Solved

Group Policy

Posted on 2013-05-30
9
562 Views
Last Modified: 2013-08-16
I am using Server 2000.  I created a GPO object to deploy Office 2003 with a transform file.  The group policy is not executing and installing from the .MSI from a network share.  

How do I do this?  I only want to test on users and their virtual machines and not deploy through all the organization yet.
0
Comment
Question by:Robert Mohr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 5

Expert Comment

by:Coffinated
ID: 39209310
Server 2000?! It is time to upgrade.

It has been a while, but you may need an Office 2003 resource kit

http://office.microsoft.com/en-us/office-2003-resource-kit/using-group-policy-to-deploy-office-HA001140201.aspx

Make sure that the following setting is enabled,

Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon.

Steps in a nutshell

1. Create a shared folder in the local system drive and give administrator full access and everyone read only access.
2. Copy all the contents of the Office 2003 setup to a folder there.
3. Using Custom Installation Wizard in Office 2003 resource kit create a file with any name and save in the shared folder created in first step

Once you've installed windows resource kit tools, you can find a menu called the Custom Installation Wizard in start menu. Invoke it, and when prompted, point it to the .MSI for Office Version (PRO11.MSI for Office 2003). An .MST file (Windows Installer transform) will be generated. Save it in the same place as your installation point. This file is an answer file for installation.

4. Create a new Group Policy object, and Assign/Publish a new Software Package (Assign it to the computer configuration). Point the GPO to the .MSI of Office version PRO11.msi for the Office 2003. In Modifications tab browse for the MST file created in the previous step.
5. Disable the User Configuration settings in the GPO, as they won't be used (Installing software per computer here).

6. Reboot one of the system which falls in the scope of above given GPO and see how it actually works.

7. In case if your client consist of Windows XP Pro you will have make sure that the following setting is enabled,
Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon
0
 
LVL 3

Expert Comment

by:GlobalStrata
ID: 39212854
Yeah, upgrade needed since this OS is not longer supported by Microsoft which means you are no longer getting security updates.

If you are having issues applying a software installation via GPO, I would suggest enabling software installation Log to see what is happening.  Do you see the GPO Processing?  To see if it is processing, enable the UserEnv.log.  You can see how to enable the logs using the following: http://technet.microsoft.com/en-us/library/cc775423(v=WS.10).aspx

Gladys Rodriguez
http://blogs.technet.com/b/mspfe/
0
 

Author Comment

by:Robert Mohr
ID: 39216594
Coffinated -
Yes, I know, Server 2000 NEEDS to be removed/upgraded.  Working on it...

I followed all of your steps and on the specific machine I receive this warning on the end user machine that I am testing the GPO.

The processing of Group Policy failed. Windows attempted to read the file \\unitedshockwave.com\SysVol\unitedshockwave.com\Policies\{CCF6A1B3-2916-4AFA-B247-3E39D259F1DF}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved....
When going to that specific file path, the long string starting with {CCF6A1B..., it is not listed in that folder.  Any thoughts on the issue?  WE'RE SO CLOSE!

GlobalStrata -
I enabled the log and I don't believe it is showing me information that is helping me deduce the issue.  I might not be reading it correctly however.  
Thoughts?
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 
LVL 3

Accepted Solution

by:
GlobalStrata earned 500 total points
ID: 39220652
Are you seeing that path if you check on all Domain Controller Sysvol Folder?  If the answer is no, then you are having Sysvol Replication issues.  

If the answer is yes, then my suggestion is to delete that GPO, create a new one and put the settings in the new one.  It seems that there was some type of corruption that happened.  You may want to check if Antivirus is scanning your Sysvol.  It is recommended for Sysvol not to be scanned.

Just a quick background.  When you create a GPO, information is saved in two locations:

1. Active Directory Users and Computers > System (Need to enable Advanced View to see) > Policies > GUID.  This is called the Group Policy Container.  It contains attribute information such as version, Display Name and others.

2. Sysvol > Domain > Policies > GUID.  This is called Group Policy Template and contains the actual GPO Settings.

This means that for Group Policy to work correctly, both Active Directory and Sysvol Replication must work correctly.  There is a possibility for one of the components explained above to not exist.  Usually this happen when there are some type of communication, scanner locking files or some other weird issue.  In your case, it seem that the GPT may be missing.

Gladys Rodriguez
http://blogs.technet.com/b/mspfe/
0
 
LVL 78

Expert Comment

by:arnold
ID: 39220969
Are you deploying as a user or a computer GPO?
If the GUID not showing up, that means you have an error in the GPO that prevents its rollout into sysvol.

It might be a permission related issue.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39221173
Globalstrata is pointing in the right direction. If you get that error in event logs it means its not been replicated to all DC's.

start with dcdiag and the eventlogs to spot the issues with replication then your GPO will start working
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 39221853
Delete this group policy, then create new. You can start with publishing or assigning some trivial MSI package. In group policy editor, run "group policy results wizard" and see if your policy and package become visible to the machine.

Troubleshooting is best to start from clean workstation, such as clean virtual machine, which you can restore to the original state by one click. Otherwise you never know whether the problems are on domain controller or on the workstation.

> Yes, I know, Server 2000 NEEDS to be removed/upgraded.  

Only if you have real reasons, such as there are things you can't do with it, applications you need to install on it but incompatible, and such. If your dc is not on the perimeter of your network, then you probably don't face any security risks, while Microsoft security patches has a long history of being 99% publicity stunts, ruining core functionality of the affected systems left and right. There are lots of non-security patches whose description starts with "After you apply security patch xxx, you experience.....", however, unlike security patches, these are not pushed to anybody, you have to learn about them, find them, and request them from Microsoft. Which is kinda paradox, since the probability to be affected by the security vulnerability is usually negligent, while the probability to be affected by the pushed security patch with known defect is 100%. For that reason, on my own domain windowsupdate is not automatic, and I personally approve through WSUS only few selected fixes that do have impact - practically all non-security ones. As a bottom line, I couldn't care less whether my O/S is "supported" by Microsoft, or not, and the only reason to upgrade becomes, for example, new Exchange Server that needs newer server o/s.
0
 

Author Comment

by:Robert Mohr
ID: 39275806
Anti-virus is not scanning SYSVOL.
I deleted the GPO, created a new one and still received that same error.
I'm abandoning this and chalking it up to Server 2000.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question