GPO creating for MSI via Active Directory


El Tigre

Jul 11, 2012, 8:53:48 AM
to handy-back...@googlegroups.com
Active Directory contains a very useful feature which allows Administrators to automatically deploy software to machines or users when the machine is booted or a user logs on.

This document assumes you will be deploying software to a set of machines in which the user does not have local admin rights, so it will focus on the process to deploy to the computers via the Computer Configuration GPO setting.

Verify the MSI Works First

Before you define the GPO and Package Objects, ensure that the MSI installer file works as you planned.

Keep in mind that if it attempts to set HKEY_Current_User registry keys, that process will fail since there is no user logged onto the machine during the software deployment, so no HKEY_Current_User registry section is available.

If you require HKEY_Current_User registry keys to be set, split your MSI installer file into two parts, and define the software installation in the Computer Configuration GPO section, and the HKEY_Current_User registry updates in the User Configuration GPO section.

Also, you may want to test the MSI file as the local computer account first. See the Troubleshooting section on how to obtain a command prompt as the NT Authority\System account.

Defining the GPO and Package Object

Create a share on a server, and allow Domain Computers at least READ access to the share. Copy the MSI installation file to the share and ensure it also allows for Domain Computers READ access.

Create the Group Policy Object in the Active Directory Users and Computers application:

1. Right click on the OU you wish to define the GPO and select Properties.

2. Click the Group Policy tab and click New.

3. Type a descriptive name for this new GPO. Be sure to prefix the name with your Section/Division to provide ambiguity.

4. Click the Properties button, then select the Security tab. Add the Domain Computers group (or edit the existing Authenticated Users group) and assign the READ and APPLY GROUP POLICY rights.

5. Click on the Edit button to edit this new Group Policy. Expand the Computer Configuration\Software Settings tree on the left side of the screen. Right-click the Software Installation tree option and select the menu item New\Package.

6. An Open File dialog box should appear. Type in the UNC path to the server share where the MSI installer file is located. Select the appropriate MSI installer file and click Open. If you receive a ‘Cannot open file’ error, check the share permissions to ensure the account you are using the Active Directory Users and Computers application with has READ/WRITE access to the share.

7. Select the Assign radio button and click OK. The other Published and Advanced radio buttons are alternate ways to publish the MSI package. Published will not automatically install the MSI installer file, but instead place an entry in the local Add/Remove Programs utility for manual installation later. Advanced will give you the ability to change certain properties such as the Package Name.

8. You have now created and assigned the Package Object.

9. Right click on the Package Object and select Properties.

10. Click on the Security tab and add Domain Computers (or Authenticated Users if that is your scheme) to the security permissions. Ensure Domain Computers has the READ right.

11. Click the Advanced tab and select Domain Computers (or Authenticated Users if that is your scheme) and click Edit. Ensure the List Contents, Read All Properties and Read Permissions checkboxes are selected.

12. Close the Group Policy window.

13. Close the GPO window.

14. The MSI package has now been defined and is ready for deployment.

15. Wait about 10-15 minutes for your changes to be replicated to the other Domain Controllers, then reboot a machine contained within the OU you defined the GPO for.


Verifying Installation

After rebooting a workstation contained within the OU you defined the GPO Software Deployment policy for, an information box should appear on the screen after the Applying Security Settings messages stating it is installing the MSI package along with the name you defined in the Package Object advanced properties, or defaulting to the deployment name within the MSI installation file.

1. After the workstation boots, log in and open the Event Viewer.


2. Navigate to the Applications Event Viewer.


3. A successful installation will have three informational entries indicating a successful MSI deployment. Check the Event Viewer message to see if there are any errors.

Kind regards to Home.Fnal.Gov for this helpful guide!
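
Added example, not part of the original post or the Fnal guide: a PowerShell check of the NTFS permissions on the deployed MSI file. It confirms that Domain Computers (or Authenticated Users) can read the package and lists any principal outside a trusted set that could replace or re-permission it, which matters because the package is installed under the computer account rather than a user. The CONTOSO domain, the function name Test-MsiDeploymentAcl, the trusted-writer list and the sample permissions are assumptions made for the illustration; share-level permissions are separate and are not checked here.

```powershell
# Added example: audit the NTFS ACL of an MSI that a Computer Configuration GPO installs.
# Hypothetical names: Test-MsiDeploymentAcl, the CONTOSO domain, the trusted-writer list.
function Test-MsiDeploymentAcl {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rules,
        [string[]] $Readers = @('CONTOSO\Domain Computers', 'NT AUTHORITY\Authenticated Users'),
        [string[]] $TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                                       'CONTOSO\Domain Admins')
    )
    $rights = [System.Security.AccessControl.FileSystemRights]
    $readMask = [int]$rights::Read
    # Rights that let a principal change the package or its permissions.
    $writeMask = [int]$rights::WriteData -bor [int]$rights::AppendData -bor
                 [int]$rights::Delete -bor [int]$rights::ChangePermissions -bor
                 [int]$rights::TakeOwnership

    # Only Allow entries grant access; Deny entries are ignored by this check.
    $allow = @($Rules | Where-Object { "$($_.AccessControlType)" -eq 'Allow' })

    # Step 1 of the guide: the computers must be able to read the installer.
    $canRead = @($allow | Where-Object {
        $Readers -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $readMask) -eq $readMask
    })
    # Anyone else holding write-type rights can swap the file the machines install.
    $untrusted = @($allow | Where-Object {
        $TrustedWriters -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    })
    [pscustomobject]@{
        ComputersCanRead = ($canRead.Count -gt 0)
        UntrustedWriters = @($untrusted | ForEach-Object { $_.IdentityReference.Value })
    }
}

# Constructed sample ACL (not taken from a real share): Domain Users holding Modify is the finding.
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
$sample = @(
    (New-Object $ruleType ('CONTOSO\Domain Computers', 'ReadAndExecute', 'Allow')),
    (New-Object $ruleType ('BUILTIN\Administrators', 'FullControl', 'Allow')),
    (New-Object $ruleType ('CONTOSO\Domain Users', 'Modify', 'Allow'))
)
Test-MsiDeploymentAcl -Rules $sample

# Against a real package (placeholder path):
# Test-MsiDeploymentAcl -Rules @((Get-Acl '\\server\share\package.msi').Access)
```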

sroz...@gmail.com

Apr 1, 2014, 8:22:38 AM
to handy-back...@googlegroups.com
Or the same steps with screen-shots for clearness


On Wednesday, July 11, 2012 6:53:48 PM UTC+6, El Tigre wrote: