Solved

GPO do not catch up

Posted on 2012-04-13
38
326 Views
Last Modified: 2012-05-16
i have a WDS setup ready and various software packages i want to deploy:

these packages are small ones (about 20MB),so there shouldnt be network issues.
i created a MSI package and a GPO for each one and created a directory c:\software from where it shall be distributed.

same goes for the IE9 package: its in c:\software as well.

i typed gpupdate /force on the WDS and client but the packages werent installed after a few attempts.


atuenticated users and those computers have the "apply group policy" right granted.
on the clients (win 7 sp1), there the following message:

"group policy client extension software was unable to aply one or more settings..."

i rebootet those client several times,but no software were installed.

i posted some PS`s so its easier to follow up.
o1.png
o2.png
o3.png
o4.png
o5.png
0
Comment
Question by:quickslvr
  • 23
  • 15
38 Comments
 
LVL 17

Expert Comment

by:James Haywood
ID: 37841837
Your software path is pointing towards c:\software\xxx. You need to use a UNC instead as when the client processes the GPO it will look for c:\software\xxx on its own C drive.

Change the path to a UNC and ensure the share has read permissions enabled
0
 

Author Comment

by:quickslvr
ID: 37842274
ah i see.
i did this all,but the GPO still dont seem to catch up.
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37842298
Are the GPOs applied to the OU that contain the relevant computer accounts?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:quickslvr
ID: 37842656
yes
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37842671
Can you connect from one of the clients to the UNC path and install one of the packages manually? This will clear a few possible issues.
0
 

Author Comment

by:quickslvr
ID: 37850119
yes,i could do that. the UNC path is visible
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37850134
Ok, can you run gpresult on a client and confirm wether the GPO is being picked up or not?
0
 

Author Comment

by:quickslvr
ID: 37850192
ok,heres more info:

i created those MSI packages with the exe-to-msi converter tool. i assume that this tool has some impact as well
0
 

Author Comment

by:quickslvr
ID: 37850466
ok,wait a min
0
 

Author Comment

by:quickslvr
ID: 37850584
ok, the GPO has not been picked up
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37850587
Do a double check and confirm the GPO containing computer configuration is being applied to an OU containing computer accounts.
0
 

Author Comment

by:quickslvr
ID: 37850698
YES,THIS IS THE CASE
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37850711
I notice you have set security at some levels. Remove all the permissions you originally set. To limit the GPO its easier to set filtering within the GPO console.
0
 

Author Comment

by:quickslvr
ID: 37850788
pls have a look here. do you see something which leds to those issues?
GPReport.html
0
 

Author Comment

by:quickslvr
ID: 37852317
i think i found the reason:

 all software packages reside in the same folder.
i ran gpresult /h and saw that the last package "wins".

i assume that the last package in that folder will be deployed.

could you confirm that fact?
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37852659
It doesn't matter where the software is located as long as there is a separate link to each package within the GPO (or a separate GPO for each package).
0
 

Author Comment

by:quickslvr
ID: 37852741
but thats what i just described,right?

a software delivery GPO must have a dedicated UNC path to make it work,right?
i created a different subfolders for each GPO under the software folder.

would that work then?
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37852763
I don't know if you need to use different subfolders for each package, but thinking about it I've always done it like that anyway!
Try it (just ensure you update each GPO with the new path)
0
 

Author Comment

by:quickslvr
ID: 37852887
ok,ill let you know
0
 

Author Comment

by:quickslvr
ID: 37854768
I re-created everything new.
theres a share for each software folder (I.E. Acrobat) and granted everyone and domain users read rights.

so far, nothing has been installed since an hour..
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37855137
Run gpupdate /force on the client pc.
Reboot and logon x 2
0
 

Author Comment

by:quickslvr
ID: 37855735
din not help.

i also created a GPO which maps drives. same there,it doesnt catch up.

i dont know what else i could do
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37856007
Ok, lets go back to the beginning and create the following:

1. Shared location containing a single software package (.msi) (read access set to everyone both NTFS and share permissions). Confirm this by connecting to the UNC and installing the package onto a client machine.
2. Create a new GPO, assign the relevant settings to the Computer Configuration side (use assigned not publish) using only the package tested above. Do not set any filtering or security at this point.
3. Assign the GPO to an OU that contains computer accounts
4. Run GPupdate /force on the client. You should receive a message saying some settings need to be run on startup and asking if you would like to reboot. If you don't receive this message double check #3
5. Reboot client. Check to see if software is installed. Sometimes it takes two reboots but Windows 7 usually works straight away.

Do all these steps one at a time. If this still doesn't work we can look at DC's etc.
0
 

Author Comment

by:quickslvr
ID: 37856545
ok, i can confirm all the steps above.

i also checked the "ignore languages2 and make 32bit applications available to 64bit machines (since they are all 64x Win 7 SP1)"

same goes with the drive maps. none of the GPO has worked.

i have to admit that those win 7 machines have been deployed thru WDS and sysprep
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37858045
And the clients are not picking up any of the new GPOs? Does GPresult show them now?
0
 

Author Comment

by:quickslvr
ID: 37859390
i will post gpresult in a minute
0
 

Author Comment

by:quickslvr
ID: 37859415
0
 

Author Comment

by:quickslvr
ID: 37859419
and no,the clients do not pick up the GPOs
0
 

Author Comment

by:quickslvr
ID: 37859453
and heres the gpresult from the DC
GPReport.html
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37859871
Your source is still set to a local path (E:\Software\Win7Codecs\win7codecs_v350.msi)

This needs to be a UNC i.e. \\servername\sharename\win7codecs_v350.msi

If not then a client will look at its own E:\ for this path which will not exist.
0
 

Author Comment

by:quickslvr
ID: 37860026
are you sure?
i just lookes at the GPO and it is like this;pls see attachment
pgowsus1.png
0
 
LVL 17

Accepted Solution

by:
James Haywood earned 500 total points
ID: 37862823
I was looking at your gpreport above on the TEST-MC54 machine. Your extract above does show the UNC though so I'm not sure where the discrepancy is?

Can you remove this machine from the domain, remove all gpos then rejoin? That might help starting from fresh.

Removing GPOs (says XP but works with 7)
http://cobracommunications.wordpress.com/2010/09/14/remove-group-polices-from-clients/
0
 

Author Comment

by:quickslvr
ID: 37865080
meantime,theres some success:

two of my software delivery GPO caught up,but there are two more packages not installed.

I`ve found out that the drive maps GPO shoulds is a user GPo and should be linked to
a user group. i will try this and report.

heres some:

  The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Drive Mapping GPO
            Filtering:  Not Applied (Empty)
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37869446
Thats good. If two are installing then we know the infrastructure works, machines are talking etc. Do a double check on the GPOs that are not installing and make sure they have the same settings as the ones that are.

The Drive Mapping GPO will be filtered out as you have correctly stated as it applied to user accounts not computer accounts.
0
 

Author Comment

by:quickslvr
ID: 37870305
i have to correct my statement. the GPos are still not catching up.
i dont know where to look else
0
 

Author Comment

by:quickslvr
ID: 37870319
on hide/show this drive, what do i have to check?
testgpo.png
0
 

Author Comment

by:quickslvr
ID: 37964500
i found another phenomenon:

those self-created MSI (with the freeware) do not work. i took an MSI from appdeploy and that worked right away.

so what i need,is a packaging tool which does all those tasks. since freeware dont do, im willing to pay for something which works.

suggestions which packaging tools do work 100% without any errors?
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37964652
That looks like the problem then1

I haven't really used any .msi creation tools myself. Have a google and try some out I suppose.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question