Group Policy

Posted on 2013-05-30
Last Modified: 2013-08-16
I am using Server 2000.  I created a GPO object to deploy Office 2003 with a transform file.  The group policy is not executing and installing from the .MSI from a network share.  

How do I do this?  I only want to test on users and their virtual machines and not deploy through all the organization yet.
Question by: Robert Mohr

Expert Comment

Server 2000?! It is time to upgrade.

It has been a while, but you may need an Office 2003 resource kit.

Make sure that the following setting is enabled:

Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon.

Steps in a nutshell

1. Create a shared folder in the local system drive and give administrator full access and everyone read only access.
2. Copy all the contents of the Office 2003 setup to a folder there.
3. Using the Custom Installation Wizard in the Office 2003 resource kit, create a file with any name and save it in the shared folder created in the first step.

Once you've installed the Windows resource kit tools, you can find a menu called the Custom Installation Wizard in the Start menu. Invoke it, and when prompted, point it to the .MSI for the Office version (PRO11.MSI for Office 2003). An .MST file (Windows Installer transform) will be generated. Save it in the same place as your installation point. This file is an answer file for installation.

4. Create a new Group Policy object, and Assign/Publish a new Software Package (Assign it to the computer configuration). Point the GPO to the .MSI of the Office version, PRO11.msi for Office 2003. In the Modifications tab, browse for the MST file created in the previous step.
5. Disable the User Configuration settings in the GPO, as they won't be used (installing software per computer here).

6. Reboot one of the systems that falls in the scope of the above GPO and see how it actually works.

7. In case your clients consist of Windows XP Pro, you will have to make sure that the following setting is enabled:
Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

Expert Comment

Yeah, upgrade needed since this OS is no longer supported by Microsoft, which means you are no longer getting security updates.

If you are having issues applying a software installation via GPO, I would suggest enabling software installation Log to see what is happening.  Do you see the GPO Processing?  To see if it is processing, enable the UserEnv.log.  You can see how to enable the logs using the following:

Gladys Rodriguez

Author Comment

by: Robert Mohr
Coffinated -
Yes, I know, Server 2000 NEEDS to be removed/upgraded.  Working on it...

I followed all of your steps and on the specific machine I receive this warning on the end user machine that I am testing the GPO.

The processing of Group Policy failed. Windows attempted to read the file \\\SysVol\\Policies\{CCF6A1B3-2916-4AFA-B247-3E39D259F1DF}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved....
When going to that specific file path, the long string starting with {CCF6A1B..., it is not listed in that folder.  Any thoughts on the issue?  WE'RE SO CLOSE!

GlobalStrata -
I enabled the log and I don't believe it is showing me information that is helping me deduce the issue.  I might not be reading it correctly however.  

Accepted Solution

GlobalStrata earned 500 total points
Are you seeing that path if you check the Sysvol folder on all Domain Controllers?  If the answer is no, then you are having Sysvol Replication issues.  

If the answer is yes, then my suggestion is to delete that GPO, create a new one and put the settings in the new one.  It seems that there was some type of corruption that happened.  You may want to check if Antivirus is scanning your Sysvol.  It is recommended for Sysvol not to be scanned.

Just a quick background.  When you create a GPO, information is saved in two locations:

1. Active Directory Users and Computers > System (Need to enable Advanced View to see) > Policies > GUID.  This is called the Group Policy Container.  It contains attribute information such as version, Display Name and others.

2. Sysvol > Domain > Policies > GUID.  This is called Group Policy Template and contains the actual GPO Settings.

This means that for Group Policy to work correctly, both Active Directory and Sysvol Replication must work correctly.  There is a possibility for one of the components explained above to not exist.  Usually this happens when there is some type of communication, scanner locking files or some other weird issue.  In your case, it seems that the GPT may be missing.

Gladys Rodriguez
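
The check described in the answer above, written out as an added example (not code from this thread). It asks every domain controller for both halves of the GPO, the Group Policy Container in Active Directory and the Group Policy Template in Sysvol, and compares their version numbers. Assumptions: it is run from a domain-joined workstation with PowerShell 3.0 or later, Sysvol uses the default share layout, and `$GpoGuid` is a script parameter introduced here, defaulting to the GUID from the error quoted in the question.

```powershell
# Added example: reports, per domain controller, whether both halves of a GPO exist.
param(
    # GUID copied from the event text quoted in this thread
    [string]$GpoGuid = '{CCF6A1B3-2916-4AFA-B247-3E39D259F1DF}'
)

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDN = 'DC=' + ($domain.Name -replace '\.', ',DC=')

foreach ($dc in $domain.DomainControllers) {
    $gpcVersion = $null
    $gptVersion = $null
    $ldapFailed = $false

    # Group Policy Container: the AD object under CN=Policies,CN=System
    $gpcPath = "LDAP://$($dc.Name)/CN=$GpoGuid,CN=Policies,CN=System,$domainDN"
    try {
        if ([System.DirectoryServices.DirectoryEntry]::Exists($gpcPath)) {
            $gpc = New-Object System.DirectoryServices.DirectoryEntry($gpcPath)
            $gpcVersion = [int]$gpc.psbase.Properties['versionNumber'].Value
        }
    } catch {
        $ldapFailed = $true   # DC unreachable or bind refused, not "GPC missing"
    }

    # Group Policy Template: the Sysvol folder that must contain gpt.ini
    $gptIni = "\\$($dc.Name)\SYSVOL\$($domain.Name)\Policies\$GpoGuid\gpt.ini"
    if (Test-Path -LiteralPath $gptIni) {
        $line = Get-Content -LiteralPath $gptIni |
            Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
            Select-Object -First 1
        if ($line) { $gptVersion = [int]($line -replace '\D', '') }
    }

    $status = if ($ldapFailed) { 'LDAP check failed' }
        elseif ($null -eq $gpcVersion -and $null -eq $gptVersion) { 'GPO not present on this DC' }
        elseif ($null -eq $gptVersion) { 'GPT missing or unreadable: check Sysvol replication' }
        elseif ($null -eq $gpcVersion) { 'GPC missing: check AD replication' }
        elseif ($gpcVersion -ne $gptVersion) { 'GPC/GPT version mismatch' }
        else { 'OK' }

    [pscustomobject]@{
        DC = $dc.Name; GPCVersion = $gpcVersion; GPTVersion = $gptVersion; Status = $status
    }
}
```

A domain controller that reports a GPC version but no GPT version matches the symptom in the event text: the client was referred to a policy whose gpt.ini is not in that DC's Sysvol.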

Expert Comment

Are you deploying as a user or a computer GPO?
If the GUID is not showing up, that means you have an error in the GPO that prevents its rollout into sysvol.

It might be a permission related issue.

Expert Comment

GlobalStrata is pointing in the right direction. If you get that error in the event logs, it means it's not been replicated to all DCs.

Start with dcdiag and the event logs to spot the issues with replication; then your GPO will start working.

Expert Comment

by: Vadim Rapp
Delete this group policy, then create new. You can start with publishing or assigning some trivial MSI package. In group policy editor, run "group policy results wizard" and see if your policy and package become visible to the machine.

Troubleshooting is best started from a clean workstation, such as a clean virtual machine, which you can restore to the original state by one click. Otherwise you never know whether the problems are on the domain controller or on the workstation.

> Yes, I know, Server 2000 NEEDS to be removed/upgraded.  

Only if you have real reasons, such as there are things you can't do with it, applications you need to install on it but incompatible, and such. If your dc is not on the perimeter of your network, then you probably don't face any security risks, while Microsoft security patches have a long history of being 99% publicity stunts, ruining core functionality of the affected systems left and right. There are lots of non-security patches whose description starts with "After you apply security patch xxx, you experience.....", however, unlike security patches, these are not pushed to anybody, you have to learn about them, find them, and request them from Microsoft. Which is kinda paradox, since the probability to be affected by the security vulnerability is usually negligible, while the probability to be affected by the pushed security patch with known defect is 100%. For that reason, on my own domain windowsupdate is not automatic, and I personally approve through WSUS only a few selected fixes that do have impact - practically all non-security ones. As a bottom line, I couldn't care less whether my O/S is "supported" by Microsoft, or not, and the only reason to upgrade becomes, for example, new Exchange Server that needs newer server o/s.

Author Comment

by: Robert Mohr
Anti-virus is not scanning SYSVOL.
I deleted the GPO, created a new one and still received that same error.
I'm abandoning this and chalking it up to Server 2000.
