GPO Software Installation working on Windows 7 but not on Windows XP
-
Thursday, February 28, 2013 7:58 PM
I need to deploy an msi installation from Domain Controller Windows Server 2008 R2 Standard Editio to approx 500 PC´s. Is working perfectly in Windows 7 computers, but is not working at all in Windows XP computers.
This are the steps I have done to make it work but still no luck:
01- reboot several times and gpupdate/force
02- install Group Policy Preference Client Side Extensions on XP computer
03- update and re-sync w32tn
04- redeploy
05- try another msi installations
06- check event viewer
07- check rsop.msc
08- compare clocks between the Server and the XP client
09- install Microsoft FixIt related to Media Sensing
10- enable "Always wait for the network at computer startup and logon"All this steps were tested on different XP computers, so the problem is not an specific PC.
Again: on Windows 7 computers work correctly, no problems. But in Windows XP computers is not working, as if no GPO is there.
All Replies
-
Thursday, February 28, 2013 8:14 PM
Are XPs and W7 in the same OU in AD?
Do you have any Security Group filters on the GPO?
Do you have any WMI filters on the GPO?
If you run Group Policy Results against that computer is it even showing up as applicable GPO?
Check the Event Viewer - Application in XP is there any reference that the GPO even attempted to install anything?
- Edited by Brano Lukic Thursday, February 28, 2013 8:15 PM
- Edited by Brano Lukic Thursday, February 28, 2013 8:15 PM
-
Friday, March 01, 2013 12:24 PM
- YES, XPs and W7 are in the same OU
- YES, I didn´t add thw whole OU, I just added a few computers, some with XP and some W7
- NO, I don´t have WMI filters
- YES, after gpresult I can see the GPO says "Filtering: Not Applied (Empty)"
- DON´T KNOW, I can see SceCli references in the Application part in Event Viewer, but I don´t know if it refers to this "soft installation" GPO or another GPO I also have to restrict end user permissions.
-
Friday, March 01, 2013 2:37 PM
GPResult also Shows the originating DC. Are working and non working Computers pointing to different DCs? Is it a replication issue?
SceCli is the security part of GPOs.
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating! -
Friday, March 01, 2013 2:56 PM
Working and non working computers are pointing to 2 DC. I tested it in a few computers, and some W7 are pointing to DC1 and others to DC2. The same with XP computers. I don´t think this is a replation issue.
Another "strange" thing, is that some XP after rebooting says "installing java 1.0.7.5" as if the GPO would be working, but after that I login and the java was not updated at all. And some XP directly does not say "installing", those continue the startup as usual, as if no GPO is there.
-
Friday, March 01, 2013 3:04 PMOn a non working XP Computer, open up GPMC.MSC (Needs Installation of AdminPak.msi for 2003), create a RSOP Report from GPMC and check the Computer configuration part for applied and denied GPOs.
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating! -
Friday, March 01, 2013 3:47 PM
Now i can see what could be a problem
If you go to a computer that's not working now (XP) and run "gpupdate /force" and do a reboot you will find probably that it will work.
You need to turn off your Fast Logon Optimization fox XP.
http://support.microsoft.com/kb/305293
To turn off Fast Logon Optimization, you can use the following policy setting:Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon
-
Friday, March 01, 2013 3:51 PM
I have already done that, I mentioned in post:
10- enable "Always wait for the network at computer startup and logon"
-
Friday, March 01, 2013 3:59 PM
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=112428
Please verify if you have following keys
- Per-machine registry hack as a policy via "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" with registry value "SyncForegroundPolicy"=dword:00000001
- Per-machine registry hack via "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" with registry value "SyncForegroundPolicy"=dword:00000001
- Per-user registry hack as a policy via "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" with registry value "SyncForegroundPolicy"=dword:00000001
- Per-user registry hack via "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" with registry value "SyncForegroundPolicy"=dword:00000001
- Edited by Brano Lukic Friday, March 01, 2013 4:01 PM
-
Friday, March 01, 2013 4:01 PM
I did it on 3 diferent computers:
ON XP that the startup continue, as if no GPO is there:Applied: - Default Domain Policy (this is another GPO)
Denied: none-----------------------------------------------------------------
ON XP that the startup says "installing java 1.0.7.5":
Applied: - Default Domain Policy (this is another GPO)
- Software Deploy (this is the problematic GPO)
Denied: none
-----------------------------------------------------------------
ON W7:
Applied: - Default Domain Policy (this is another GPO)
- Software Deploy (this is the problematic GPO)
Denied: none -
Friday, March 01, 2013 4:04 PMI con go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT, there is no CurrentVersion folder in Windows NT.
-
Friday, March 01, 2013 4:15 PMDo you have a loopback policy enabled in that GPO?
-
Friday, March 01, 2013 5:42 PMNO, loopback in not enabled in the GPO.
-
Friday, March 01, 2013 6:34 PM
Here is a great log on troubleshooting GP.
You need to go through the Event Viewer - Application i think to find out what is going on.
In XP "Application Managment" is the key word for software deployments i think see what you find in the logs.
Under Event Viewer - System look for Netlogon errors, maybe the computer is not seeing the domain controlloer when is booting up.
-
Friday, March 01, 2013 6:49 PM
Thanks Brano, I will take a look.
Another information: I found that some computers were not in the same OU, now I moved everyone in the same OU that the GPO has access.
Now the GPO is applying in every XP. When the XP is the starting up it says "installing java 1.0.7.5" but after that when I log in the java is not updated.Windows 7 computers (that are in the same OU with same permissions) continue installing properly.
-
Friday, March 01, 2013 7:27 PMNews: checking the event viewer in an XP computer i see the "Application Management" shows this error "the installation source for this product is not aviable. Check if the source exist and if you have access". The msi file is in another server shared for everyone. My question is: everyone is referred to users in the Domain, if the software installation is taken during the windows startup, before user promt, which user do the computer use to go through the network and find the msi in another server? I think that the problem is there. Any ideas?
-
Friday, March 01, 2013 7:53 PM
- Everyone includes any security principal from the local domain, including guest accounts; any security principal from any trusted domain, including guest accounts, and the Anonymous logon system account (in Windows 2000). Windows Server 2003, Windows Server 2008 and Windows XP, as well) separates the Anonymous Logon system account from the Everyone group.
- Authenticated Users includes any security principal from the local domain, including guest accounts; any security principal from any trusted domain, including guest accounts, and does not include the Anonymous logon system account. Everyone is any user account from the domain and any trusted domain, including the Guest, IUSR & IWAM accounts. Authenticated User does not include Guest, IUSR & the IWAM accounts. The IUSR_ and IWAM_ accounts are members of Guests and Domain Users
In the past when i did the deployments via GPO i always used "Authenticated Users" with Read and Execute for the permissionss.
Since you are deploying that to the computers you could even use "Domain Computers" with Read and Execute on the share where the msi exists.
-
Friday, March 01, 2013 8:42 PMI added everyone, authenticated users, system, domain computers, a particular XP computer, all of them with share and NTFS full permissions. Still the same, no luck. I receive 3 Application Management errors in the event viewer in this order: 102, 303 and 108. "the installation source for this product is not aviable. Check if the source exist and if you have access". The problem is the access from the computer to the server where the msi installation file is.
What I don´t understand is why is working from W7, why W7 can access the msi installation file and the XP cannot. -
Friday, March 01, 2013 9:02 PM
Pick one computer that doesn't work
Run "gpupdate /force"
delete all msi packages from "c:\windows\installer\"
reboot
-
Saturday, March 02, 2013 1:27 PM
Did you add the package from a DFS-share?
If so can you test from non DFS, add using "normal" UNC-path.Also make sure you have write permissions on the share and not just NTFS-security
--
Goran Johansson
http://gjohansson.com/blog -
Monday, March 04, 2013 12:56 PMBrano, I don´t have the "installer" folder in C:\Windows
-
Monday, March 04, 2013 12:57 PM
Yes the package has been added from DFS-share
The permissions are OK in share AND NTFS, I added the same in both groups.I don´t understand what do you mean with this "If so can you test from non DFS, add using "normal" UNC-path." Can you explain please?
-
Monday, March 04, 2013 2:18 PM
Enable hidden files and you should be able to find it.
-
Monday, March 04, 2013 3:16 PMI enable hidden and system protected files and now I see it. I eresa every file in the folder "installer" and still the same. I continue receiving "the installation source for this product is not aviable. Check if the source exist and if you have access" in the Event Viewer.
-
Monday, March 04, 2013 3:46 PMIn general there has been several issues with DFS and Windows XP so I would suggest that you try to install to Windows XP from a non DFS-share.
--
Goran Johansson
http://gjohansson.com/blog -
Monday, March 04, 2013 3:57 PMWhat do you mean when you say "non DFS-share" ? Can you give me an example please?
-
Monday, March 04, 2013 6:11 PM
I am sorry, I said something wrong, the share is not a DFS-Share. Is a common share in a server.
I did other tests:
- I added the msi package in the DC instead of another server and still the same
- I added the msi package directly in a non-working windows XP and it worked correctly. So the problem is the XP going to a server to find the msi. -
Tuesday, March 05, 2013 9:25 PMAm 04.03.2013 16:16, schrieb Federico Guidoni:> I enable hidden and system protected files and now I see it. I eresa> every file in the folder "installer" and still the same. I continue> receiving "the installation source for this product is not aviable.> Check if the source exist and if you have access" in the Event Viewer.Congratulations - from now on you will be unable to remove any piece ofsoftware that was installed through MSI technology. And you will beunable to upgrade any of them. Reinstalling the particular compuer isthe only solution for what you did...Maybe, next time, better ask for a second opinion...
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating! -
Tuesday, March 05, 2013 9:26 PMAm 01.03.2013 22:02, schrieb Brano Lukic:> delete all msi packages from "c:\windows\installer\"Worst advice I've seen for a long time... Totally useless, too. SCNR...
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating! -
Tuesday, March 05, 2013 9:28 PMAm 01.03.2013 21:42, schrieb Federico Guidoni:> What I don´t understand is why is working from W7, why W7 can access> the msi installation file and the XP cannot.XP and W7 behave differently in terms of "authentication to remotesystems from system context" (search for "UseMachineID" for moredetails...). Grab sysinternals psexec, run "psexec -s cmd" and try to doa "dir" on the UNC path where your MSI resides.What happens?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
.png)
