none
GPO Software Installation working on Windows 7 but not on Windows XP

    Question

  • I need to deploy an msi installation from Domain Controller Windows Server 2008 R2 Standard Editio to approx 500 PC´s. Is working perfectly in Windows 7 computers, but is not working at all in Windows XP computers.

    This are the steps I have done to make it work but still no luck:

    01- reboot several times and gpupdate/force
    02- install Group Policy Preference Client Side Extensions on XP computer
    03- update and re-sync w32tn
    04- redeploy
    05- try another msi installations
    06- check event viewer
    07- check rsop.msc
    08- compare clocks between the Server and the XP client
    09- install Microsoft FixIt related to Media Sensing 
    10- enable "Always wait for the network at computer startup and logon"

    All this steps were tested on different XP computers, so the problem is not an specific PC.

    Again: on Windows 7 computers work correctly, no problems. But in Windows XP computers is not working, as if no GPO is there.

    Thursday, February 28, 2013 7:58 PM

All replies

  • Are XPs and W7 in the same OU in AD?

    Do you have any Security Group filters on the GPO?

    Do you have any WMI filters on the GPO?

    If you run Group Policy Results against that computer is it even showing up as applicable GPO?

    Check the Event Viewer - Application in XP is there any reference that the GPO even attempted to install anything?


    • Edited by Brano Lukic Thursday, February 28, 2013 8:15 PM
    Thursday, February 28, 2013 8:14 PM
  • - YES,  XPs and W7 are in the same OU
    - YES, I didn´t add thw whole OU, I just added a few computers, some with XP and some W7
    - NO, I don´t have WMI filters
    - YES, after gpresult I can see the GPO says "Filtering: Not Applied (Empty)"
    - DON´T KNOW, I can see SceCli references in the Application part in Event Viewer, but I don´t know if it refers to this "soft installation" GPO or another GPO I also have to restrict end user permissions.


    Friday, March 01, 2013 12:24 PM
  • GPResult also Shows the originating DC. Are working and non working Computers pointing to different DCs? Is it a replication issue?

    SceCli is the security part of GPOs.


    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

    Friday, March 01, 2013 2:37 PM
  • Working and non working computers are pointing to 2 DC. I tested it in a few computers, and some W7 are pointing to DC1 and others to DC2. The same with XP computers. I don´t think this is a replation issue.

    Another "strange" thing, is that some XP after rebooting says "installing java 1.0.7.5" as if the GPO would be working, but after that I login and the java was not updated at all. And some XP directly does not say "installing", those continue the startup as usual, as if no GPO is there.

    Friday, March 01, 2013 2:56 PM
  • On a non working XP Computer, open up GPMC.MSC (Needs Installation of AdminPak.msi for 2003), create a RSOP Report from GPMC and check the Computer configuration part for applied and denied GPOs.

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

    Friday, March 01, 2013 3:04 PM
  • Now i can see what could be a problem

    If you go to a computer that's not working now (XP) and run "gpupdate /force" and do a reboot you will find probably that it will work.

    You need to turn off your Fast Logon Optimization fox XP.

    http://support.microsoft.com/kb/305293

    To turn off Fast Logon Optimization, you can use the following policy setting: 

    Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon

    Friday, March 01, 2013 3:47 PM
  • I have already done that, I mentioned in post:

    10- enable "Always wait for the network at computer startup and logon"

    Friday, March 01, 2013 3:51 PM
  • http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=112428

    Please verify if you have following keys

    • Per-machine registry hack as a policy via "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" with registry value "SyncForegroundPolicy"=dword:00000001
    • Per-machine registry hack via "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" with registry value "SyncForegroundPolicy"=dword:00000001
    • Per-user registry hack as a policy via "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" with registry value "SyncForegroundPolicy"=dword:00000001
    • Per-user registry hack via "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" with registry value "SyncForegroundPolicy"=dword:00000001
    Friday, March 01, 2013 3:59 PM
  • I did it on 3 diferent computers:

    ON XP that the startup continue, as if no GPO is there:

    Applied: - Default Domain Policy (this is another GPO)
    Denied: none

    -----------------------------------------------------------------

    ON XP that the startup says "installing java 1.0.7.5":

    Applied: - Default Domain Policy (this is another GPO)
                  - Software Deploy (this is the problematic GPO)
    Denied: none

    -----------------------------------------------------------------

    ON W7:

    Applied: - Default Domain Policy (this is another GPO)
                  - Software Deploy (this is the problematic GPO)
    Denied: none

    Friday, March 01, 2013 4:01 PM
  • I con go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT, there is no CurrentVersion folder in Windows NT.
    Friday, March 01, 2013 4:04 PM
  • Do you have a loopback policy enabled in that GPO?
    Friday, March 01, 2013 4:15 PM
  • NO, loopback in not enabled in the GPO.
    Friday, March 01, 2013 5:42 PM
  • Here is a great log on troubleshooting GP.

    You need to go through the Event Viewer - Application i think to find out what is going on.

    In XP "Application Managment" is the key word for software deployments i think see what you find in the logs.

    Under Event Viewer - System look for Netlogon errors, maybe the computer is not seeing the domain controlloer when is booting up.

    http://blogs.technet.com/b/gpguru/archive/2008/08/29/troubleshooting-group-policy-using-event-logs.aspx

    Friday, March 01, 2013 6:34 PM
  • Thanks Brano, I will take a look. 

    Another information: I found that some computers were not in the same OU, now I moved everyone in the same OU that the GPO has access.
    Now the GPO is applying in every XP. When the XP is the starting up  it says "installing java 1.0.7.5" but after that when I log in the java is not updated.

    Windows 7 computers (that are in the same OU with same permissions) continue installing properly.

    Friday, March 01, 2013 6:49 PM
  • News: checking the event viewer in an XP computer i see the "Application Management" shows this error "the installation source for this product is not aviable. Check if the source exist and if you have access". The msi file is in another server shared for everyone. My question is: everyone is referred to users in the Domain, if the software installation is taken during the windows startup, before user promt, which user do the computer use to go through the network and find the msi in another server? I think that the problem is there. Any ideas?
    Friday, March 01, 2013 7:27 PM
  • http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/3816efc7-255f-4f01-a71d-f27be627e439

    -      Everyone includes any security principal from the local domain, including guest accounts; any security principal from any trusted domain, including guest accounts, and the Anonymous logon system account (in Windows 2000). Windows Server 2003, Windows Server 2008 and Windows XP, as well) separates the Anonymous Logon system account from the Everyone group.

    -      Authenticated Users includes any security principal from the local domain, including guest accounts; any security principal from any trusted domain, including guest accounts, and does not include the Anonymous logon system account. Everyone is any user account from the domain and any trusted domain, including the Guest, IUSR & IWAM accounts. Authenticated User does not include Guest, IUSR & the IWAM accounts. The IUSR_ and IWAM_ accounts are members of Guests and Domain Users

    In the past when i did the deployments via GPO i always used "Authenticated Users" with Read and Execute for the permissionss.

    Since you are deploying that to the computers you could even use "Domain Computers" with Read and Execute on the share where the msi exists.

    Friday, March 01, 2013 7:53 PM
  • I added everyone, authenticated users, system, domain computers, a particular XP computer, all of them with share and NTFS full permissions. Still the same, no luck. I receive 3 Application Management errors in the event viewer in this order: 102, 303 and 108.  "the installation source for this product is not aviable. Check if the source exist and if you have access". The problem is the access from the computer to the server where the msi installation file is.
    What I don´t understand is why is working from W7, why W7 can access the 
     msi installation file and the XP cannot.
    Friday, March 01, 2013 8:42 PM
  • Pick one computer that doesn't work

    Run "gpupdate /force"

    delete all msi packages from "c:\windows\installer\"

    reboot

    Friday, March 01, 2013 9:02 PM
  • Did you add the package from a DFS-share?
    If so can you test from non DFS, add using "normal" UNC-path.

    Also make sure you have write permissions on the share and not just NTFS-security


    --
    Goran Johansson
    http://gjohansson.com/blog

    Saturday, March 02, 2013 1:27 PM
  • Brano, I don´t have the "installer" folder in C:\Windows
    Monday, March 04, 2013 12:56 PM
  • Yes the package has been added from DFS-share
    The permissions are OK in share AND NTFS, I added the same in both groups.

    I don´t understand what do you mean with this "If so can you test from non DFS, add using "normal" UNC-path." Can you explain please?

    Monday, March 04, 2013 12:57 PM
  • Enable hidden files and you should be able to find it.

    Monday, March 04, 2013 2:18 PM
  • I enable hidden and system protected files and now I see it. I eresa every file in the folder "installer" and still the same. I continue receiving  "the installation source for this product is not aviable. Check if the source exist and if you have access" in the Event Viewer.
    Monday, March 04, 2013 3:16 PM
  • In general there has been several issues with DFS and Windows XP so I would suggest that you try to install to Windows XP from a non DFS-share.

    --
    Goran Johansson
    http://gjohansson.com/blog

    Monday, March 04, 2013 3:46 PM
  • What do you mean when you say "non DFS-share" ? Can you give me an example please?
    Monday, March 04, 2013 3:57 PM
  • I am sorry, I said something wrong, the share is not a DFS-Share. Is a common share in a server.
    I did other tests:
    - I added the msi package in the DC instead of another server and still the same
    - I added the msi package directly in a non-working windows XP and it worked correctly. So the problem is the XP going to a server to find the msi.

    Monday, March 04, 2013 6:11 PM
  • Am 04.03.2013 16:16, schrieb Federico Guidoni:
    > I enable hidden and system protected files and now I see it. I eresa
    > every file in the folder "installer" and still the same. I continue
    > receiving  "the installation source for this product is not aviable.
    > Check if the source exist and if you have access" in the Event Viewer.
     
    Congratulations - from now on you will be unable to remove any piece of
    software that was installed through MSI technology. And you will be
    unable to upgrade any of them. Reinstalling the particular compuer is
    the only solution for what you did...
     
    Maybe, next time, better ask for a second opinion...
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Tuesday, March 05, 2013 9:25 PM
  • Am 01.03.2013 22:02, schrieb Brano Lukic:
    > delete all msi packages from "c:\windows\installer\"
     
    Worst advice I've seen for a long time... Totally useless, too. SCNR...
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Tuesday, March 05, 2013 9:26 PM
  • Am 01.03.2013 21:42, schrieb Federico Guidoni:
    > What I don´t understand is why is working from W7, why W7 can access
    > the  msi installation file and the XP cannot.
     
    XP and W7 behave differently in terms of "authentication to remote
    systems from system context" (search for "UseMachineID" for more
    details...). Grab sysinternals psexec, run "psexec -s cmd" and try to do
    a "dir" on the UNC path where your MSI resides.
     
    What happens?
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Tuesday, March 05, 2013 9:28 PM