[gptalk] Re: Permissions for software installation
- From: Shane Williford <shane.williford@xxxxxxxxxx>
- To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
- Date: Tue, 5 Aug 2008 11:06:57 -0500
Yeah..that's exactly what I did - applied for license to distribute it, got the
.msi file, and applied to Comp Config. I ran it on a test OU as well and had
problems with it working. As suggested by Jamie Nelson, I transferred the
install to the sysvol folder instead of a network share. I uninstalled Flash,
booted up my test computer and it worked. I uninstalled it again; again, booted
it up, and it again worked. So, I thought I had this licked. But, in beta
testing on a couple other OUs, it's not seeming to work. I'm probably gonna
give Adobe a call to see if they have any suggestions as well. I'll keep you
posted via the list here if you like...
Shane
Shane M. Williford
Systems Administrator
MCSE, MCSA Sec, Sec+, Net+, A+
Mazuma Credit Union
9300 Troost
Kansas City, MO 64131
shane.williford@xxxxxxxxxx<mailto:shane.williford@xxxxxxxxxx>
816-361-4194 x6012
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew McHale
Sent: Tuesday, August 05, 2008 11:02 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
Hi Shane,
The Flash installation for me has been, so far, very simple.
I'm only talking about the Flash Reader IE active-x plug-in though, not a full
blown copy of the Flash developer.
I grabbed the distributable msi by applying for a license, created a
per-computer GPO software installation, told it to uninstall if moved out of
scope and left the rest at default. I didn't apply any transforms or
application switches.
I assigned it to a test OU which only has a single workstation in and applied
it to two groups we have, one for desktops and one for laptops. I have since
gone through and given 'Domain Computers' 'Full Control' my installation files
folder.
However, I have only done this on a brand new, fully patched version of XP SP3
with minimal installations on it such as Office 2007, Acrobat, Java, etc.
I read a lot of problems on appdeploy.com about Flash installation failing if a
previous version of Flash exists on the system. Everyone on there seems to have
had to deploy Flash using a script which checks for Flash and runs an
uninstaller first if its present. I expect I'll have these problems once I test
this on an existing workstation with all the usual trash on!
I doubt this helps but hope it does.
Andrew
From: Shane Williford [mailto:shane.williford@xxxxxxxxxx]
Sent: 05 August 2008 16:45
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
Hi Andrew...
I actually was just getting GP assistance for deploying Flash via GP last week.
I thought I had it licked, but alas...it doesn't work. I followed all
documentation steps as well as suggestions from here (Jamie, specifically) and
it seemed to work for me, but when I apply it on other OUs, it doesn't seem to
install unless an Admin runs/activates it first. If you get yours to work,
please share how.
Thanks.
Shane M. Williford
Systems Administrator
MCSE, MCSA Sec, Sec+, Net+, A+
Mazuma Credit Union
9300 Troost
Kansas City, MO 64131
shane.williford@xxxxxxxxxx<mailto:shane.williford@xxxxxxxxxx>
816-361-4194 x6012
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew McHale
Sent: Tuesday, August 05, 2008 4:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
Hi all,
Thanks for the pointer.
It was a per-computer GPO (sorry for missing this out in my original post) and
I didn't even think about adding Domain Computers instead of Everyone.
Interestingly, the Authenticated Users group has no rights on this folder which
could add to the fact it wouldn't run.
I used a full computer path, not an IP, so this wasn't the issue, but thanks
for the suggestion.
What I still don't understand though, is why the Java installation would work
fine but the Acrobat one wouldn't. They are both per-computer GPO's and have
files in the same folder structure with exactly the same permissions. The only
differences are the Acrobat install uses a Transform file and the GPO has the
User Configuration Settings disabled, where as the Java GPO doesn't.
Any idea's or should I just chalk this up to 'one of those things'?
Many thanks
Andrew
From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx]
Sent: 04 August 2008 23:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
Don't know why you would use an IP, but in this case it shouldn't make a
difference. It usually comes down to permissions.
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Greg
Sent: Monday, August 04, 2008 5:50 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Permissions for software installation
When you set up the deployment, did you point it to an IP address or a server
name? I had this issue once in the past when I used an ip address and found
out it will cause you to get access denied.
----- Original Message -----
From: Nelson, Jamie<mailto:Jamie.Nelson@xxxxxxx>
To: gptalk@xxxxxxxxxxxxx<mailto:gptalk@xxxxxxxxxxxxx>
Sent: Monday, August 04, 2008 1:29 PM
Subject: [gptalk] Re: Permissions for software installation
Yep, I've always made it a point to grant explicit rights to Domain Computers
if it is a per-computer assigned installation.
From: gptalk-bounce@xxxxxxxxxxxxx<mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Monday, August 04, 2008 11:41 AM
To: gptalk@xxxxxxxxxxxxx<mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: Permissions for software installation
Andrew-
Was this a per-computer deployment? If so, then the installation happens in the
context of the machine's domain account. In the past I've noticed that
Authenticated Users was not sufficient to solve this problem, even though it
should have been. I'm not clear why this is, but perhaps setting up some
auditing on the server sided would have pointed the way. What I've seen, as a
solution, is to grant either Domain Computers or Everyone explicit access to
the files.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew McHale
Sent: Monday, August 04, 2008 9:33 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Permissions for software installation
Hi all,
I've just created a GPO for deploying Acrobat 9 using the standard policy
software installation (not GPP) and added a transform file to get around things
like desktop shortcuts and EULA agreements.
However, when I came to deploy it I got errors about not being able to access
the files.
On Friday I also created a GPO to deploy Java. This had exactly the same access
rights as the Acrobat files but worked first time.
I managed to get the Acrobat installation to work by giving 'Everyone' read,
list and execute permissions to the folder containing the files but am confused
as to why I had to do this.
I thought the software installation used elevated privileges to install
software? Can anyone explain to me (to help my GP understanding) why this is
the case? In case you need to know, our environment is 100% Server 2003 SP2 and
I was deploying to a XP SP3 machine.
Thanks
Andrew
________________________________
Confidentiality Warning: This message and any attachments are intended only for
the use of the intended recipient(s), are confidential, and may be privileged.
If you are not the intended recipient, you are hereby notified that any review,
retransmission, conversion to hard copy, copying, circulation or other use of
all or any portion of this message and any attachments is strictly prohibited.
If you are not the intended recipient, please notify the sender immediately by
return e-mail, and delete this message and any attachments from your system.
________________________________
Notice: The information transmitted in this e-mail may contain confidential
and/ or legally privileged information intended only for the use of the
individual(s) named above. Review, use, disclosure, distribution, or forwarding
of this information by persons or entities other than the intended recipient(s)
is prohibited by law and may subject them to criminal or civil liabilities.
Statements and opinion expressed in this e-mail may not represent those of
Mazuma Credit Union. All e-mail communications through Mazuma's corporate email
system are subject to archiving and review by someone other than the recipient.
If you have received this communication in error, please notify the sender
immediately and delete/destroy any and all copies of the original message from
any computer or network system.
________________________________
Notice: The information transmitted in this e-mail may contain confidential
and/ or legally privileged information intended only for the use of the
individual(s) named above. Review, use, disclosure, distribution, or forwarding
of this information by persons or entities other than the intended recipient(s)
is prohibited by law and may subject them to criminal or civil liabilities.
Statements and opinion expressed in this e-mail may not represent those of
Mazuma Credit Union. All e-mail communications through Mazuma's corporate email
system are subject to archiving and review by someone other than the recipient.
If you have received this communication in error, please notify the sender
immediately and delete/destroy any and all copies of the original message from
any computer or network system.
Other related posts:
