[gptalk] Re: Permissions for software installation
- From: "Andrew McHale" <Andrew.McHale@xxxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Tue, 5 Aug 2008 17:01:38 +0100
Hi Shane,
The Flash installation for me has been, so far, very simple.
I'm only talking about the Flash Reader IE active-x plug-in though, not
a full blown copy of the Flash developer.
I grabbed the distributable msi by applying for a license, created a
per-computer GPO software installation, told it to uninstall if moved
out of scope and left the rest at default. I didn't apply any transforms
or application switches.
I assigned it to a test OU which only has a single workstation in and
applied it to two groups we have, one for desktops and one for laptops.
I have since gone through and given 'Domain Computers' 'Full Control' my
installation files folder.
However, I have only done this on a brand new, fully patched version of
XP SP3 with minimal installations on it such as Office 2007, Acrobat,
Java, etc.
I read a lot of problems on appdeploy.com about Flash installation
failing if a previous version of Flash exists on the system. Everyone on
there seems to have had to deploy Flash using a script which checks for
Flash and runs an uninstaller first if its present. I expect I'll have
these problems once I test this on an existing workstation with all the
usual trash on!
I doubt this helps but hope it does.
Andrew
From: Shane Williford [mailto:shane.williford@xxxxxxxxxx]
Sent: 05 August 2008 16:45
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
Hi Andrew...
I actually was just getting GP assistance for deploying Flash via GP
last week. I thought I had it licked, but alas...it doesn't work. I
followed all documentation steps as well as suggestions from here
(Jamie, specifically) and it seemed to work for me, but when I apply it
on other OUs, it doesn't seem to install unless an Admin runs/activates
it first. If you get yours to work, please share how.
Thanks.
Shane M. Williford
Systems Administrator
MCSE, MCSA Sec, Sec+, Net+, A+
Mazuma Credit Union
9300 Troost
Kansas City, MO 64131
shane.williford@xxxxxxxxxx
816-361-4194 x6012
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Andrew McHale
Sent: Tuesday, August 05, 2008 4:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
Hi all,
Thanks for the pointer.
It was a per-computer GPO (sorry for missing this out in my original
post) and I didn't even think about adding Domain Computers instead of
Everyone. Interestingly, the Authenticated Users group has no rights on
this folder which could add to the fact it wouldn't run.
I used a full computer path, not an IP, so this wasn't the issue, but
thanks for the suggestion.
What I still don't understand though, is why the Java installation would
work fine but the Acrobat one wouldn't. They are both per-computer GPO's
and have files in the same folder structure with exactly the same
permissions. The only differences are the Acrobat install uses a
Transform file and the GPO has the User Configuration Settings disabled,
where as the Java GPO doesn't.
Any idea's or should I just chalk this up to 'one of those things'?
Many thanks
Andrew
From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx]
Sent: 04 August 2008 23:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
Don't know why you would use an IP, but in this case it shouldn't make a
difference. It usually comes down to permissions.
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg
Sent: Monday, August 04, 2008 5:50 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
When you set up the deployment, did you point it to an IP address or a
server name? I had this issue once in the past when I used an ip
address and found out it will cause you to get access denied.
----- Original Message -----
From: Nelson, Jamie <mailto:Jamie.Nelson@xxxxxxx>
To: gptalk@xxxxxxxxxxxxx
Sent: Monday, August 04, 2008 1:29 PM
Subject: [gptalk] Re: Permissions for software installation
Yep, I've always made it a point to grant explicit rights to
Domain Computers if it is a per-computer assigned installation.
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Monday, August 04, 2008 11:41 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
Andrew-
Was this a per-computer deployment? If so, then the installation
happens in the context of the machine's domain account. In the past I've
noticed that Authenticated Users was not sufficient to solve this
problem, even though it should have been. I'm not clear why this is, but
perhaps setting up some auditing on the server sided would have pointed
the way. What I've seen, as a solution, is to grant either Domain
Computers or Everyone explicit access to the files.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew McHale
Sent: Monday, August 04, 2008 9:33 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Permissions for software installation
Hi all,
I've just created a GPO for deploying Acrobat 9 using the
standard policy software installation (not GPP) and added a transform
file to get around things like desktop shortcuts and EULA agreements.
However, when I came to deploy it I got errors about not being
able to access the files.
On Friday I also created a GPO to deploy Java. This had exactly
the same access rights as the Acrobat files but worked first time.
I managed to get the Acrobat installation to work by giving
'Everyone' read, list and execute permissions to the folder containing
the files but am confused as to why I had to do this.
I thought the software installation used elevated privileges to
install software? Can anyone explain to me (to help my GP understanding)
why this is the case? In case you need to know, our environment is 100%
Server 2003 SP2 and I was deploying to a XP SP3 machine.
Thanks
Andrew
________________________________
Confidentiality Warning: This message and any attachments are
intended only for the use of the intended recipient(s), are
confidential, and may be privileged. If you are not the intended
recipient, you are hereby notified that any review, retransmission,
conversion to hard copy, copying, circulation or other use of all or any
portion of this message and any attachments is strictly prohibited. If
you are not the intended recipient, please notify the sender immediately
by return e-mail, and delete this message and any attachments from your
system.
________________________________
Notice: The information transmitted in this e-mail may contain
confidential and/ or legally privileged information intended only for
the use of the individual(s) named above. Review, use, disclosure,
distribution, or forwarding of this information by persons or entities
other than the intended recipient(s) is prohibited by law and may
subject them to criminal or civil liabilities. Statements and opinion
expressed in this e-mail may not represent those of Mazuma Credit Union.
All e-mail communications through Mazuma's corporate email system are
subject to archiving and review by someone other than the recipient. If
you have received this communication in error, please notify the sender
immediately and delete/destroy any and all copies of the original
message from any computer or network system.
Other related posts:
