Active Directory

Mark Warren🇺🇸

In AD Group Policy, how do you install a new application to computers that are already joined to the Domain and are in the OU where the group policy installation policy has already been attached?

When creating a new installation policy on an Active Directory Domain and applying the policy to a specific Organizational Unit, a computer that is not a member of the domain is joined to the Domain and then moved to the specific Organizational Unit that has the policy attached to it.  In this scenario, installation is achieved fine.


If existing Active Directory Domain computers need the same installation and are moved to the Organizational Unit containing the same installation, installation doesn't occur unless the Active Directory Domain computer is removed from the Domain and rejoined to the Domain.


How do you accomplish group policy installation of software on existing Domain computers without first having to take them off the Domain and rejoin them to the Domain?


It makes no difference whether I run gpupdate /force or not or restart the computer.   How do you install a new application to computers that are already joined to the Domain and are in the OU where the installation policy has already been attached?


McKnife🇩🇪

There's no trick. For us it just works.
Some people have problems with PCs that boot very fast since those are not network-ready at the point in time when they should start installing.

Provide the application log entries that accompany the installation failures, please.

You could solve it quickly using scheduled tasks. Tasks can be deployed by GPO and simply install the MSI during normal operation. That works as long as the application is not in use.

Mark Warren🇺🇸

ASKER

Can you point me to any read articles on how to deploy tasks through group policy if you think that will help?  We are a public elementary school in which it is difficult for young students to run any "gpupdates" themselves and we don't give them admin rights to their laptops.  They need, in this case, testing software to just install through a restart.  At the beginning of the school year, the installation policies are created at the servers first, then student laptops are joined to the Domain second, and the installation usually works.  Once imaged and joined to the Domain, we as a staff don't touch students' laptops or see them for nine months or so, and these tests don't become available until a few months after we have already dispersed the computers, but we need to have these tests installed and it isn't working until we take computers off the Domain and rejoin them.  I would like to explore tasks as a possibility.

McKnife🇩🇪

See this tutorial: https://woshub.com/scheduled-task-gpo/ but make sure to use the section "computer configuration", not "user configuration" and link the GPO to a test-OU with a test computer object (not a user object).

Make it an "immediate task (at least Windows 7)", which implies that it runs only once (and does not install again and again).
As executor, use "system".
As task action, use
msiexec.exe /i \\server\share\some.msi /quiet /norestart


That task will apply at the next GPO background refresh, which occurs about every 90 minutes plus/minus 20 minutes randomization (can of course be sped up by using gpupdate /target:computer on an elevated command prompt).

It will install the software quietly (invisible for the user).
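As an added example (not part of McKnife's post or the linked tutorial): a wrapper script the immediate task could run as SYSTEM instead of calling msiexec directly. It waits for the share on fast-booting machines, refuses to install an MSI whose SHA-256 does not match the approved one, and keeps a verbose log. The parameter names, the hash placeholder, the log location and the timeout are assumptions; the share has to be readable by the computer accounts and writable only by administrators, since whatever sits at that path runs as SYSTEM.

```powershell
# Added example: wrapper for the GPO immediate task (executor: SYSTEM).
# Hypothetical names and values: parameters, hash placeholder, log files, timeout.
param(
    [string]$MsiPath        = '\\server\share\some.msi',      # path as written in the post
    [string]$ExpectedSha256 = '<SHA256-OF-APPROVED-MSI>',     # placeholder, fill in
    [string]$LogDir         = "$env:windir\Temp",
    [int]$MaxWaitSeconds    = 300
)

$taskLog = Join-Path $LogDir 'gpo-msi-task.log'
$msiLog  = Join-Path $LogDir 'gpo-msi-install.log'

function Write-TaskLog([string]$Message) {
    Add-Content -LiteralPath $taskLog -Value "$(Get-Date -Format o) $Message"
}

# Fast-booting PCs may not be network-ready yet: poll until the share answers.
# SYSTEM reaches the share as the computer account, so that account needs read access.
$deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
while (-not (Test-Path -LiteralPath $MsiPath)) {
    if ((Get-Date) -gt $deadline) {
        Write-TaskLog "share not reachable: $MsiPath"
        exit 1
    }
    Start-Sleep -Seconds 10
}

# Install only the package that was approved; a swapped or stale file is rejected.
$actual = (Get-FileHash -LiteralPath $MsiPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Write-TaskLog "hash mismatch for $MsiPath (got $actual), not installing"
    exit 2
}

# Same switches as in the post, plus /l*v for a verbose Windows Installer log.
$msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart', '/l*v', "`"$msiLog`"")
$proc = Start-Process -FilePath "$env:windir\System32\msiexec.exe" `
                      -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but reboot required, 1618 = another install running.
Write-TaskLog "msiexec exit code $($proc.ExitCode)"
exit $proc.ExitCode
```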


Philip Elder🇨🇦

When the computer gets moved into the requisite OU make sure to run:

GPUpdate /Force

Once that's complete, reboot the computer and the software should install.


If it doesn't, check that computer's Event Logs under Administration and there should be a specific error listed for the "why" it doesn't install.


This sounds like it thinks it has deployed the software so it won't try it again.  You need to remove the registry entry for the specific app so it will retry.  I'd obviously suggest testing this on a couple of machines before rolling out across them all.  
Open regedit and browse to HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt.
Check each entry under here and view the Deployment name for the GPO you require.
Delete the relevant entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt.
Force a gpupdate (gpupdate /force) and reboot.  It should then redeploy the software.

Provided the entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt is the same on a couple of clients you can be sure that it is the same across the board.  You can then do some funky stuff with GPP, for instance to see if the executable related to the app exists and if not to delete the relevant entry.
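The inspection described in the post above, as an added read-only example that is not part of the original answer: it lists every AppMgmt entry and flags those whose product has no matching entry in the Uninstall keys, i.e. machines where Group Policy believes the package is deployed but it is not installed. It assumes each AppMgmt subkey carries `Deployment Name`, `GPO Name` and `Product ID` values, and that `Product ID` is the MSI product code used as the Uninstall subkey name.

```powershell
# Added example: report AppMgmt entries whose product is not actually installed.
# Assumed value names: 'Deployment Name', 'GPO Name', 'Product ID'.
$appMgmt = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt'
$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-AppMgmtState {
    # No AppMgmt key means no software installation policy was ever processed here.
    if (-not (Test-Path -LiteralPath $appMgmt)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $appMgmt) {
        $productId = $key.GetValue('Product ID')
        $installed = $false
        if ($productId) {
            # Check both the native and the 32-bit view of the Uninstall key.
            foreach ($root in $uninstallRoots) {
                if (Test-Path -LiteralPath (Join-Path $root $productId)) {
                    $installed = $true
                }
            }
        }
        [pscustomobject]@{
            DeploymentName = $key.GetValue('Deployment Name')
            GpoName        = $key.GetValue('GPO Name')
            ProductId      = $productId
            Installed      = $installed
            KeyPath        = $key.PSPath   # the entry the post suggests deleting
        }
    }
}

# Entries that policy considers deployed although the product is missing.
$stale = @(Get-AppMgmtState | Where-Object { -not $_.Installed })
$stale | Format-Table DeploymentName, GpoName, ProductId -AutoSize
"{0} stale AppMgmt entr{1} on {2}" -f $stale.Count,
    $(if ($stale.Count -eq 1) { 'y' } else { 'ies' }), $env:COMPUTERNAME
```

Run it elevated on a couple of test clients first; `KeyPath` identifies the entry to delete if you then follow the post's steps.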

Mark Warren🇺🇸

ASKER

I have not been able to update this for a while, but problems still remain in trying to roll testing software out to users.  I have tried creating a separate OU and moving a test computer to that with the policy and adding a startup script in the policy to force the installation.  Gpupdate /force doesn't make any difference and when I run gpresult /h it shows the installation as successful but the software is not listed in the list of programs installed and doesn't install.  As I said, I have been trying to add a script during startup to this policy.  Would this script need to be added to the scripts in SYSVOL and the policy pointing to the server path for the script through all of the domain controllers and would this potentially solve my issue?  The policy will work if the computer is taken off of the domain and rejoined, but I can't collect every computer to do this.  It is impractical to collect 100 computers and do this manually.  Any other ideas would be welcome.  Thanks.


This sounds more like the actual software install method is failing as opposed to the GPO.  Is the software an MSI?  If you look in the c:\windows\temp folder there may be an install log created in there that may help you troubleshoot.  First off I would try installing the software manually by using a command line and running msiexec /i <path to msi file> and see if this works.  Where is the path for the software source that you are trying to deploy via GPO?  If it is a mapped drive, does that drive exist when the install happens?  (If it is a computer based policy then it may not exist and you will need to provide the UNC path in the GPO.)

Are you able to show the settings in the GPO for the software install so we can check that it looks ok?

ASKER CERTIFIED SOLUTION
McKnife🇩🇪

Mark Warren🇺🇸

ASKER

Another contributor suggested the steps listed at:  https://woshub.com/scheduled-task-gpo/.  As I set this policy up under Computer Configuration (see attached), could I run the task listed in this article and include it with the policy to accomplish what I am trying to do?
Installation-Policy1.png
Installation-Policy2.png

McKnife🇩🇪

You could!


Mark Warren🇺🇸

ASKER

Under the DOMAIN\administrator account, msiexec /i <path to MSI file> does install the package.  The path is \\10.0.6.5\kite23\KiteStudentPortal.msi and it does work.  Can I add this in some way through Computer Configuration in the policy?  Here is a copy of the gpresult /h for you to see.
report.html

Mark Warren🇺🇸

ASKER

For McKnife.  Would I run this as %LoginDomain%\%LogonUser% like it says or as NT Authority\System if I do it through Computer Configuration scheduler or User Configuration scheduler if I use the task scheduler?  What would be the syntax for the NT Authority\System entry?  The policy is presently set up through Computer Configuration and everything is successful as far as the *.msi file is concerned.

McKnife🇩🇪

As said, use computer config and set the executor to system. There's no syntax, just write system.
