    GPO Software Deployment Woes

    • anthonyhA
      anthonyh
      last edited by

      To add:

      When using the Effective Access feature of Advanced Security Settings for the share, if I specify the user/group of "Authenticated Users", it shows success for the various execute and read permissions. If I do the same for "Domain Computers", it shows no access at all. Though my understanding is that "Authenticated Users" is supposed to encompass computer accounts as well and supersede "Domain Computers", but it is odd nonetheless since I explicitly give "Domain Computers" read/execute just like "Authenticated Users".

      wrx7mW 1 Reply Last reply Reply Quote 1
      • wrx7mW
        wrx7m @anthonyh
        last edited by

        @anthonyh said in GPO Software Deployment Woes:

        To add:

        When using the Effective Access feature of Advanced Security Settings for the share, if I specify the user/group of "Authenticated Users", it shows success for the various execute and read permissions. If I do the same for "Domain Computers", it shows no access at all. Though my understanding is that "Authenticated Users" is supposed to encompass computer accounts as well and supersede "Domain Computers", but it is odd nonetheless since I explicitly give "Domain Computers" read/execute just like "Authenticated Users".

        That is correct. Domain computers are included in Authenticated Users.

        anthonyhA 1 Reply Last reply Reply Quote 0
        • anthonyhA
          anthonyh @wrx7m
          last edited by

          @wrx7m said in GPO Software Deployment Woes:

          @anthonyh said in GPO Software Deployment Woes:

          To add:

          When using the Effective Access feature of Advanced Security Settings for the share, if I specify the user/group of "Authenticated Users", it shows success for the various execute and read permissions. If I do the same for "Domain Computers", it shows no access at all. Though my understanding is that "Authenticated Users" is supposed to encompass computer accounts as well and supersede "Domain Computers", but it is odd nonetheless since I explicitly give "Domain Computers" read/execute just like "Authenticated Users".

          That is correct. Domain computers are included in Authenticated Users.

          Thanks for the confirmation!

          1 Reply Last reply Reply Quote 0
          • wrx7mW
            wrx7m
            last edited by

            Are your GPOs working now?

            anthonyhA 1 Reply Last reply Reply Quote 0
            • anthonyhA
              anthonyh @wrx7m
              last edited by

              @wrx7m said in GPO Software Deployment Woes:

              Are your GPOs working now?

              Nope, as that's the permissions I've had set when this started. I'm really pulling my hair out on this one...

              wrx7mW 1 Reply Last reply Reply Quote 0
              • wrx7mW
                wrx7m @anthonyh
                last edited by

                @anthonyh said in GPO Software Deployment Woes:

                @wrx7m said in GPO Software Deployment Woes:

                Are your GPOs working now?

                Nope, as that's the permissions I've had set when this started. I'm really pulling my hair out on this one...

                What does the security filtering look like for the GPO? If you removed authenticated users from there, you need to make sure that you add it as read in the delegation tab.

                anthonyhA 1 Reply Last reply Reply Quote 0
                • anthonyhA
                  anthonyh @wrx7m
                  last edited by

                  @wrx7m said in GPO Software Deployment Woes:

                  @anthonyh said in GPO Software Deployment Woes:

                  @wrx7m said in GPO Software Deployment Woes:

                  Are your GPOs working now?

                  Nope, as that's the permissions I've had set when this started. I'm really pulling my hair out on this one...

                  What does the security filtering look like for the GPO? If you removed authenticated users from there, you need to make sure that you add it as read in the delegation tab.

                  The security filtering has both "Authenticated Users" and "Domain Computers" listed (I added Domain Computers after the fact in desperation). The Delegation tab has them both listed as well as "Read (from Security Filtering)".

                  The GPOs are running, it's the install that fails with error 1612.

                  I need to figure out how to see if the GPO is actually trying to grab the files or not. And if it is and failing, why...

                  1 Reply Last reply Reply Quote 0
                  • wrx7mW
                    wrx7m
                    last edited by

                    @anthonyh said in GPO Software Deployment Woes:

                    error 1612

                    Just to confirm, the share that the GPO is pointing to, has read permissions set for authenticated users all the way down to the msi file, right?

                    anthonyhA 1 Reply Last reply Reply Quote 0
                    • anthonyhA
                      anthonyh @wrx7m
                      last edited by

                      @wrx7m said in GPO Software Deployment Woes:

                      @anthonyh said in GPO Software Deployment Woes:

                      error 1612

                      Just to confirm, the share that the GPO is pointing to, has read permissions set for authenticated users all the way down to the msi file, right?

                      Using the files from the example GPO information I posted earlier:

                      Authenticated Users, Domain Computers, and even Everyone has read & execute set for the root folder (gposw). The share permissions are set to Everyone with Full Control.

                      The subfolder eset is inheriting these permissions properly (at least per the Advanced Security Settings dialog box).

                      The file eea_nt64_enu_6.6.2089.2.msi is inheriting the expected permissions as well.

                      1 Reply Last reply Reply Quote 0
                      • wrx7mW
                        wrx7m
                        last edited by

                        Hmmm. What if you create a new share and see if that works?

                        anthonyhA 1 Reply Last reply Reply Quote 0
                        • anthonyhA
                          anthonyh @wrx7m
                          last edited by

                          @wrx7m said in GPO Software Deployment Woes:

                          Hmmm. What if you create a new share and see if that works?

                          Yeah, that's an option. I may try this first to see if I can get some clarification on if it's even attempting to hit the share first...

                          https://www.rootusers.com/configure-file-access-auditing-in-windows-server-2016/

                          wrx7mW 1 Reply Last reply Reply Quote 0
                          • wrx7mW
                            wrx7m @anthonyh
                            last edited by

                            @anthonyh Have you created a new GPO from scratch too?

                            anthonyhA 1 Reply Last reply Reply Quote 0
                            • anthonyhA
                              anthonyh @wrx7m
                              last edited by

                              @wrx7m said in GPO Software Deployment Woes:

                              @anthonyh Have you created a new GPO from scratch too?

                              No, that's something to test too.

                              I'd really like to get these existing Software Installation GPOs working if at all possible. I imagine there will be some havoc if I delete and re-create them...

                              1 Reply Last reply Reply Quote 0
                              • anthonyhA
                                anthonyh
                                last edited by

                                Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.

                                So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewhere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.

                                What the heck?!

                                I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?

                                dbeatoD 1 Reply Last reply Reply Quote 0
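
Added example, not part of the original thread: a read-only PowerShell check that lists the msiFileList value stored for every GPO software installation package and tests whether each recorded path still resolves, so stale references to an old server stand out. It assumes the RSAT ActiveDirectory and GroupPolicy modules, that packages are stored as packageRegistration objects under CN=Policies,CN=System, and that msiFileList entries have the form `0:\\server\share\file.msi`.

```powershell
# Added example: inventory the MSI source paths recorded in AD for GPO
# software installation packages. Read-only; nothing is modified.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# Assumption: each deployed package is a packageRegistration object
# somewhere beneath the Policies container.
$packages = Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDN" `
    -LDAPFilter '(objectClass=packageRegistration)' `
    -Properties displayName, msiFileList

$report = foreach ($pkg in $packages) {
    # The owning GPO's GUID is the container directly under CN=Policies.
    $gpoName = '(unknown)'
    if ($pkg.DistinguishedName -match 'CN=(\{[^}]+\}),CN=Policies,') {
        $gpo = Get-GPO -Guid $Matches[1] -ErrorAction SilentlyContinue
        if ($gpo) { $gpoName = $gpo.DisplayName }
    }

    foreach ($entry in $pkg.msiFileList) {
        # Assumption: entries look like "0:\\server\share\dir\file.msi";
        # strip the leading index to get the UNC path.
        $path = $entry -replace '^\d+:', ''

        $server = $null
        if ($path -match '^\\\\([^\\]+)\\') { $server = $Matches[1] }

        [pscustomobject]@{
            GPO       = $gpoName
            Package   = $pkg.displayName
            Server    = $server
            MsiPath   = $path
            # Tested as the account running this script, not as the
            # client's computer account that performs the install.
            Reachable = Test-Path -LiteralPath $path
        }
    }
}

# Per-package detail, then a count of packages per file server so that
# references to a retired host are easy to spot.
$report | Sort-Object GPO, Package | Format-Table -AutoSize -Wrap
$report | Group-Object Server | Select-Object Name, Count
```

A path that shows as reachable here only proves the admin account can read it; computer-assigned installs read the share as the computer account, which is why the share and NTFS permissions discussed above still matter.
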
                                • dbeatoD
                                  dbeato @anthonyh
                                  last edited by

                                  @anthonyh said in GPO Software Deployment Woes:

                                  Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.

                                  So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewhere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.

                                  What the heck?!

                                  I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?

                                  For the heck of it, do you get to access the share while on Windows Explorer?

                                  anthonyhA 1 Reply Last reply Reply Quote 0
                                  • anthonyhA
                                    anthonyh @dbeato
                                    last edited by

                                    @dbeato said in GPO Software Deployment Woes:

                                    @anthonyh said in GPO Software Deployment Woes:

                                    Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.

                                    So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewhere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.

                                    What the heck?!

                                    I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?

                                    For the heck of it, do you get to access the share while on Windows Explorer?

                                    Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.

                                    dbeatoD 1 Reply Last reply Reply Quote 0
                                    • dbeatoD
                                      dbeato @anthonyh
                                      last edited by

                                      @anthonyh said in GPO Software Deployment Woes:

                                      @dbeato said in GPO Software Deployment Woes:

                                      @anthonyh said in GPO Software Deployment Woes:

                                      Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.

                                      So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewhere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.

                                      What the heck?!

                                      I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?

                                      For the heck of it, do you get to access the share while on Windows Explorer?

                                      Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.

                                      Yes, I was typing this before:

                                      “
                                      Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes”

                                      anthonyhA 1 Reply Last reply Reply Quote 0
                                      • anthonyhA
                                        anthonyh @dbeato
                                        last edited by

                                        @dbeato said in GPO Software Deployment Woes:

                                        @anthonyh said in GPO Software Deployment Woes:

                                        @dbeato said in GPO Software Deployment Woes:

                                        @anthonyh said in GPO Software Deployment Woes:

                                        Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.

                                        So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewhere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.

                                        What the heck?!

                                        I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?

                                        For the heck of it, do you get to access the share while on Windows Explorer?

                                        Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.

                                        Yes, I was typing this before:

                                        “
                                        Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes”

                                        No, I haven't tried that. Can you delete and re-add software packages to the GPO without it triggering an attempt to re-install them? I want to avoid triggering all of my clients to re-install everything and then wig out because it's all already installed...if that makes sense.

                                        dbeatoD 1 Reply Last reply Reply Quote 0
                                        • dbeatoD
                                          dbeato @anthonyh
                                          last edited by

                                          @anthonyh said in GPO Software Deployment Woes:

                                          @dbeato said in GPO Software Deployment Woes:

                                          @anthonyh said in GPO Software Deployment Woes:

                                          @dbeato said in GPO Software Deployment Woes:

                                          @anthonyh said in GPO Software Deployment Woes:

                                          Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.

                                          So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewhere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.

                                          What the heck?!

                                          I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?

                                          For the heck of it, do you get to access the share while on Windows Explorer?

                                          Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.

                                          Yes, I was typing this before:

                                          “
                                          Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes”

                                          No, I haven't tried that. Can you delete and re-add software packages to the GPO without it triggering an attempt to re-install them? I want to avoid triggering all of my clients to re-install everything and then wig out because it's all already installed...if that makes sense.

                                          You can do this
                                          https://support.microsoft.com/en-us/help/2395088/how-to-change-the-msi-file-location-in-the-software-deployment-gpo-mut

                                          Or redeploy the application, I assume you have set the Package to uninstall when it falls out of the scope?

                                          anthonyhA 1 Reply Last reply Reply Quote 0
                                          • anthonyhA
                                            anthonyh @dbeato
                                            last edited by

                                            @dbeato said in GPO Software Deployment Woes:

                                            @anthonyh said in GPO Software Deployment Woes:

                                            @dbeato said in GPO Software Deployment Woes:

                                            @anthonyh said in GPO Software Deployment Woes:

                                            @dbeato said in GPO Software Deployment Woes:

                                            @anthonyh said in GPO Software Deployment Woes:

                                            Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.

                                            So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewhere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.

                                            What the heck?!

                                            I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?

                                            For the heck of it, do you get to access the share while on Windows Explorer?

                                            Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.

                                            Yes, I was typing this before:

                                            “
                                            Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes”

                                            No, I haven't tried that. Can you delete and re-add software packages to the GPO without it triggering an attempt to re-install them? I want to avoid triggering all of my clients to re-install everything and then wig out because it's all already installed...if that makes sense.

                                            You can do this
                                            https://support.microsoft.com/en-us/help/2395088/how-to-change-the-msi-file-location-in-the-software-deployment-gpo-mut

                                            Or redeploy the application, I assume you have set the Package to uninstall when it falls out of the scope?

                                            That link is the exact article I followed.

                                            Some are set to uninstall when out of scope, some are not.

                                            1 Reply Last reply Reply Quote 1