

Group Policy

Posted on 2013-05-30
Medium Priority
Last Modified: 2013-08-16
I am using Server 2000.  I created a GPO object to deploy Office 2003 with a transform file.  The group policy is not executing and installing from the .MSI from a network share.  

How do I do this?  I only want to test on users and their virtual machines and not deploy through all the organization yet.
Question by:Robert Mohr

Expert Comment

ID: 39209310
Server 2000?! It is time to upgrade.

It has been a while, but you may need an Office 2003 resource kit


Make sure that the following setting is enabled:

Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

Steps in a nutshell

1. Create a shared folder in the local system drive and give administrator full access and everyone read only access.
2. Copy all the contents of the Office 2003 setup to a folder there.
3. Using the Custom Installation Wizard in the Office 2003 resource kit, create a file with any name and save it in the shared folder created in the first step.

Once you've installed the Windows resource kit tools, you can find a menu item called the Custom Installation Wizard in the Start menu. Invoke it, and when prompted, point it to the .MSI for the Office version (PRO11.MSI for Office 2003). An .MST file (Windows Installer transform) will be generated. Save it in the same place as your installation point. This file is an answer file for installation.

4. Create a new Group Policy object, and Assign/Publish a new Software Package (assign it to the computer configuration). Point the GPO to the .MSI of the Office version (PRO11.msi for Office 2003). In the Modifications tab, browse for the MST file created in the previous step.
5. Disable the User Configuration settings in the GPO, as they won't be used (installing software per computer here).

6. Reboot one of the systems that falls in the scope of the GPO above and see how it actually works.

7. If your clients are Windows XP Pro, you will have to make sure that the following setting is enabled:
Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

Expert Comment

ID: 39212854
Yeah, upgrade needed since this OS is no longer supported by Microsoft, which means you are no longer getting security updates.

If you are having issues applying a software installation via GPO, I would suggest enabling the software installation log to see what is happening.  Do you see the GPO processing?  To see if it is processing, enable the UserEnv.log.  You can see how to enable the logs using the following: http://technet.microsoft.com/en-us/library/cc775423(v=WS.10).aspx

Gladys Rodriguez

Author Comment

by:Robert Mohr
ID: 39216594
Coffinated -
Yes, I know, Server 2000 NEEDS to be removed/upgraded.  Working on it...

I followed all of your steps and on the specific machine I receive this warning on the end user machine that I am testing the GPO.

The processing of Group Policy failed. Windows attempted to read the file \\unitedshockwave.com\SysVol\unitedshockwave.com\Policies\{CCF6A1B3-2916-4AFA-B247-3E39D259F1DF}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved....
When going to that specific file path, the long string starting with {CCF6A1B..., it is not listed in that folder.  Any thoughts on the issue?  WE'RE SO CLOSE!

GlobalStrata -
I enabled the log and I don't believe it is showing me information that is helping me deduce the issue.  I might not be reading it correctly however.  


Accepted Solution

GlobalStrata earned 1000 total points
ID: 39220652
Are you seeing that path if you check the Sysvol folder on all Domain Controllers?  If the answer is no, then you are having Sysvol Replication issues.  

If the answer is yes, then my suggestion is to delete that GPO, create a new one and put the settings in the new one.  It seems that there was some type of corruption that happened.  You may want to check if Antivirus is scanning your Sysvol.  It is recommended for Sysvol not to be scanned.

Just a quick background.  When you create a GPO, information is saved in two locations:

1. Active Directory Users and Computers > System (Need to enable Advanced View to see) > Policies > GUID.  This is called the Group Policy Container.  It contains attribute information such as version, Display Name and others.

2. Sysvol > Domain > Policies > GUID.  This is called Group Policy Template and contains the actual GPO Settings.

This means that for Group Policy to work correctly, both Active Directory and Sysvol Replication must work correctly.  There is a possibility for one of the components explained above to not exist.  Usually this happens when there is some type of communication issue, a scanner locking files or some other weird issue.  In your case, it seems that the GPT may be missing.

Gladys Rodriguez
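
The GPC/GPT pairing described in this answer can be checked on every domain controller at once. The following is an added example, not part of the original thread; it assumes PowerShell on a domain-joined admin workstation with read access to each DC's SYSVOL share, and the helper name `New-Finding` is hypothetical.

```powershell
# Added example: cross-check every GPO's AD object (GPC) against its SYSVOL folder (GPT)
# on each domain controller. Uses only .NET System.DirectoryServices and UNC file access.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$rootDse = [ADSI]'LDAP://RootDSE'

function New-Finding($Dc, $Guid, $Name, $Status) {   # hypothetical helper for report rows
    New-Object PSObject -Property @{ DC = $Dc; Guid = $Guid; Name = $Name; Status = $Status }
}

# GPC side: groupPolicyContainer objects under CN=Policies,CN=System,<domain DN>
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$($rootDse.defaultNamingContext)"
$searcher.Filter     = '(objectClass=groupPolicyContainer)'
$searcher.PageSize   = 500
$gpcs = @($searcher.FindAll() | ForEach-Object {
    New-Object PSObject -Property @{
        Guid    = [string]$_.Properties['cn'][0]            # "{GUID}", same as the SYSVOL folder name
        Name    = [string]$_.Properties['displayname'][0]
        Version = [long]$_.Properties['versionnumber'][0]
    }
})
$known = @($gpcs | ForEach-Object { $_.Guid })

# GPT side: \\<dc>\SYSVOL\<domain>\Policies\{GUID}\gpt.ini, checked per DC
$report = foreach ($dc in $domain.DomainControllers) {
    $policies = "\\$($dc.Name)\SYSVOL\$($domain.Name)\Policies"
    if (-not (Test-Path -LiteralPath $policies)) {
        New-Finding $dc.Name '' '' 'Policies folder unreachable'
        continue
    }
    foreach ($gpc in $gpcs) {
        $ini = "$policies\$($gpc.Guid)\gpt.ini"
        if (-not (Test-Path -LiteralPath $ini)) {
            New-Finding $dc.Name $gpc.Guid $gpc.Name 'GPC exists, gpt.ini missing'
            continue
        }
        $gptVersion = $null
        foreach ($line in Get-Content -LiteralPath $ini) {
            if ($line -match '^\s*Version\s*=\s*(\d+)') { $gptVersion = [long]$Matches[1]; break }
        }
        if ($gptVersion -ne $gpc.Version) {
            New-Finding $dc.Name $gpc.Guid $gpc.Name "Version mismatch (AD=$($gpc.Version), SYSVOL=$gptVersion)"
        }
    }
    # GPT folders with no matching GPC object in AD
    Get-ChildItem -LiteralPath $policies |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and $known -notcontains $_.Name } |
        ForEach-Object { New-Finding $dc.Name $_.Name '' 'GPT folder has no GPC in AD' }
}
$report | Select-Object DC, Name, Guid, Status | Format-Table -AutoSize
```

An empty report means every GPC has a matching GPT with the same version on every DC; a finding on only some DCs points at replication rather than at the GPO itself.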
LVL 80

Expert Comment

ID: 39220969
Are you deploying as a user or a computer GPO?
If the GUID is not showing up, that means you have an error in the GPO that prevents its rollout into sysvol.

It might be a permission related issue.
LVL 18

Expert Comment

ID: 39221173
GlobalStrata is pointing in the right direction. If you get that error in the event logs, it means it's not been replicated to all DCs.

Start with dcdiag and the event logs to spot the issues with replication, then your GPO will start working.
LVL 40

Expert Comment

by:Vadim Rapp
ID: 39221853
Delete this group policy, then create a new one. You can start with publishing or assigning some trivial MSI package. In the group policy editor, run the "group policy results wizard" and see if your policy and package become visible to the machine.

It is best to start troubleshooting from a clean workstation, such as a clean virtual machine, which you can restore to its original state with one click. Otherwise you never know whether the problems are on the domain controller or on the workstation.

> Yes, I know, Server 2000 NEEDS to be removed/upgraded.  

Only if you have real reasons, such as things you can't do with it, applications you need to install on it that are incompatible, and such. If your DC is not on the perimeter of your network, then you probably don't face any security risks, while Microsoft security patches have a long history of being 99% publicity stunts, ruining core functionality of the affected systems left and right. There are lots of non-security patches whose description starts with "After you apply security patch xxx, you experience.....", however, unlike security patches, these are not pushed to anybody; you have to learn about them, find them, and request them from Microsoft. Which is kind of a paradox, since the probability of being affected by the security vulnerability is usually negligible, while the probability of being affected by a pushed security patch with a known defect is 100%. For that reason, on my own domain Windows Update is not automatic, and I personally approve through WSUS only a few selected fixes that do have impact - practically all non-security ones. As a bottom line, I couldn't care less whether my O/S is "supported" by Microsoft or not, and the only reason to upgrade becomes, for example, a new Exchange Server that needs a newer server O/S.

Author Comment

by:Robert Mohr
ID: 39275806
Anti-virus is not scanning SYSVOL.
I deleted the GPO, created a new one and still received that same error.
I'm abandoning this and chalking it up to Server 2000.


Question has a verified solution.
