc
ID: 33474996
This is what I do.

I created a new OU at the root of my domain controller. Like this the only GPO that could interfere would be the default domain controller policy.

I assigned my application and did a gpupdate /force. Once my client computer rebooted, he still try to install the application and I thought that it fails.

I went to my start menu and saw that Firefox was installed. I launched it and it ask me my preference just like the first time launch.

When I look into the event viewer, I saw the same error message :

"The install of application firefox from policy Installers
failed.  The error was : The installation source for this product is not
available.  Verify that the source exists and that you can access it"

So I removed the application from my GPO and ask to delete the application. It did it successfully.

I create another application deploy using the same MSI.. this time it didn't work.

I also try this on another computer.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33490318
Confirm that the machine account for the workstation that is applying Group Policy has at least Read access to the source files for the package that is assigned with Group Policy. You can do this by assigning permissions directly to the machine accounts, or by assigning permissions to a Security group, such as the Domain Computers or Authenticated Users group that contains the machine account.
0
 

Author Comment

by:tblinc
ID: 33531044
Confirmed.. the machine have the read permission
0
 

Author Comment

by:tblinc
ID: 33535045
I just attached the userenv log in verbose mode.

Just take a look in the attachment.
LogUserENV.txt
0
 

Author Comment

by:tblinc
ID: 33535184
I found something intersting on another forum:

"USERENV(270.714) 14:24:44:176 ProcessGPOs: Extension Installation de logiciel ProcessGroupPolicy failed, status 0x64c."

Convert 0x64c to DEC= 1612

Net helpmsg 1612 = The installation source for this product is not
available. Verify that the source exists and that you can access it.

so......

Basically 1 of 3 things thjat I can think of,

1- We are trying to hit a server that is not available for the source.

2. The computer account(?) doesn't have access to the source.

3. The policy is processing before the network is fully functional on this
machine.

As a test what happened if you give Everyone full control on the share and
NTFS permissions? Also are the permissions propogated all the way down the
share? Also are you specifying Fully Qualified or Netbios name in the UNC
path?

For item 3 try to disable XPs Fast Logon Optimization:"

----------------
In response of the questions:
1- I'm able to reach the server
2- The computer account have read and execute access...
3- it's probably the issue because my router dhcp server is very long to give ip address.

I already give domain users and domain computers full access to the share and ntfs. I'm using the netbiso name in the unc path.

And for the "disable XPs fast logon" it's already done. (GPO wait for connexion)

I'm completely out of solution....
0
 
LVL 33

Expert Comment

by:digitap
ID: 33535315
Install the user profile hive cleaner from microsoft.  Restart and see if the issue persists.  Here's the link:

http://www.microsoft.com/downloads/details.aspx?FamilyId=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
0
 

Author Comment

by:tblinc
ID: 33535624
Just to let you know, I have tested the GPO on another computer and I have the same issue.

I'll test the tool right now.
0
 

Author Comment

by:tblinc
ID: 33535657
Still no luck
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 532 total points
ID: 33535709
ok....guess i didn't realize that this was across multi workstations.  did you enable the verbose logging on the XP workstation....is that how you got the userenv.log file?  Here are those steps:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Name: VerboseStatus
Type: REG_DWORD
Value: 1 default=0
Note: Status messages will not display if the following key is present and the value is set to 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages

2) Reboot disconnected.  Note the time.  Watch the status messages to see where it is hanging.
3) After it finally boots, check the Event Log for relevant messages that were logged during the boot process and post them here if you can't identify the problem from the verbose messages and Event log errors.


Having problems with login scripts and Group Policies? You can enable verbose logging to track all changes and settings applied using Group Policy and its extension to the local computer and to users who log on to the computer. The log file, userenv.log, will be written into the %windir%\debug folder. This folder is a hidden folder. To enable verbose logging (Userenv.log):

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\Current Version\Winlogon
Name: UserenvDebugLevel
Type: REG_DWORD
Set UserenvDebugLevel=30002 is for verbose logging, UserenvDebugLevel=30001 is for errors and warnings only, and UserenvDebugLevel=30000 logs nothing.
0
 

Author Comment

by:tblinc
ID: 33535824
For the first part.. I don't see anything. the message came to fast. I've nothing new in my event viewer except the exact same error message

I already did the last part of you message about the UserenDebugLevel. If you look at the post 33535045 you'll see a log file.

0
 
LVL 4

Expert Comment

by:added_flavour
ID: 33535856
can you ping  servername -f -l 1472  from the client machine ?
0
 

Author Comment

by:tblinc
ID: 33535920
It works successfully ... see attached
ping.jpg
0
 
LVL 33

Expert Comment

by:digitap
ID: 33535940
Yeah...I know you had a userenv.log, but I didn't know if you'd used verbose with it.  Sorry...I'll look through the log and see if anything jumps out.
0
 
LVL 4

Assisted Solution

by:added_flavour
added_flavour earned 1468 total points
ID: 33536099
thats good your router seems to be working fine and not a case of blackhole router here .... well i think Software Installation CSE  logging would be more helpful here .. wot you say digitap ?

http://technet.microsoft.com/en-us/library/cc775423(WS.10).aspx
0
 
LVL 33

Expert Comment

by:digitap
ID: 33536197
@add_flavour :: The link certainly offers more logging capabilities than what I suggested.  It would provide more information for sure.
0
 

Author Comment

by:tblinc
ID: 33536239
With the Software installation CSE logging I have the following error:

Failed installation of WinZip 14.5 InstallationApp strategy. The error was:% 1612
0
 
LVL 4

Accepted Solution

by:
added_flavour earned 1468 total points
ID: 33536349
0
 
LVL 4

Expert Comment

by:added_flavour
ID: 33536357
might be helpful !!!
0
 

Author Comment

by:tblinc
ID: 33536442
@added_flavour.. this seems very intersting. The only trouble is to find the correct AAS file. Where can I find the correct one ?

I have multiple active GPO right now and I don't want to flush the wrong one.

Thank you very much, it's very appreciated.
0
 
LVL 4

Assisted Solution

by:added_flavour
added_flavour earned 1468 total points
ID: 33536537
please check following :

http://geekswithblogs.net/derekf/archive/2006/12/28/102149.aspx

http://technet.microsoft.com/en-us/library/cc782152(WS.10).aspx

i am really sorry but its 2:17 AM  right now in india ... got office tomorrow but ill surely check this thread tomorrow  ....

meanwhile i hope u can get most of it ..

Thanks .
0
 
LVL 4

Expert Comment

by:added_flavour
ID: 33540749
Any update on this ?
0
 

Author Closing Comment

by:tblinc
ID: 33560926
Thank you very much added_flavour and digitap. Your help was really appreciated.

I removed the AAS file and delete the OU and recreated it.

It works like a charm.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33560992
Great!  I'm glad we could help and thanks for the points!
0
 
LVL 4

Expert Comment

by:added_flavour
ID: 33564914
Thats Great !!   :)
0

Featured Post

Percona Live Europe 2017 | Sep 25 - 27, 2017

The Percona Live Open Source Database Conference Europe 2017 is the premier event for the diverse and active European open source database community, as well as businesses that develop and use open source database software.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question