GP and MSI installation for Conficker Removal

I'm trying to follow http://www.sophos.com/support/knowledgebase/article/67398.html
to help a customer with the removal of Conficker. I'm testing this in a VM setup right now to run a simple batch file that runs msiexec /qn /i \\[servername]\SophosCleanup\[Sophos Cleanup Tool.msi] STARTCLI=1 REBOOT=1 UNINSTALL=1. I created an OU and put an XP test PC in it and applied the Conficker policy there. When the PC reboots I get a message saying the Windows Installer package is invalid or it can't be accessed. I can run the batch file from the PC. I even tried adding an xcopy statement that creates a local folder on the PC then runs the installation from there. I still get the same thing. I've double-checked permissions etc. on the share that the MSI sits in. What am I missing?

Thanks

bciengineer Asked:
 
cantoris Commented:
"Domain computers" will need access to the fileshare when installed through a Startup Script.  That GPO setting about waiting for the network might need a couple of reboots before it takes effect so don't ditch it until you're sure.

Try assigning the batch file as a login script instead of a startup script and ensure your test user account is in that OU just as a troubleshooting step.

Are you able to paste your batch file here?

Can you not assign the MSI to computers via Group Policy software distribution?
0
 
cantoris Commented:
Where's this running from?
Computer Startup Script?
User Login Script?
Scheduled Task?

Does the account under whose context it is installing have access to the shared folder - check both NTFS and Share permissions.  Try adding "/l <logfilename.txt>" to the command line to get more info.

One more thought, try enabling the Group Policy option "Always wait for the network at computer startup and logon" (Computer - Administrative Templates - System - Logon) on your test OU.  It may be logging in with cached credentials before the network is ready and therefore unable to reach the server.  Be careful with this policy setting against wireless machines.
0
 
bciengineer (Author) Commented:
I'm trying to get it running as a computer startup script. I've tried domain administrator, domain admin which all have access to the share. I added Everyone full access, Domain Computers, System, Network etc. Also added those permissions to the GPO. I can run the same bat file from the PC and all is well. I'll check on the always wait for network at computer start. That could be it.
0
 
bciengineer (Author) Commented:
Still not working. I enabled Always wait for a network connection and enabled logging in the bat file. This is all I'm getting.

=== Verbose logging started: 5/9/2011  19:42:32  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (CC:D4) [19:42:32:413]: Resetting cached policy values
MSI (c) (CC:D4) [19:42:32:413]: Machine policy value 'Debug' is 0
MSI (c) (CC:D4) [19:42:32:413]: ******* RunEngine:
           ******* Product: avtool.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (CC:D4) [19:42:32:413]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (CC:D4) [19:42:32:413]: Grabbed execution mutex.
MSI (c) (CC:D4) [19:42:32:491]: Cloaking enabled.
MSI (c) (CC:D4) [19:42:32:491]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (CC:D4) [19:42:32:507]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (E0:F0) [19:42:32:522]: Grabbed execution mutex.
MSI (s) (E0:00) [19:42:32:522]: Resetting cached policy values
MSI (s) (E0:00) [19:42:32:522]: Machine policy value 'Debug' is 0
MSI (s) (E0:00) [19:42:32:522]: ******* RunEngine:
           ******* Product: C:\avtool\avtool.msi
           ******* Action:
           ******* CommandLine: **********
MSI (s) (E0:00) [19:42:32:522]: Note: 1: 2203 2: C:\avtool\avtool.msi 3: -2147287038
MSI (s) (E0:00) [19:42:32:522]: MainEngineThread is returning 2
MSI (c) (CC:D4) [19:42:32:538]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (CC:D4) [19:42:32:538]: MainEngineThread is returning 2
=== Verbose logging stopped: 5/9/2011  19:42:32 ===

0
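Added example (not part of the original thread, and not Sophos or Microsoft code): a short Python decoder for the two diagnostic values in the verbose log above, the signed HRESULT in field 3 of the "Note: 1: 2203" line and the Win32 code after "MainEngineThread is returning". For this log it yields STG_E_FILENOTFOUND and ERROR_FILE_NOT_FOUND. The function names are this example's own, and the lookup tables hold only a few winerror.h values.

```python
import re

# MSI internal error 2203 is "Database: [2]. Cannot open database file.
# System error [3]": field 2 is the package path, field 3 a signed HRESULT.
NOTE_RE = re.compile(r"Note: 1: (\d+) 2: (.*?) 3: (-?\d+)\s*$")
RETURN_RE = re.compile(r"MainEngineThread is returning (\d+)")

# A few winerror.h values relevant to a package that cannot be opened.
HRESULTS = {
    0x80030002: "STG_E_FILENOTFOUND",
    0x80030003: "STG_E_PATHNOTFOUND",
    0x80030005: "STG_E_ACCESSDENIED",
}
WIN32 = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1603: "ERROR_INSTALL_FAILURE",
    1619: "ERROR_INSTALL_PACKAGE_OPEN_FAILED",
}

def decode_hresult(signed):
    """Convert the signed decimal msiexec logs into an unsigned HRESULT."""
    value = signed & 0xFFFFFFFF
    return value, HRESULTS.get(value, "unknown")

def triage(log_text):
    """Return decoded 'note' and 'return' findings from a verbose MSI log."""
    findings = []
    for line in log_text.splitlines():
        m = NOTE_RE.search(line)
        if m:
            value, name = decode_hresult(int(m.group(3)))
            findings.append(("note", int(m.group(1)), m.group(2),
                             f"0x{value:08X}", name))
            continue
        m = RETURN_RE.search(line)
        if m:
            code = int(m.group(1))
            findings.append(("return", code, WIN32.get(code, "unknown")))
    return findings

# Lines copied from the log posted above.
SAMPLE = r"""MSI (s) (E0:00) [19:42:32:522]: Note: 1: 2203 2: C:\avtool\avtool.msi 3: -2147287038
MSI (s) (E0:00) [19:42:32:522]: MainEngineThread is returning 2
MSI (c) (CC:D4) [19:42:32:538]: MainEngineThread is returning 2"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```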
 
canali Commented:
Startup scripts run with NT Authority\System privileges on the local machine and the permissions of the computer object elsewhere in the domain. Grant rights to the computer object or to a group like Domain Computers.

OR put the file in the sysvol share that has computer object read permission.

These directories can be accessed by a startup script:
\\your.Domain.Name\sysvol\your.Domain.Name\scripts
\\your.domain.controller\NETLOGON


Bye Gastone
0
 
bciengineer (Author) Commented:
I just tried putting the msi file in the sysvol directory where the script is located. I double checked that domain computers has full rights along with this test pc. I'm still getting the MainEngineThread is returning 2 at the end of the log which basically means access denied. I'm fixing to try it as a login script.
Here's the batch file info
msiexec /qb /i \\X.X.X.X\sysvol\domain.com\Policies\{2787F521-6E40-48D2-846B-6A880E192959}\Machine\Scripts\Startup STARTCLI=1 /l*v c:\conficker.txt

0
 
bciengineer (Author) Commented:
I just moved the MSI file to a share on a member server running file share services. I created a new share, gave Domain Computers, Everyone, Authenticated Users, Network and System full access, changed my startup script to point to the new location and rebooted the test PC, and what do you know, it WORKS! I had the same permissions on the share I created on the DC. I haven't a clue why it would work there.
0
 
bciengineer (Author) Commented:
Just got lucky with moving it to another file server and it works from there so I'm happy. Not sure why it wasn't working on the DC.
0
Question has a verified solution.