We help IT Professionals succeed at work.

Google Chrome GPO installation

deanavey used Ask the Experts™
I've set up an installation of Google Chrome through GPO using instructions I've been given and I log on as the test user and it doesn't seem to be working. I am a rookie when it comes to GPO but here are the steps I followed:

1) Downloaded the .msi for Google chrome, along with the templates. Saved them to C\Software\templates and shared it.
2) Started GPO management, under my domain and GPOs created 'Test-Chrome'.
3) Edit GPO, under 'Computer Configuration -> Policies -> software settings -> software installation', I chose the .msi package I want to install. I used the network path as the path this will install from, not straight link to the C drive.
4) Under 'administrative templates' I choose 'add' and found 'chrome.adm' and added it.
5) From that I just configured some hope page and password management settings.
6) Linked the GPO to the domain and under "security filtering" I added just my single test user from Active Directory. Link Enabled is checked at this point.
7) Started cmd prompt on both the test PC and the DC and used 'gpupdate /force' and the GPO successfully updates.

The only thing I know that I haven't done for sure is restart any machines because these are in live production.

From there I logged off the test PC and back on and am not finding chrome anywhere.
When I log in as the test user, under 'add/remove programs/ I DO see Google Chrome, but there are no details populated. When I attempt to try to uninstall or update it I receive 'the feature you are trying to use is on a network resource that is unavailable. I checked the share again and all users have full privileges.  What am I doing wrong?

Thank you for your help and please let me know if you need other details.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

This is just a guess ....

Does your test user have Share rights and NTFS rights to the folder you shared the MSI from?

(Not Sure if it needs to be or not) But is your test user a local admin?


No, test user isn't a local admin. I'll test this tomorrow for sure. Thanks for the suggestion!
Another option is to put the file in the netlogon directory ... We use that for our desktop backgrounds and such.

If you arent aware the path is \\<domainname>\netlogon. This folder is replicated to all domain controllers, so it will be available everywhere.
"The only thing I know that I haven't done for sure is restart any machines because these are in live production."

You need to reboot as that is when the actual software is installed.
1. make sure that the folder where you put it has read permissions for domain computers; both share permissions, and NTFS permissions.
2. add "domain computers" to security filtering.
3. Run "group policy results" wizard, specify the machine you want Chrome to be installed at, analyze the results and verify that your new policy is applied, and that the package shows up as assigned under Machine Configuration.


1. make sure that the folder where you put it has read permissions for domain computers; both share permissions, and NTFS permissions.
  - tried this to no avail
2. add "domain computers" to security filtering.
  - this did need to be done so that helped. It shows up in the modeling now, but still no test PC success.

Restarted the test PC, still no success. I'm now attempting to add it to the DC netlogon folder, recreate the GPO, update, restart, and try again.


Now that I've moved it to the netlogon folder my modeling results show the GPO as Denied due to "access denied (security filtering)
Access denied - is it in computer configuration?

As an experiment, add this machine alone to the security configuration and see it it makes the change. If it does, then find out why it does not belong to Domain Computers.

If you have other group policies that are applied, you can compare what's in their security filtering to this policy.

In order to be available to the users, you should add "authenticated users" to the security filtering; but since you added this package under Computer Configuration, it shouldn't matter.


Yes it was created in computer config. I'll try your suggestion and get back to you shortly.
> it was created in computer config.

I mean "access denied" showed up in the results of the wizard under Computer Configuration, right? like on this screenshot.

Double-check permissions by opening Properties of the policy, go to the tab "security" and check. There can be entries with "deny" that wouldn't show up in GP console.


Looked through security and there are no deny permissions and the apply GPO boxes are checked accordingly.

Reran the results wizard, under computer config the test GPO is no longer denied but received this notice under Computer config -> Componant Status:

Software Installation failed due to the error listed below.
The installation source for this product is not available. Verify that the source exists and that you can access it.

Checked, and I can access the folder from the test PC and logged in as the test user. So I guess it's just a matter of figuring out why it can't see the shared .msi resourece
> I can access the folder

Not you, winlogon running on machine account has to access it.  Give share and ntfs permissions to "system" and to "domain computers" and to "everyone" (which is excessive, but OK just to make it working).


On my very first attempt at doing this GPO I created a share in the C:\ drive of the DC and shared it for testing purposes. So the path for this was C:\Software. I just logged onto my test machine again and went into add/remove programs and Google Chrome shows up, but not populated with anything. When I attempt to uninstall it the default root it looks for to try to uninstall is C:\Software. But my GPO installation package has been created from \\server\netlogon\software. I've set both the NTFS and share permissions to read only for 'everyone'.

Does it seem like there is a rogue GPO somewhere or setting that still thinks this share exists?
When you uninstall, it does not matter what is in the GPO now. It tries to uninstall from the location it was installed from. So if you installed it from c:\software, it has to find the source in c:\software.

Remove it from GPO, restart machine, and make sure it's uninstalled from the machine. Then add back to GPO, restart machine, and it has to be installed.

You can see the source location of the package in the same Group Policy Results (not Modeling, by the way, as you mentioned somewhere above)

I didn't quite get this: "Google Chrome shows up, but not populated with anything" - what do you mean?


Sorry.. Google Chrome shows up in the list of programs to uninstall, but it doesn't have a size, or last used date.
This usually means that it's not assigned but advertised, so it's not yet installed. Or that the system knows that it had to be installed, but failed to install. This might be because of your problem with "access denied" to the installation source file.

Look in the "add new programs" - is it there? try to add it from there - will it install?


When I go to Add Programs it says "No programs available on the network". But when I attempt to add on from "CD or Floppy" anyway, I am able to browse to the network location that the .msi is located. When I select this file and attempt to run it says "The installation package could not be opened. Verify that the package exists and that you can access it. Or contact the application vendor to verify that this is a valid Windows installer package."

I'm going to try to re-download this .msi package amongst all things.


So all this work and it appears to have been a corrupt .msi. I used the MSI before and it was fine, but I just downloaded a new one and linked it with the GPO and now my test machine has a functional, admin controlled Google Chrome...

You all did have very helpful advice though in the process. Thank you so much!
You don't need to request moderator's intervention in order to close your question. http://www.experts-exchange.com/help/viewHelpPage.jsp?helpPageID=24 has details, including how to accept multiple answers.


Sorry, I didn't realize I was requesting anything. I just hit 'accept multiple solutions' chose them, and hit submit. I'll try again
As a closing comment, here's some additional info re. Google Chrome for Enterprise. Their MSI installation is not "real" MSI, it's only a wrapper around setup.exe; which is most likely the reason why it needed the installation source in order to uninstall itself - normally it's not necessary, it also does not have some other advantages of true MSI installation, such as ability to repair the product, and some others.