
Group Policy

I am using Server 2000.  I created a GPO object to deploy Office 2003 with a transform file.  The group policy is not executing and installing from the .MSI from a network share.  

How do I do this?  I only want to test on users and their virtual machines and not deploy through all the organization yet.
Robert Mohr
Server 2000?! It is time to upgrade.

It has been a while, but you may need an Office 2003 resource kit


Make sure that the following setting is enabled,

Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon.

Steps in a nutshell

1. Create a shared folder in the local system drive and give administrator full access and everyone read only access.
2. Copy all the contents of the Office 2003 setup to a folder there.
3. Using Custom Installation Wizard in Office 2003 resource kit create a file with any name and save in the shared folder created in first step

Once you've installed windows resource kit tools, you can find a menu called the Custom Installation Wizard in start menu. Invoke it, and when prompted, point it to the .MSI for Office Version (PRO11.MSI for Office 2003). An .MST file (Windows Installer transform) will be generated. Save it in the same place as your installation point. This file is an answer file for installation.

4. Create a new Group Policy object, and Assign/Publish a new Software Package (Assign it to the computer configuration). Point the GPO to the .MSI of Office version PRO11.msi for the Office 2003. In Modifications tab browse for the MST file created in the previous step.
5. Disable the User Configuration settings in the GPO, as they won't be used (Installing software per computer here).

6. Reboot one of the systems which falls in the scope of the above GPO and see how it actually works.

7. In case your clients consist of Windows XP Pro, you will have to make sure that the following setting is enabled,
Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon
Yeah, upgrade needed since this OS is no longer supported by Microsoft, which means you are no longer getting security updates.

If you are having issues applying a software installation via GPO, I would suggest enabling software installation Log to see what is happening.  Do you see the GPO Processing?  To see if it is processing, enable the UserEnv.log.  You can see how to enable the logs using the following: http://technet.microsoft.com/en-us/library/cc775423(v=WS.10).aspx

Gladys Rodriguez
Robert Mohr (Author) Commented:
Coffinated -
Yes, I know, Server 2000 NEEDS to be removed/upgraded.  Working on it...

I followed all of your steps and on the specific machine I receive this warning on the end user machine that I am testing the GPO.

The processing of Group Policy failed. Windows attempted to read the file \\unitedshockwave.com\SysVol\unitedshockwave.com\Policies\{CCF6A1B3-2916-4AFA-B247-3E39D259F1DF}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved....
When going to that specific file path, the long string starting with {CCF6A1B..., it is not listed in that folder.  Any thoughts on the issue?  WE'RE SO CLOSE!

GlobalStrata -
I enabled the log and I don't believe it is showing me information that is helping me deduce the issue.  I might not be reading it correctly however.  

Are you seeing that path if you check on all Domain Controller Sysvol Folder?  If the answer is no, then you are having Sysvol Replication issues.  

If the answer is yes, then my suggestion is to delete that GPO, create a new one and put the settings in the new one.  It seems that there was some type of corruption that happened.  You may want to check if Antivirus is scanning your Sysvol.  It is recommended for Sysvol not to be scanned.

Just a quick background.  When you create a GPO, information is saved in two locations:

1. Active Directory Users and Computers > System (Need to enable Advanced View to see) > Policies > GUID.  This is called the Group Policy Container.  It contains attribute information such as version, Display Name and others.

2. Sysvol > Domain > Policies > GUID.  This is called Group Policy Template and contains the actual GPO Settings.

This means that for Group Policy to work correctly, both Active Directory and Sysvol Replication must work correctly.  There is a possibility for one of the components explained above to not exist.  Usually this happens when there is some type of communication, scanner locking files or some other weird issue.  In your case, it seems that the GPT may be missing.

Gladys Rodriguez
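The per-DC check described in the post above, as an added example that is not part of the original thread: it looks for both halves of one GPO (the GPT folder in SYSVOL and the GPC object in Active Directory) on every domain controller and compares their version numbers. The function name `Test-GpoReplication` is hypothetical; the sketch assumes it is run from a domain-joined machine by an account that can read SYSVOL and the `CN=Policies,CN=System` container.

```powershell
# Added example (not from the thread). Test-GpoReplication is a hypothetical name.
# For each DC, report whether the GPO's SYSVOL half (GPT) and AD half (GPC) exist
# and whether their version numbers agree.
function Test-GpoReplication {
    param(
        [Parameter(Mandatory = $true)][string]$GpoGuid,  # GUID with braces, as shown in the event text
        [string[]]$DomainControllers                     # optional; defaults to every DC in the domain
    )
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    if (-not $DomainControllers) {
        $DomainControllers = $domain.DomainControllers | ForEach-Object { $_.Name }
    }
    $domainDn = ($domain.Name.Split('.') | ForEach-Object { "DC=$_" }) -join ','

    foreach ($dc in $DomainControllers) {
        # Group Policy Template: \\<dc>\SYSVOL\<domain>\Policies\<GUID>\gpt.ini
        $gptIni = "\\$dc\SYSVOL\$($domain.Name)\Policies\$GpoGuid\gpt.ini"
        $gptPresent = Test-Path -LiteralPath $gptIni
        $gptVersion = $null
        if ($gptPresent) {
            foreach ($line in Get-Content -LiteralPath $gptIni) {
                if ($line -match '^\s*Version\s*=\s*(\d+)') { $gptVersion = [long]$Matches[1]; break }
            }
        }
        # Group Policy Container: CN=<GUID>,CN=Policies,CN=System,<domain DN>
        $gpcPath = "LDAP://$dc/CN=$GpoGuid,CN=Policies,CN=System,$domainDn"
        $gpcVersion = $null
        try {
            if ([System.DirectoryServices.DirectoryEntry]::Exists($gpcPath)) {
                $gpc = New-Object System.DirectoryServices.DirectoryEntry($gpcPath)
                $gpcVersion = [long]$gpc.psbase.Properties['versionNumber'].Value
            }
        } catch {
            Write-Warning "LDAP query against $dc failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DomainController = $dc
            GptPresent       = $gptPresent
            GpcPresent       = ($null -ne $gpcVersion)
            GptVersion       = $gptVersion
            GpcVersion       = $gpcVersion
            InSync           = ($null -ne $gptVersion -and $gptVersion -eq $gpcVersion)
        }
    }
}
```

A DC that shows `GpcPresent` true but `GptPresent` false has the Active Directory object without the SYSVOL folder, which is the state the gpt.ini read error in this thread describes.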
Are you deploying as a user or a computer GPO?
If the GUID is not showing up, that means you have an error in the GPO that prevents its rollout into sysvol.

It might be a permission related issue.
Globalstrata is pointing in the right direction. If you get that error in event logs it means it's not been replicated to all DCs.

Start with dcdiag and the event logs to spot the issues with replication, then your GPO will start working.
Vadim Rapp Commented:
Delete this group policy, then create new. You can start with publishing or assigning some trivial MSI package. In group policy editor, run "group policy results wizard" and see if your policy and package become visible to the machine.

Troubleshooting is best to start from clean workstation, such as clean virtual machine, which you can restore to the original state by one click. Otherwise you never know whether the problems are on domain controller or on the workstation.

> Yes, I know, Server 2000 NEEDS to be removed/upgraded.  

Only if you have real reasons, such as there are things you can't do with it, applications you need to install on it but incompatible, and such. If your dc is not on the perimeter of your network, then you probably don't face any security risks, while Microsoft security patches have a long history of being 99% publicity stunts, ruining core functionality of the affected systems left and right. There are lots of non-security patches whose description starts with "After you apply security patch xxx, you experience.....", however, unlike security patches, these are not pushed to anybody, you have to learn about them, find them, and request them from Microsoft. Which is kinda paradox, since the probability to be affected by the security vulnerability is usually negligent, while the probability to be affected by the pushed security patch with known defect is 100%. For that reason, on my own domain windowsupdate is not automatic, and I personally approve through WSUS only few selected fixes that do have impact - practically all non-security ones. As a bottom line, I couldn't care less whether my O/S is "supported" by Microsoft, or not, and the only reason to upgrade becomes, for example, new Exchange Server that needs newer server o/s.
Robert Mohr (Author) Commented:
Anti-virus is not scanning SYSVOL.
I deleted the GPO, created a new one and still received that same error.
I'm abandoning this and chalking it up to Server 2000.