Solved

WIN 2008 - BEST WAY TO UNINSTALL GPO DEPLOY SOFTWARE

Posted on 2011-09-08
92
828 Views
Last Modified: 2012-06-27
Ive successfully installed some software via GPO as a test!

What is the recommended way to remove the software ?

No expert appears to be able to answer this one and 'youtub' only shows installing software and mentions about 'add/remove programs', surely that can't be the preferred method?

It took me 3 weeks to resolve how to install and I hope I can resolve how to install today if anyone is listening!!

please please
0
Comment
Question by:mikey250
  • 58
  • 26
  • 8
92 Comments
 
LVL 11

Accepted Solution

by:
Ove earned 417 total points
ID: 36506909
you may simply remove the msi-file from your gpo.
When removing the msi-file inside your gpo you're asked if the software should be removed from the clients or if it may remain on the clients. There you may simply select "remove"

Ove
0
 

Author Comment

by:mikey250
ID: 36508630
Hi Ove,  Ok, yes I realise this as I added it in there, but if there was a whole host of apps to be installed and rather than deleting all I thought there was a way of selecting 'Disabled' to do this or something!!!

So when I selected 'Computer configurations - Disabled' - what does this do then?
0
 

Author Comment

by:mikey250
ID: 36509042
Hi Ove, software has simply been removed from GPO although GPO still there obviously unless I delete that too, but software is still located on host pc!!!!!!!!

Yes when I removed software from GPO on server it gave me 2 options and I selected to uninstall it.

I also ran a: gpupdate /force and rebooted server and host pc, still to no avail!!
0
 

Author Comment

by:mikey250
ID: 36509137
This Win 2008 GPO is a complete joke!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Ive now removed completely the GPO, ran: gpupdate /force and also rebooted the server fully while host pc was switched off but still host pc holds software!!!!!!!!!!!!!
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36509232
the normal way you described in your 2nd answer (ID: 36509042): remove the msi-software-installation-packets from the gpo but don't delete the gpo itself. Then - normally the client pc's should uninstall the software after the next reboot.

Due to the fact that you know have deleted the whole GPO we don't have any chance to use this normal feature of uninstallation.

The only solution i do NOW see is to create a MSI-Packet which uninstalls your software.

There is a tool available for free which helps you in such cases. Unfortunately this is only available in german language - so documentation (which is SIMPLE) is only available in german language.
The tool is named "Silent2MSI" and is available here:
http://www.realschule-ehingen.de/index.php?menuid=77&reporeid=88
With this tool you are able to put the uninstallation-code into a MSI-package which you may distribute via GPO :-)

The only configuration needed for this procedure is ONE line inside the s2m.ini under the following line :
[install]
msiexec /x {Package | ProductCode}

*********************************************
For help of msiexec read:
To uninstall a product
Syntax
msiexec /x {Package | ProductCode}

Parameters
/x
uninstalls a product.
Package
Name of the Windows Installer package file.
ProductCode
Globally unique identifier (GUID) of the Windows Installer package.
Remarks
Windows Installer command-line options are not case-sensitive.

For more information about the Windows Installer command-line options, see Related Topics.

Examples
To remove or uninstall a package, type:

msiexec /x Example.msi
*********************************************

So if this is an option for you i may provide you further help for this problem :-)

Ove
0
 

Author Comment

by:mikey250
ID: 36509324
Ok well what I will do as this is just a test server, I will just access 'Add/Remove programs' and delete that way.
- Once done i will create another gpo and install like before - Then get back to you if that is ok in about 10 mins and then I wouldn't mind trying out your 2nd suggestion?
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36509408
you might test the "normal" way.
- Install msi via gpo
- remove msi from gpo
- reboot (maybe try gpupdate /force on the client)
- may be 2nd / 3rd reboot needed before updated gpo is applied
- gpresult (see if the new gpo (without msi) is applied

If the automatic uninstallation isn't working you should try to find the reason for that...

Have a look into the event-logs of the client.

Ove
0
 

Author Comment

by:mikey250
ID: 36510044
Hi Ove,  I have always done as you say: As per previous thread I have already uninstalled software from host pc and re-created a fresh GPO again ensuring all 'domain users' is added within GPO tabs etc then carried out the following:

install msi via gpo
removed msi from gpo - As you suggested earlier so I installed back as per previous thread
Ive checked Eventviewer on host pc - Which shows a GPO error so I do a: gpupdate /force on client which corrects GPO.   I then reboot host pc but still software not installed.

I think I will have to reboot my server at least 3 times before switching host pc back on, as always when Im messing about it always does eventually install software, BUT CAN NEVER FIGURE OUT HOW I DID IT!!!!!!!!!!!!!!!

I have looked in the Software specific GPO and clicked on 'Details tab' which shows a report and everything looks ok as glanced at this before!!!!!!!!

I have just ran: gpresult /r - and scrolling down Ive noticed it states:

RSOP data for Domain name\Administrator on Servername : logging mode:
- Connected over slow link? - No - Even though I have also selected this option in GPO\Edit activating instead of default 500 but changed anyway to 1000. - So this does not make sense to me?

Computer settings:
- Group policy slow link threshold: 500 kbps - But I thought above was set and not as it states here?
- Domain type: Windows 2000 - My OS is Windows 2008 only no others attached - ?

The following GPOs were not appliedbecause they were filtered out:

Software:
- Filtering: Not Applied (Empty)
Local Gp Policy
- Filtering: Not Applied (Empty)
Software Users
Filtering: Denied (Security)

I do not know why this above says what it does as NOT the case as I have successfully installed yesturday.  I am going to switch off host pc and reboot server 3 times or so!!!!!!!

And get back to you as these results above are a mess!!!!!!!!!!
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36516173
Hi!

one moment :-)

A GPO consists of two parts (computer-configuration and user-configuration).
In which part did you add your msi-package as "softwareinstallation" ?

Normally i do install Software inside the computer-part. And then you will not have to add "Domain-Users" but "Domain-Computers" - or (better) create a new group inside your active-directory named "Softwareinstallation-XYZ" (with XYZ being the name of your software). And then add the Domaincomputers/Computeraccounts which should get the software as "members" of the group.
Then add this new group to your GPO instead of "Domain-Users".
Via this way you're able to granulary add software only to special computers - and not to everybody inside your environment. But if you're planning to install software to EVERY computer inside the AD-OrganisationUnit then you should add "Domain-computers" to your GPO.

And:
If you added the softwareinstallation inside the user-part of your gpo then you should be aware that "Domain-Administrators" are normally exept from overtaking the gpo by default. So gpo's are normally NOT applied when logging in as administrator. This behaviour is for security-reasons.

Ove

0
 

Author Comment

by:mikey250
ID: 36516246
Software was added in Computer configuration only!

Ok Not Domain Users but Domain Controller - Ok I will remove Domain users and add Domain Controller!!

In AD I created a group and I then added the Domain Users in that group - but does the name of the AD Gp need to be the exact name although I presume no so presumably what I have done is ok ?

Note:  The only reason why I added as 'Domain Users' was just for the purposes of knowing how to successfully install the software which has worked last week once, but since removing from Add/remove programs on Host pc, I then created a new GPO etc but for some reason cant get it to install again, so Ive obviously missed something...!!!

You use the word 'granular' so if you mean it 'ENSURES' it works then OK

If I wish to add software to all users within AD then I should add Domain computers - OK

I created a Domain user account instead of using Admin account to install - because as you suggest gpo's are normally NOT applied when logging in as administrator.

I will try in an hour or so today!!

Thanks for your comments.

Ive done what I did before when installing software BUT NOT SURE WHERE I HAVE GONE WRONG!!!!!!!!!!  As in Eventviewer on server it showing for example, even after 6-7 restarts of server and then I restarted completely host pc but still no software installed.

Software:
- Filtering: Not Applied (Empty)
Local Gp Policy
- Filtering: Not Applied (Empty)
Software Users
Filtering: Denied (Security)

Why are the above changing Denied to Allow etc ?????????
0
 
LVL 11

Expert Comment

by:Ove
ID: 36516306
you're mixing up things...so we should start from the beginning.

Do you want to install software to clients, or domain-controllers ?

Above you're talking about domain-controllers...that puzzles me...

So..slow from the beginning :-)

Ove
0
 

Author Comment

by:mikey250
ID: 36516326
Hi Ove,

Yes I wish to install to software clients hence created a user domain account.......hence adding domain users only just to test!!!

No I am referring to domain users..!!
0
 

Author Comment

by:mikey250
ID: 36516328
Dont forget I have already done it twice before over the last couple of weeks, but in between doing 'gpupdate /force' on server, then restarting host pc still did not allow install this time round!!!!!!!
0
 
LVL 11

Expert Comment

by:Ove
ID: 36516329
ok...did you put the Computer-Account(s) of your client(s) into a new added OrganizationUnint inside Active Directory, or are they still located under "computers" inside the "Domain Users and Computers" mmc ?

Ove
0
 

Author Comment

by:mikey250
ID: 36516330
What if i send images of AD and then GPO stage by stage?
0
 
LVL 11

Expert Comment

by:Ove
ID: 36516334
yep..pls do so

Ove
0
 

Author Comment

by:mikey250
ID: 36516342
I decided not to create an OU for the time being just created a 'group'

I then created in AD Users folder a 'group folder'...
I then created in AD Users folder a user account...
I then added the user account to the 'group folder...
I have not added this into the Computer container where the host pc is sitting..
0
 

Author Comment

by:mikey250
ID: 36516344
Just switching server back on..
0
 

Author Comment

by:mikey250
ID: 36516360
My 3 days has run out as was going to add the 'product keys' I have but now it states 'restricted access'......:(

There was a reason for leaving it for the 3 days as I appeared to be losing services/stopping hence nightmare with GPO.  I should have done it this morning.... Unless you know how to allow me to try these product keys i have?

I did not want to have to use - 'slmgr.vbs -rearm'........
0
 
LVL 11

Expert Comment

by:Ove
ID: 36516392
?
Why not add your product key now ?
Do you only want a TEST-Server without activation ?

Ove
0
 

Author Comment

by:mikey250
ID: 36516416
Hi I would normally do start, right click 'computers', properties and in there I would be able to click to change 'product key' if the 2 I have work, but it says now access restricted so dont know how now...

Ive just done 'slmgr.vbs -rearm' thinking this would resolve this after the reboot but it did not but Im hoping this command will not stop intermitantly services so Im trying to hurry up now and send you the pics..

Yes this is just for test purposes so I practically know what to do..
0
 

Author Comment

by:mikey250
ID: 36516603
Hi Ove,  apologies for taking so long had problems copying them and putting in Winzip see attache images!

thanks!!!!!!!!!!!!!
gpo-images.zip
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 83 total points
ID: 36516664
You can run a script also if for whatever reason removing the MSI from the GPO (Not the GPO completely) does not work.

You will need to find the Installer Hash  and run MSIEXEC /X "{IdentifyingNumber}" /qb

Put that in a startup script or shutdown  and you should be successful.

To find the hash run WMIC CMD from a computer that has the installed program.

c:\wmic
Type Product  
This will give you a list of all applications installed on the computer.
Find the application and scroll to the right and when you he the Product hash Mark it and paste it into your startup script.



Example: msiexec /x "{9842DA33-4DCD-4AFC-8C4B-29AC751E50AC}" /qb
 
0
 
LVL 11

Expert Comment

by:Ove
ID: 36516723
so..
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36516755
so...

pic1.docx: your client MICK-PC should NOT be a member of "Domain-Users"...only "Domain Computers"
pic4.docx: your gpo's do not need to be "Enforced: Yes"...it should be "Enforce: No"
pic9.docx: remove "Domain-Users" and add "Domain Computers"

then - on reboot - MICK-PC should install your Word Viewer Application.
Then - if you remove die word-viewer.msi (pic11.docx) then it should be uninstalled from MICK-PC on the next reboot(s).

Ove
0
 

Author Comment

by:mikey250
ID: 36516832
Hi yo_bee, I would like to get this GPO working normally without scripts first of all so at least I know the basic way.  Scripts is something I wish to know more about at a later date but thanks!
0
 

Author Comment

by:mikey250
ID: 36517051
Hi Ove,  I made those changes and rebooted server 4 times and checked 'Eventviewer', but still the 'software' added is still showing as denied.   Ive double checked to see Ive made your changes and they are still there!! I will come back to this tomorrow morning!!! Not sure if you will be up at that time!!!

I will keep at it anyway as not giving up til I know at least one way of doing things before I even move onto 'Scripting'!!!

Most appreciated for your time anyway!!!!!!!!!!!!!!!!!!!

0
 
LVL 11

Expert Comment

by:Ove
ID: 36517095
we#ll get it up and running - even if it takes some time :-)

Ove
0
 

Author Comment

by:mikey250
ID: 36518692
Morning Ove,  just switching on server now to have another look and check of all settings but at least you appear to be happy after looking at my images and providing I made those changes of yours you suggested yesturday!

Is it the case that depending on changes and confusion within the system/cache or whatever that it may take a series amount of rebooting or should I just leave the server onto adjust itself and untangle itself?

I presume the 'Eventviewer' should actually state: allowed and not Denied?
0
 

Author Comment

by:mikey250
ID: 36518694
I would like to know why this command does not work on the server:  'gpupdate /target:mick-pc | jfoster' - ?
0
 

Author Comment

by:mikey250
ID: 36518836
Hi Ove,  I wanted to check as I have had the internet connected last Friday which is a 'Netgear router', which is also acting as a DHCP Server.

I have also configured my Server as a Win 2008 server and added the 'Reservation Mac Address' within the DHCP, so can this be an issue?

By the way I have completely deleted the user account GPO etc and 'shutdown' server.
Ive now switched server back on and checked 'Eventviewer' and GPO's have now gone as the only one showing by default 'Local Gp Policy' Not Applied!!

Im going to start again as per the images I sent you, ensuring the issues you pointed out are also added as below:

pic1.docx: your client MICK-PC should NOT be a member of "Domain-Users"...only "Domain Computers"
pic4.docx: your gpo's do not need to be "Enforced: Yes"...it should be "Enforce: No"
pic9.docx: remove "Domain-Users" and add "Domain Computers"

Then reboot if neccessary and then check Server 'Eventviewer' to ensure GPO's have been applied, once I get to this point before switching host pc on I will come back to this site and see if you have responded otherwise or not thats if your awake as it is Sunday rest day!!
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36524559
your postings are a little bit puzzling to me :-)
there is a well known slogan: 99% of all active-directory-problems have their reason in DNS-errors/-problems.
So..do you only have ONE DHCP-server inside your environment, or several?
Are the DNS-info's on all dhcp-servers the same? -> pointing to the domain-controller, which has to be dns-server ?

What is the ip-address of your domain-controller?
Pls post a "ipconfig /all" of your client MICK-PC

Ove
0
 

Author Comment

by:mikey250
ID: 36529712
Hi Ova im back!!
0
 

Author Comment

by:mikey250
ID: 36529808
Originally my setup was the following:

- 1 x Win Server/DC/Dns/Dhcp integrated with SP2 only
- 1 x switch
- 1 x host pc for testing

Note: I had my new internet connection added last Friday with my Local ISP!

So it is now the following:

- 1 x Netgear router - which was running as the 'Master' but I did not realise, but have since 'Disabled' this allowing the 'Below' server to be the 'Master'
- 1 x Win Server/DC/Dns/Dhcp integrated with SP2 only
- 1 x switch
- 1 x host pc for testing

Note: I have since removed 'Dhcp and Dns' entries after the above changes so everything is ok as far as 'Dhcp & Dns' are!!

Note: I have since deleted 'OLD' GPO from both AD & GPO Server and 'RECREATED' NEW ONES ADDING AN OU' aswell, then carried out the below:

1. I have been making changes to the GPO on the server and not doing: gpupdate /force ACTUALLY ON THE SERVER
2. After changes on server above I switch host pc on and logged on with 'normal domain user acount' then ran: gpupdate /force.

The eventviewer on the 'Server' stopped showing the 'OLD' GPO, and showed the 'NEW' GPO, but it has gone back to showing the 'OLD GPO'!!!!!!!!!!!!!

May I point out I sucessfully 'Prohibited the control panel' on host pc - in my 1st GPO!

I then created a 2nd GPO specifically under: Computer configuration!!

I think that the way Ive configured AD on both User account for 'prohibit of control panel' and the way Ive configured the 'GPO Software' for Domain Controller has caused this issue also, Im not sure when or when not to use 'gpupdate /force' or with what account I should be using on the host pc???
0
 

Author Comment

by:mikey250
ID: 36529823
No errors in DNS!!!
0
 

Author Comment

by:mikey250
ID: 36530106
I think Ive lost services intermitantly as on saving an image so that I can give to you it wont let me select a folder for it to go in!
0
 

Author Comment

by:mikey250
ID: 36530362
As I think some services dont work and it wont let me actually save images although it did before as one instance.  I think I am going to have to do a clean re-install as you maybe busy anyway and at least do No 1 below but leave No2 until you return hopefully!!

1. I can with no problems 'prohibit the control panel with 1 x GPO!!!!!!!

2. I appear to become stuck when it comes to installing GPO Software the correct way!!!
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36532617
due to the fact that it's all TEST-environment you should make a reinstall and then come back to your initial question here: "BEST WAY TO UNINSTALL GPO DEPLOY SOFTWARE".

We can't make a fully online-support for the whole active-directory-usage and gpo-usage :-)

Pls prepare your environment to come back to the initial question ...that would make things much easier for us :-)

Ove
0
 

Author Comment

by:mikey250
ID: 36534337
Morning Ove,  Yes I re-installed lastnight but will do this morning create a 'DC'!!!

What I wish to know is once a 'DC', within GPO server am I supposed to create 2 GPO's:

qns1. 1 x GPO for the user configuration where the 'redirection folder' goes?
qns2. 1 x GPO for the software to go ie - computer configuration?
qns3. Or is both above in same GPO?
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36534368
i would create two GPO's

Ove
0
 

Author Comment

by:mikey250
ID: 36534412
GOOD Ive been thinking about this all night and could not get to sleep as been repeating this for 3 weeks 7 days a week belive it or not!!!!!!

I will come back to you soon as just woke up and need to have breakfast and cup of tea.!!!!! If thats ok!!!?
0
 

Author Comment

by:mikey250
ID: 36534986
Hi Im back now!!
0
 
LVL 11

Expert Comment

by:Ove
ID: 36535010
remember: this is NOT twitter :-)
So pls do only post technical facts and not the ongoing life ;-)

Ove
0
 

Author Comment

by:mikey250
ID: 36535400
Hi Ove,  As Ive reinstalled a clean OS as a Win 2008 DC/Dns/Dhcp integrated with SP2 ive also done the following:

My Netgear router also has the ability to act as the DHCP Server which I have disabled!! It was using the class C reserved address but my DC server is now master with a static ip address:

Server
ip: 192.168.0.10
sm: 255.255.255.0
dg: 192.168.0.1
dns: 192.168.0.1

Im not sure if I should use the 'dns' from the image attached as the correct way of doing things ie public primary/secondary dns?
netgear-gui-settings.docx
0
 

Author Comment

by:mikey250
ID: 36535443
Hi Ove,  correction on previous thread my dns is: 192.168.0.10 not 192.168.0.1..!!
0
 

Author Comment

by:mikey250
ID: 36535483
Hi Ove,  I just thought I wouldn't need my default gateway in this situation would ie due to my server getting its internet access via the Netgear router anyway?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36535555
if your network is small (only some machines) you do NOT need DHCP.
Simply give all machines static-ip-addresses.

If machines should get internet-access you have to add the gateway-address (of your netgear-router) as default-gateway on the clients (and your server).

The DC must be DNS-server. Pls set the address of the DC into your client(s) as DNS-server.

But for your gpo-scenario you do not need internet-access...so you can safely ignore all the internet stuff. Simply give ip-addresses (static or dhcp - doesn't matter) to your client(s).

Ove
0
 

Author Comment

by:mikey250
ID: 36535768
Hi Ove,  I will create another thread for your extra comments as dont agree!

Just for purposes of practically knowing what to do is all it is about so I will continue with the DHCP server..

I will go back now to the GPO Software issue as also attached what I have done so far as dont wont to jump ahead of your direction!!!!!!!!!!!!!
images.zip
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 36535779
@Ove
Why would you ever use Static IP for a client machine.
You are asking for more admin work then needed.
If DHCP is setup with the proper Options you should not have to worry.

Option name:
003 Router <Netgear IP>
006 DNS <all DNS Servers>


I to not agree with OVE.
0
 

Author Comment

by:mikey250
ID: 36535826
Hi yo_bee I was going to create another thread around that as it I wish to delve in a little deep so I understand that scenario! I will keep this thread though relating to the main thread of this issue I have once 'Ove' hopefully gets back to me so I can once and for all know exactly what to do to install GPO Software, which I have successfully done but dont know how so trying to find the exact steps I need instead of 100 to get to same goal!!
0
 

Author Comment

by:mikey250
ID: 36535839
Hi yo_bee, in 'Ove' defence it was reference to a really small LAN, so I suppose why not add static ip addresses which in turn stops the configuration of dhcp in turn saves on server resources!!!
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 36535873
Small , Mid, Large DHCP is a better way to go.
It is easier to manage and maintain.  
0
 

Author Comment

by:mikey250
ID: 36535952
Hi Ove, Im still puzzled as when configuring a GPO for the 'Redirection of folder' and 2nd the GPO for software deploy Im puzzled as when or when not to add either 'Domain computers or Domain Users or specific user or all in AD or GPO?

0
 

Author Comment

by:mikey250
ID: 36535958
Hi yo_bee I have not added that new thread but will do!!!
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36535997
let's focus on the gpo used to install and uninstall software via msi-files.

ToDo:
1.) create a OrganisationUnit for your Hardware (Clients).
2.) Move your client (computer-account) into that OU
2b.) btw. the computeraccount is created when joing to domain with the client
3.) Create a GPO inside that Hardware-OU with a softwareinstallation of an msi-packet inside the computerpart of the gpo
4.) Add "Domaincomputers" to the Securityfiltering of the gpo
5.) reboot your client (or issue "gpupdate /force" some times) , maybe also do reboot twice
6.) Your Software should be installed on the next reboot
To uninstall the software do the following:
1.) remove the msi-packet from your gpo
2.) when asked answer : uninstall software from clients
3.) reboot your client (or issue "gpupdate /force" some times) , maybe also do reboot twice
4.) Your Software should be UNinstalled on the next reboot

Pls try this...

Ove
0
 
LVL 11

Expert Comment

by:Ove
ID: 36536056
see this two images from my site:
 gpo01
 gpo02
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 83 total points
ID: 36536064
Here is a link to another thread I added some comments to.  It is relivant to your question about Folder Redirection.
http://www.experts-exchange.com/Storage/Backup_Restore/Q_27044543.html.  I copied and pasted the Snippet of my comment about it below.
Hope this helps with addressing that part of the question.    

 
ID:35786402                 Author:          yo_beeDate:05/18/11 11:20 AM      Assisted Solution  

Yes.
Windows 7 Forlder Redirection  GPO setting is more manageable.
There is a setting under  Users Configuration > Policies > Folder Redirection
This is were you make the setting.
What happens is the registry on the clients computer is modifies to point to a UNC rather than a local location on the c:\

This setting will give the users access to their Desktop, Docuement, Favorites..etc.  


http://technet.microsoft.com/en-us/library/cc753996.aspx
http://technet.microsoft.com/en-us/library/cc732275.aspx
http://technet.microsoft.com/en-us/library/cc771969.aspx

Mind you if you are running Active Directory 2003 you will need to download and install RSAT on your Windows 7 machine and add the GPM feature or run this from a Windows Server 2008 GPM feature enable.

If you do not you will not get the added options that are offered with the ADMX

   

http://technet.microsoft.com/en-us/library/cc771969.aspx

Mind you if you are running Active Directory 2003 you will need to download and install RSAT on your Windows 7 machine and add the GPM feature or run this from a Windows Server 2008 GPM feature enable.

If you do not you will not get the added options that are offered with the ADMX
   

0
 

Author Comment

by:mikey250
ID: 36536359
im in process of following your 1 - 6 instructions Ive just had to log back onto internet to get the extract commands to convert my wordviewer.exe to .msc.

Ive always been able to add 'Redirection folder' and 'prohibit control panel.

It is when creating the 2nd GPO for the software it dont work

Ive have stumbled upon a query that confuses me in GPO server!!!!!!!!!!!!

Within AD OU - the folder Ive created called 'Group1' is just known as a 'Group'?

In the GPO Server does the GPO have to be the same name as the 'Group' in AD, Im assuming not?
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36536422
Within "Active Directory Users and Computers" you have to create e new "Organisational Unit" - not a new group!
To apply gpo's to ALL computers inside your OU add "DomainComputers" (compare gpo01.png above).

Ove
0
 

Author Comment

by:mikey250
ID: 36541331
Hi Ove,  Ive always told you Ive already created an OU!!!
0
 

Author Comment

by:mikey250
ID: 36541334
Then I created a user account and put inside OU as per your instruction!!
0
 
LVL 11

Expert Comment

by:Ove
ID: 36541335
pls provide new screenshots.

Ove
0
 

Author Comment

by:mikey250
ID: 36541340
What about rights/permissions on AD and GPO?  I did set this later to Full access but has not made no difference.  Rebooted pc 3 times and run gpupdate /force - which is ok in Eventviewer but no software installed!!
0
 

Author Comment

by:mikey250
ID: 36541561
Hi Ove, I will send what you want step by step!!
pic1a.docx
pic2a.docx
0
 
LVL 11

Expert Comment

by:Ove
ID: 36541596
pls provide screenshots from the Group Policy Management Console showing the OU "Computer" with the attached GPOs
and show all tabs of your gpo used for the softwareinstallation

Ove
0
 

Author Comment

by:mikey250
ID: 36541760
Hi Ove,  see attached images that you requested so far!
images-gpo.zip
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36542063
to make your GPO work on your MICK-PC you'll have to move the computeraccount MICK-PC from "Computers" to your OU "HR3". Only then the GPO1 will apply to MICK-PC.

pic10a.docx: Select "Uninstall the applications when they fall out of the scope of management"


Ove
0
 

Author Comment

by:mikey250
ID: 36542546
Hi Ove, Request completed, see attached!  -  Procedures just done in following order:

1. Moved Computer to OU - closed AD and rechecked - All good
2. Opened GPO Server and ticked boxes x 2 on left window properties and right window properties for 'Uninstall the apps when they fall out of scope of management
3. logged onto host pc with user account still no software installed
4. Ran - gpupdate /force - on host pc
5. Restarted host pc 'twice' and logged on with user account still no software
6. Shutdown host pc and restarted Server
7. Opened 'Eventviewer' on host pc for and 'App issue'
8.  Gp policy ok, but in Eventviewer 'Application' shows issues with GPO Software referencing 1612
9.  No changes appear to affect Server Eventviewer.
pc-moved-to-OU.zip
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36542825
pls check the info from here:
http://www.minasi.com/forum/topic.asp?TOPIC_ID=26294

Ove
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36542828
0
 

Author Comment

by:mikey250
ID: 36543154
Hi Ive looked at the url's you mentioned and yes I have read simular info but wanted to stick with your guidance as I have installed GPO Software a week ago twice but couldnt remember how I did it except that I may have gave admin rights instead of user rights and this worked successfully without the need for these extra additions.

As I have now input these images I am going to reboot server in following order:

- Restart host pc
- run: gpupdate /force but if this does not work
- I will then restart host pc twice
- Then check host pc Eventviewer again

Gp-policy-refresh-interval.docx
GP-slow-link-detection.docx
Network-directories-to-sync-at-l.docx
User-configuration-extra-setting.docx
0
 

Author Comment

by:mikey250
ID: 36543204
Hi Ove, I have not done anything to the host pc yet, but sending the last change as image now before I do in a few mins!!
Always-wait-for-network-at-pc-st.docx
0
 
LVL 11

Expert Comment

by:Ove
ID: 36543342
pls disable all other gpo's - and do only user GPO1 for testing of software-installation.

Ove
0
 

Author Comment

by:mikey250
ID: 36543806
Hi Ive added the last images at end of process again.  You sent one url about: appmgmt.log

This url mentions about application management, but I dont think it is refferring to my particular error as the error I get states: 1612..!

http://support.microsoft.com/kb/315809

I will though now remove the 1 other GPO I have running which happens to ONLY run the 'redirection folder' for roaming profiles and that is it!!
host-pc-gp-policy-ok.docx
host-pc-eventviewer-1.docx
host-pc-eventviewer-2.docx
host-pc-eventviewer-3.docx
host-pc-eventviewer-4.docx
0
 

Author Comment

by:mikey250
ID: 36543819
Ive done the following on the host pc

- restarted host pc once
- ran: gpupdate /force
- restarted pc twice but still no software
0
 

Author Comment

by:mikey250
ID: 36544301
Hi Ove,  I deleted the 'USER' for the 'Redirection folder' can create another next time.  Im assuming to 'Disable' a GPO I should untick 'Link Enabled' ?

Should the 'GPO1' also be placed under 'ITSOLUTION.CO.UK - ?
host-pc-gp-policy-ok.docx
host-pc-eventviewer-1.docx
host-pc-eventviewer-2.docx
host-pc-eventviewer-3.docx
host-pc-eventviewer-4.docx
gpo-1-only.docx
0
 

Author Comment

by:mikey250
ID: 36544315
Hi Ove,  I will return tomorrow as had enough today!!!!!!!!!! thankyou for your patience!!!!!
0
 

Author Comment

by:mikey250
ID: 36544365
Hi Ove,  I was just wondering when I 'Edit' computer configuration just for 'Deploy software', is that all I touch, or do I also access User configuration in same GPO for all those other changes I made specifically, but only in the 'GPO USER' for the 'Redirection folder' etc?
0
 

Author Comment

by:mikey250
ID: 36544388
All I have done specific to:

Computer configuration - Added software and not made any other changes anywhere in this GPO...
User configuration - Added 'Redirection folder and those other network settings I sent earlier to do with logging on and off and roaming sync etc..

And nothing else
0
 
LVL 11

Assisted Solution

by:Ove
Ove earned 417 total points
ID: 36546090
Strange problems on newly installed machines :-O
The location of the GPO1 under "HR3" is absolutely OK.

So...at the moment neither the software is being installed nor uninstalled to your MICK-PC, right ?

I think due to the complexity of your problems it might be better to read some more basic "Getting started literature" - even if that sounds boring to you.

I think http://en.wikipedia.org/wiki/Group_Policy might be a good starting point - especially the link at the bottom: http://technet.microsoft.com/en-us/library/hh147307(WS.10).aspx (Group Policy for Beginners).

Sorry that was unable to help you - maybe another EE member might point you to the right direction.

Hope you'll get better help!

Ove
0
 

Author Comment

by:mikey250
ID: 36548337
Morning Ove,  Yes that is correct no software installed on Desktop or when I click 'Start', which is where I have seen it before when I think I made everything 'admin'.....

I have been reading boring literature and although you sent me those extra links to do with 'Sync logon/logoff' etc I already had those details but wanted to follow your lead!!!! As last time I successfully installed the software I did not have to input any of those extras!!

Im reading those 'Urls' now but may take sometime so was gonna leave this 'thread' open for sometime???

Thankyou for your help anyway at least I know Im on the right track!!!!!!!!!!!!!!!!! Im thinking of giving 'full access' completely everywhere or installing by 'Admin' and then checking!!

There maybe something stuck in the 'Registry' that needs to be removed due to previous changes!!
0
 

Author Comment

by:mikey250
ID: 36548703
Hi just a note for my thread as still reading the 'url's sent previously:  

So, what happens if multiple GPOs contain the same setting? This is where order of precedence comes into play. In general, the order in which Group Policy applies GPOs determines precedence. The order is site, domain, OU, and child OUs. As a result, GPOs in child OUs have a higher precedence than GPOs linked to parent OUs, which have a higher precedence than GPOs linked to the domain, which have a higher precedence than GPOs linked to the site. An easy way to think of this is that Group Policy applies GPOs from the top down, overwriting settings along the way. In more advanced scenarios, however, you can override the order of precedence.

You can also have—within a single OU—multiple GPOs that contain the same setting. Like before, the order in which Group Policy applies GPOs determines the order of precedence. In Figure 2, you see two GPOs linked to the domain corp.contoso.com: Windows Firewall Settings and Default Domain Policy. Group Policy applies GPOs with a lower link order after applying GPOs with a higher link order. In this case, it will apply Windows Firewall Settings after Default Domain Policy. Just remember that a link order of 1 is first priority, and a link order of 2 is second priority. You can change the link order for a container by clicking the up and down arrows as shown by callout number 2 in Figure 2.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 36549444
@Mikey
Are you just putting the path for the MSI for office?

i.e  \\Server1\software\<ofice2003>.msi
0
 

Author Comment

by:mikey250
ID: 36549824
Hi yo_bee, when I locate the path it is the 'network path ie - \\servername\software\wordviewer\wordview.msi - for example.

Ive just done a clean re-install of Win 2008 and back on domain integrated with SP2 and done a clean install of my Win 7 host pc with the first lot of detected updates...

Ive now done the following in this order:

- Created OU
- Created  - 'user account' in OU and completed profile tab path ie - \\servername\profile\%username%
- Created - c:\profile - and gave 'Full access in Shared & Security tab'
- Software has been converted from '.exe to a .msi'
- Created - c:\software - and copied software to folder - Then gave 'Full access in Shared & Security tab'

My intention is now to do the following in this order:

- Join Win 7 host pc to domain
- Switch Win 7 host pc off
- Log back onto server and 'Move' Win 7 host pc into 'OU' previously created as above
- Will then add 'Domain computer' to 'Member of' tab in 'user account' - I think...........!!
- Will open GPO Server and see that automatically the 'OU' previously created has appeared, so will right click and select Create a GPO in this domain and link it here..
- I will then right click GPO/Edit and install software
- Switch host pc on and if not installed
- run on host pc - 'gpupdate or gpupdate /force'
- reboot and logon twice without running 'gpupdate or gpupdate /force' again

Will see what happens
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 83 total points
ID: 36550016
I saw that you has Office 2003 in one of the packages.  That might be failing due to a lack of answers (i.e. product key, whether excel is installed...etc..)
When you try wordview.msi  are there any other prompts that are asked other then the standard agreement to EULA, NEXT, NEXT, NEXT when you install this manually?
Sometime the MSI will need product Keys or what not entered.

OFFICE 2003 has Custom Installation Tool that you can download
http://office.microsoft.com/en-us/office-2003-resource-kit/custom-installation-wizard-HA001140170.aspx

This will create an answer file for Office 2003.  
0
 

Author Comment

by:mikey250
ID: 36550104
Hi yo_bee I have actually installed this 'office 2003' before on same host pc but not sure exactly what I did thats why repeating to find exact procedure although struggling now!!!!

I have a blank Win 7 OS currently with no Office or Office 2010, just like before.  Once Ive proved I understand the process then I was going to delve into other ideas!!!!

Appreciated for the url you sent!!

Not joined domain yet as took a break!!!
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 36550190
The tough this with Office 2007/2010 is that there is no MSI files for install.
You need to run the install from the setup.exe file.  This proposes an issue when trying to push via GPO.
Note: Office 2007/2010 come with the Custom Installation Wizard (Office Custom Tool) so yo can create the various transform files.
you run Setup.exe /Admin to gain access to the utility.

FYI You will probably need to push this out with a script unless you are able to create a custom MSI file for deployment.

0
 

Author Comment

by:mikey250
ID: 36550307
I copied 'office 2003 .exe' to c:\ then did - c:\wordview_en-us.exe /extract:c:\word-view - enter and this changed it to a .msi

Not sure what you mean by your comments

Not using office 2007/2010 yet anyway!!!! Trying to understand how to practically do install via GPO first of all

You need to run the install from the setup.exe - Dont understand what you mean here although I presume you mean my 'wordviewer.exe on server !!!!!

Note: office 2007/2010 comes with the CIW - I will try this later but wish to install this Office 2003 as been on this for 3 weeks 7 days a week, but due to getting it installed twice before this why not give up and used other ideas!!!!!!!!!!!!!

yet!!
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 36550517
I was just stating examples since I do not have actual application to reference.
I saw some of your screenshots and OFFICE 2003 was in that.  Office 2003 runs via MSI and not EXE.

With regards to Office 2007/2010 I saw that you mentioned it in the previous posts so I figured I would add my insight on that as well.
Really not more then that.

You will need to download the CIW for 2003 and configure this so Office can be pushed.
0
 

Author Comment

by:mikey250
ID: 36556548
Hi yo_bee I got it to work in the end but what I did for every extra configuration I added starting from the software - rights/permissions and going back one by one to the GPO - rights/permissions and back to AD rights and permissions and last of all going back to:  c:\software - rights and permissions I was able to: install software onto pc and then remove about 10 times until I was left with the bare bones of what allowed me to install it anyway.

On doing so I switched between Computer configuration to install software and remove
& User configuration to install software and remove

All appeared to be ok which was excellent!! But eventually I did get to a point when removing stuff regarding the user or domain computer reference rights/permissions ie instead of 'full access I changed it to 'read' for example and somewhere along the line I could not reinstall the software at 'Computer configuration'!!

Although on the host pc in 'Eventviewer' it did state some 'Bit service issue and after looking on the internet it stated to 'restart' the service, so I opened up the Computer configuration and located this 'Bit service' and did so and then I ran 'gpupdate /force' on the server and restarted the host pc which eventually detected that changes were made and mentioned about the 'software to be installed' was detected and would take another reboot, but even after a few more reboots and doing: gpupdate /force or gpupdate /wait:0' for example on the host pc it still did not install.

So I have not made no more changes since, but on looking in the 'Eventviewer' eventually it states that there was an issue with it.

Im not sure if I can even do: gpupdate /force or even gpupdate /wait:0 for example one by one before restarting the host pc as Im assuming this may cause even more problems and reboots making me appear to be going round in circles!!!!!!!!!!!

It ok I will leave it at that as learning this AD isn't straight forward and can be configuration in various ways dependant upon the scenario from what I've heard.


0
 

Author Comment

by:mikey250
ID: 36556561
Hi yo_bee,  I got it to work in the end but what I did for every extra configuration I added starting from the software - rights/permissions and going back one by one to the GPO - rights/permissions and back to AD rights and permissions and last of all going back to:  c:\software - rights and permissions I was able to: install software onto pc and then remove about 10 times until I was left with the bare bones of what allowed me to install it anyway.

What I mean't by above comment was that I changed privileges etc instead of 'full access' for everthing!!!
0
 

Author Closing Comment

by:mikey250
ID: 36941673
Sound advice but have been having intermitant issues which looks as though have been cause of my problem.  Although resolved now and no more issues so far with OS and no more intermitant issues!!
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now