[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 990
  • Last Modified:

Using GPO to deploy msi that will not install as local admin on win7?

So we have deployed many msi's fine on our lan using GPO.

Issue i have with this msi is that it won't install as local admin.  I have to use the domain admin account.

The 3rd party co has provided a script/batch file to run it with msexec -i switch.  Seems pointless.  Also the msi seems to copy and register 3x ocx files.

Could there be a way to sort?

Thanks
0
CHI-LTD
Asked:
CHI-LTD
  • 20
  • 13
6 Solutions
 
CHI-LTDAuthor Commented:
could the msi have a setting in it to say run ad domain admin only?  could i use orca to edit the msi and change this to anyone?
0
 
McKnifeCommented:
I can hardly believe that, because why should anyone check for domain admin group membership? Pointless.

Please quote your error message. I am pretty sure that your domain admin is named "administrator" - that could be the reason. If "administrator", then UAC is off for that user and installations that may fail due to UAC incompatibility install alright while on the same computer with a different admin they fail - I bet that's it.

So you should be able to install it elevated: rightclick cmd.exe and select "run as administrator" -> an elevated command prompt will appear. No type in the path to your MSI and it will install elevated.
0
 
CHI-LTDAuthor Commented:
UAC is off.

I have a different msi from a large company which installs fine manually as the domain user account, not not permissions issue.  

Sure it works elevated, but i want to be able to run it under user profile.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
CHI-LTDAuthor Commented:
so i can add it to GPO
0
 
McKnifeCommented:
"adding to GPO" means publishing it to users? Because when you deploy an MSI to computer objects, no user intervention is required. Only when assigned to user objects. And even then, the user account would not be used to install, but only to trigger the windows installer service that uses a different account (the system account). Please feedback on that.
0
 
CHI-LTDAuthor Commented:
okay will give it a go on GPO.

And update.
0
 
CHI-LTDAuthor Commented:
well gpresult and modelling wizard show its applying ok, but i don't see it in progs on PC nor do i see any errors on the client machine.
0
 
CHI-LTDAuthor Commented:
there is also a batch file which runs msexec -i....
0
 
McKnifeCommented:
use rsop.msc at the client. If it displays the package as assigned to the computer (important, don't assign to users), it will install on the next reboot. If it does not, check the application event log at the client (search for msi).
0
 
CHI-LTDAuthor Commented:
assigned fine.
system log shows its failed.
0
 
McKnifeCommented:
Why did it, what's the complete error?
0
 
CHI-LTDAuthor Commented:
the isntall of application 'app name.msi' from policy 'appname' failed.  The reason was: %%1612
0
 
McKnifeCommented:
That means, the path to the package is unavailable to the system account.
1 Could it be the path you used is not in the notation \\server\share\xxx.msi but rather on a network drive like x:\xxx.msi?
2 Could it be that you gave no access rights on that package? does the group authenticated users/everyone/domain computers have read access (at least one of them) to that share and file?
0
 
CHI-LTDAuthor Commented:
nope, using UNC path.
i added our global group and can install the the msi from here manually using admin account.
0
 
McKnifeCommented:
manually using the admin account is something different. But we can simulate what happens... please download psexec. Then start cmd on the problem machine like this:
psexec -s -i cmd
in that new cmd, type in the UNC path of that package to see what happens.
0
 
CHI-LTDAuthor Commented:
type: psexec -s -i cmd?
0
 
CHI-LTDAuthor Commented:
if so, this fails to install service.
0
 
McKnifeCommented:
The syntax is correct but it needs to be executed on an elevated command prompt.
0
 
CHI-LTDAuthor Commented:
opens in new cmd window
type unc and cannot access it e.g. \\server1\
0
 
McKnifeCommented:
Please clarify... what did you type in and what was the message?
If the message is showing it cannot access the msi, then clearly, your Access permissions to the share or file are wrong. Add authenticated users with read permissions.
0
 
CHI-LTDAuthor Commented:
psexec -s -i cmd
in new cmd: \\server1\activex\
0
 
McKnifeCommented:
...and now the error message.
0
 
CHI-LTDAuthor Commented:
sure.  but just typing the unc path isnt going to work is it?
0
 
McKnifeCommented:
Please quote the complete error message first.
0
 
CHI-LTDAuthor Commented:
'\\server1\' is not recognised as an internal or external command, operable program or batch file
0
 
McKnifeCommented:
Ok, your command was only \\server1\activex\???
You need to input the whole path of the msi.
\\server1\activex\yourMSI.msi
0
 
CHI-LTDAuthor Commented:
hmm, access denied.
0
 
CHI-LTDAuthor Commented:
and that is using my account, a domain admin....
0
 
CHI-LTDAuthor Commented:
added authenticated users to share and NTFS side and can run/access it.  will see what happens...
0
 
McKnifeCommented:
This was expected. the psexec test uses the -s switch. That means, it is no longer executed as "you", the domain admin, but as the computeraccount (problemcomputer$).
0
 
CHI-LTDAuthor Commented:
okay do you think it will install now?
0
 
McKnifeCommented:
I don't see why not.
0
 
CHI-LTDAuthor Commented:
its there, well done!
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

  • 20
  • 13
Tackle projects and never again get stuck behind a technical roadblock.
Join Now