Help with Deploying software through GPO

Can some please explain to me this!!! I have an OU with 25 client I have crated GPO deploying small MSI plug in for an application, what I can’t explain is half of client the software is there and the other half is not. We have win 2000 DC and XP clients I have created the GPO 5 days ago surely it should filter by know. I tried to force the client by running gpupdate /force switch, I get message saying “computer policy refresh has completed, I restarted the machine steal I can’t see the software what am I missing here? any help with this issue is greatly appreciated

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

dynamik

Run gpresult or RSoP to check group policy settings.

TechStriker

Thanks dynamik for your quick reply do run the gpresult on all the client with out the software or can I do it on the server (My server is win2000).

Thanks

undomiel

Just pick one problem client and run gpresult and see whether it shows your GPO being applied or not. Also don't forget to check your error logs to see if the client is having problems with group policy period.

gojericho0

if you have win2000 i believe you can only run it on the client.

You can then see what policies are applied

TechStriker

Thanks guys

I have just run gpresult on one of my client and it shows me the GPO has applied from one of member DC not the DC I have created with the policy is this problem? Even though it shows it has applied the policy but the software is not there and i had a look the log files i can't see any thing relating to this GPO.

undomiel

Userenv logging is where I would turn to next.

http://support.microsoft.com/kb/221833

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Add DWORD UserEnvDebugLevel
0x00030002

Do this on one of the problem machines and check the userenv log in c:\windows\Debug\UserMode\Userenv.log

Look for the section where the GPO is being applied and see if there are any meaningful errors around there.

You may also want to make sure that these clients have access to where the MSI file is being stored. If they can't access it that could be causing it to fail but still show up as applied.

gojericho0

TechStriker wrote:

Thanks guys

I have just run gpresult on one of my client and it shows me the GPO has applied from one of member DC not the DC I have created with the policy is this problem?

No this is not a problem because group policy is replicated to all dcs.

I would also run gpotool on your PDC just to make sure there is not a version mismatch between your AD and SYSVOL version numbers. If there is you have similar symptoms to what you are describing

TechJunky

I am having the same problem.

I attached the GPO to one computer/user to make sure it works first before deploying to all computers.

I ran gpresult on the computer and it doesnt have the GPO applied. I have ran gpupdate /force on both the DC and the computer that the GPO is assigned to.

Any ideas why the GPO would not apply? It isnt in the "GPO was not applied because it was filtered out" list either. It's just like it is non existant. Any ideas?

I have already tried logging off of the workstation and logging back on.

Thanks.

TechStriker

I did as undomiel suggested checked event viewer and usernv log on one of the problem machines and found this error
(Windows cannot obtain the domain controller name for your computer network the domain either does not exist or could not be contacted) Group Policy processing aborted.

This is my problem and steal researching for soloution, ……> undomiel what do you think could be the issues, all the problem machines are memeber of the domain I can manage them through AD no issues.

sprkymrk

TechJunky wrote:

I attached the GPO to one computer/user to make sure it works first before deploying to all computers.

Hi TechJunky,

What do you mean when you say you attached the GPO to one computer/user? I am guessing you mean that you created an OU and placed a single computer and a single user in it?

gojericho0

TechStriker wrote:

(Windows cannot obtain the domain controller name for your computer network the domain either does not exist or could not be contacted) Group Policy processing aborted.

It could be DNS, if you do an nslookup on your FQDN does it resolve all the IP addresses correctly?

undomiel

Do these computers have a 1 gig NIC on them? Group policy may be processing before the NICs are online. I had that problem here and it was a royal pain to track down. Make sure you have set always wait for the network at computer startup and logon group policy. But sometimes that isn't enough, so bump up the GP Network Start Timeout policy. Mine's at 60 seconds which seems to work just fine over here.

TechStriker

I did an nslookup on my FQDN it resolved all the IP addresses correctly with the problem machines.

My issues is GP Network Start Timeout policy Event ID: 1054
Source: Userenv as undomiel pointed out exactly again

I found this fix http://support.microsoft.com/kb/840669 I am in the process of applying this fix by GPO.

Thanks guys for all your help

mrx9000

Perhaps this guide written by a friend would be useful:

Deploying Software via Group Policy

Deployment of software via Group Policy is an effective way of installing software to PC’s. The software can be targeted, installed, patched and removed centrally. The Windows Installer technology is used for this task. It provides a common way of installing packages to PC’s. A software package to be deployed via Group Policy needs to come with an MSI file. Normally these are included in the latest packages but there are various tools available to create custom MSI files. Software companies sometimes supply tools to create custom MSI and MST files.

An MST transform file holds a collection of changes applied to an installation. By applying a transform to a base installation package, the installer can add or replace data in the installation database. The installer can only apply transforms during an installation. An MST file will for example, automatically accept EULA agreements.

MSI package – Acrobat Reader example
As an example we will create a Group Policy to automatically distribute Adobe Acrobat Reader 6 to PC’s. These steps will only differ in how the MSI package is created/obtained.

Download the full install of Acrobat Reader 6.01 from Adobe. Obtain the MSI package by running the “AdbeRdr60_enu_full.exe” file. It will start to recompose the data. Once you are presented with the Adobe Acrobat Reader 6.0.1 Setup dialog window click Cancel and end setup. Now browse to the following location: -

C:\WINNT\Cache\Adobe Reader 6.0.1\ENUBIG
or
C:\WINDOWS\Cache\Adobe Reader 6.0.1\ENUBIG

Copy or move the ENUBIG folder to SERVER\SHARE$\ then rename the “ENUBIG” folder at its new location to “Acrobat Reader 6”

Notice that the folder contains various files, one of which is the MSI files, called “Adobe Reader 6.0.1.msi”. Also notice the MST file called “Rdr60.mst”.

Creation of Group Policy
Because we want to distribute software by computer rather than user (so that the software remains on the PC for ALL users to use and will remain on the PC as long as that PC continues to be a member of that software group), we locate the deployment groups in the relevant OU.

In Active Directory Users and Computers, right-click on the relevant OU and Create a new Group.

Group Name: GPO-Acrobat6-Reader
Make it a Global group
Select the type as Security

Right-click relevant OU and select Properties
Click the Group Policy tab
Select New Policy and name the group “Deploy Acrobat6 Reader” (i.e. what the policy actually does).

Highlight “Deploy Acrobat6 Reader” policy and select Properties
Important: As this is a Computer policy and not a User policy we need to tick “Disable User Config Settings” check box.

Now goto the Security tab.

Important: Highlight “Authenticated Users” and untick “Apply Group Policy”. If it is left ticked then ALL PC’s that are in the AD will have Acrobat Reader deployed to them!

What we want to do is only deploy to PC’s that are members of the Acrobat Reader 6 group. To do this we now need to click Add and select the GPO-Acrobat6-Reader group we created earlier. Now tick Apply Group Policy against this group. Click OK.

Now select Edit and browse to Computer Configuration > Software Settings and right-click on Software Installation and create a new Package.

Browse to SERVER\SHARE$\Acrobat Reader 6 and select the MSI file.

As this is a Computer policy select Advanced checkbox.

Select the Deployment tab and tick “Uninstall if it comes out of scope”. What this means is that if the computer is no longer a member of the GPO-Acrobat6-Reader group then Acrobat Reader 6 will be uninstalled from that machine.

Select the Modification tab and Add the MST file (same location as the Acrobat Reader MSI file).

Test package
Test the new package on a test machine before deployment in the wild. Try various scenarios, e.g. deploying over an older version of the software. Turning the machine off during deployment. Using the software logged on as a normal user account. Once you are satisfied with the package it is important to contact users prior to deployment so that they are aware what you are installing, that their PC will take longer to boot-up whilst the package is being deployed for the first time and to arrange a suitable time this can actually take place.