GPO to install software

[KRPGroup]

Just wondering what account is used to install the package when using a GPO to push it out.

In the GPO under Computer Cfg I added a package to a share that was wide open (Authenticated Users) and it worked fine.

Since it was installed before a user logs on I assumed it would be a Domain Admin account used to push it to the computer. So I thenrestricted access to the top folder of the share to not include Authenticated users:

Local Admin = Full
Domain Admin = Full
System = Full
IT Dept = Full

But when I try to run the GPO again it fails with the error

The installation source for this product is not available. Verify that the source exists and that you can access it.

As soon as I add Authenticated Users with:
Read & Exe
List Folder
Read
It installs

My goal was to place this software in a share that staff couldn't just browse to or in as we may not want all staff to have it.

any suggestions on how to do this and what account if any can i specify to restrict access.

 

[58sniper]

Make sure that DOMAIN COMPUTERS has READ rights to the share point holding the deployment package.

Also make sure that the package is pointing to a network share, and not a local drive.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[drew1701d]

Also make sure on the workstation group policy configuration that "Always Install With Elevated Privileges" is enabled. Found under Computer Configuration\Administrative Templates\Windows Components\Windows Installer.

This setting also should be enabled under the user configuration to be totally effective, test it without it enabled under user configuration first as this does add a security risk if you have malicious users.

"I'm certifiable, not certified. It just means my answers are from experience...not a book

 

[58sniper]

Also check out the Application Deployment forum here

http://www.tek-tips.com/threadminder.cfm?pid=733

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[KRPGroup]

Should the share be on a Domain Controller?? I currently have it running on a Member server Win2003. And I keep getting errors that doesn't make sense.

Like "Install source not availble..." or "Fatal error" during install whether I try and run it as a Computer or User GPO. I have tested that even regular user can connnect to the exact UNC and manually run the msi and install the application.

 

[KRPGroup]

Also I do have 2 other GPOs that install DotNet.1.1 and Mitel YourAssistant successfully from the same share location.
I have check the permission on the working folder and they are matching the prog I am having trouble with.

The structure of the folder system where I keep all the install programs is as follows

\\Server\Share$\SoftwareApp\*.MSI

Permissions
Share$ (SharePermissions) - Authenticated Users = Full
(Security) - Athenticated Users = Transverse, Read Atributes, Read Ext Attributes, Read permission
SoftwareApp (Security) - Athenticated Users = Transverse, List Folder, Read Atributes, Read Ext Attributes, Read permission

The idea here was to allow staff into only the folders where the softwareApplication is.

 

[58sniper]

If it's a deployment, make sure that the DOMAIN COMPUTERS have both SHARE and NTFS rights.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt