I recently upgraded my Domain from Windows 2003 R2 to Windows 2008 R2. In the past I have installed software via group policy using .msi files and I setup my installs from the netlogon share as follows \\mydomain.com\netlogon\Packages\installfile.msi. This worked fine on my 2003 domain controllers but now my 2008 R2 Domain controllers do not seem to allow this. On the client I get the following errors:
Event Type: Error
Event Source: Application Management
Event Category: None
Event ID: 102
Time: 9:11:04 AM
User: NT AUTHORITY\SYSTEM
The install of application SysAid Agent from policy "software" failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
From doing some research it looked like that the computer account did not have access to the netlogon share so I specifically gave the Domain Computers group security and share access but this did not have any affect on the problem.
I realize that it is not generally recomended to use Netlogon to push software packages but it always worked for me in the past and it is quite easy to do it this way. Any ideas on why this is not working anymore?
EricThursday, April 01, 2010 2:24 PM
If I create a share with the exact same share permissions and security permissions as the netlogon share it works just fine. It just will not run from the netlogon share which from what I can tell is an issue with a computer account accessing it.
Is there some sort of extra permissions and or controls on the sysvol share that can be changed?
EricThursday, April 01, 2010 7:02 PM
Thank you for posting in Windows Forum.
According to your description, I understand that you can not deploy application from the netlogon share through group policy.
As you are using netlogon folder as the shared folder to store .MSI files which is a DFS share. This issue might be caused that the permissions did not allow computer accounts to access the share.
1. Go to all replica DC's NETLOGON shares .
2. Ensure that computer accounts "Authenticated Users Group" was given read access to that share.
For your reference, you can refer to the following KB article:
278472 Packages Assigned to Computers with Group Policy Are Not Installed
This posting is provided "AS IS" with no warranties, and confers no rights.Friday, April 02, 2010 7:23 AM
I would not use the netlogon share, but create a new DFS for the application packages. Then you do not have to alter the permission at the netlogon share. That must be best practise ;-)
As Wilson says, Authenticated Users must have read access, so the computer account can read the source files.
Jens Ole Kragh MCITP, MCTS, MCT, Microsoft TechNet Influent Denmark http://jensolekragh.spaces.live.com/Friday, April 02, 2010 7:49 AM
Thanks for the suggestions. I did try and give the Authenticated Users group read access on the share and it did not have any affect on the problem. Also the everyone group has read already so I assume this included computer accounts. Is that correct?
This is a very odd issue. It seems like there is something besides share permissions and NTFS permissions that is stopping this from working. I can create a new share with the same share permissions and NTFS permissions and everything works find.
The reason I have not just created a new DFS share so far is that I have other software packages installed from this location. These also do not currently work but they did at one point.
I also forgot to add that Startup scripts that run from the same location run without any issues at all but software installs do not. From my understanding they both use the computer account. I am stumped........
EricFriday, April 02, 2010 12:55 PM
I'm trying to solve this problem since Monday and It's driving me mad.
I have migrated my plateform (Domain Controllers) last week from Win2003 to Win2008R2. I wanted to keep my File server under windows 2003 but it appears that by accessing the shares from the DC the browsing time into the directory onto my DFS shares was terrible from the DC (no problem from my XP and 2003 clients). Any share from a windows 2008 server was working perfectly. I supposed that it was coming from the fact that my file server was not under Win2008 (I found nothing which correspond to my problem on the net). I also supposed that the problem of software installation from my group policy (which was working perfectly on my win2003 domain and not anymore after migration - same problem as yours) was related. I tried to deploy application from a share located on a Win2008 File Server, but I still have the same issue as yours. Playing with the ntfs and sharing rights didn't help.
Please share if you find a solution, I'll do the same if I succeed.
SébastienFriday, April 02, 2010 3:20 PM