[gptalk] Re: Installing Applications Fails[Scanned]
- From: Thorbjörn Sjövold <thorbjorn.sjovold@xxxxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Thu, 15 Feb 2007 10:59:58 +0100
You are running with the system credentials (system level) but you get prompted
for credentials because the Redirector (Workstation service) figures out that
to access the resources you request the current ones are inadequate. On the
network the mighty Local System account is just another user, if you have
security logging enabled on your share you would find the computer name with a
$ sign , e.g. "mycomputer$" sign after it as it it is the computer SAM account
name that is used when a computer is trying to access something.
Your account obviously are still connected to the domain, since Group Policy is
processing fine. In the System command prompt I assume you can read from
SYSVOL. i.e. \\<domain.rootdomain\SYSVOL\<domain.rootdomain ? Also do you have
any problems accessing the shares as an ordinary user and not as the computer?
HTH,
Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com <http://www.specopssoft.com/>
thorbjorn.sjovold a t specopssoft.com
Download our free tool for remote Gpupdate with graphical reporting,
http://www.specopssoft.com/products/specopsgpupdate/
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Craig Judd
Sent: den 15 februari 2007 10:21
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Installing Applications Fails[Scanned]
I did try this, it seems like an excellent way to determine access rights from
the system level. I obviously have a problem because I am trying to connect to
our shares
Net view \\10.1.1.10\[sharename <file:///\\10.1.1.10\%5bsharename> ] and I get
the error
"System error 5 Access is denied" - this seems to be blanket across all shares,
even if I have "everyone" read only and the "domain computers" read only on the
shares and file level security.
If I Net Use * \\10.1.1.10\[sharename <file:///\\10.1.1.10\%5bsharename> ] I
get prompted for username and password. But I thought this was running at the
system level?
Any ideas?
Regards
Craig
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Thorbjörn Sjövold
Sent: 14 February 2007 15:22
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Installing Applications Fails[Scanned]
If this is a computer based deployment, here is a neat little trick to check if
this is permission problem:
1) Log on as an administrator on a computer where you have the problem.
2) Start a Command Prompt
3) Run the command "AT <A time close to now> /Interactive cmd.exe"
4) When the jobs runs a new command prompt will pop up where you are actually
running with the security credentials as the System, i.e. the computer account.
5) Try to access the path where your files are located using for example DIR
from the new command prompt. If you get an Access Denied here then you know it
is a permission problem.
Observe that this will not work in Vista due to all services and the system
itself now have their Windows Stations in Session 0 and we mortals do not :)
HTH,
Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com <http://www.specopssoft.com/>
thorbjorn.sjovold a t specopssoft.com
Download our free tool for remote Gpupdate with graphical reporting,
http://www.specopssoft.com/products/specopsgpupdate/
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: den 14 februari 2007 15:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Installing Applications Fails
Craig-
This is a common problem I see and I'll be darned if I can find a common
thread. But, some things to check. If you are deploying per-computer, try
granting the Domain Computers group explicit read access to these shares and
files. I know that it shouldn't matter if you already have the Everyone group
but I have seen this help. 2nd thing-if the servers are 2003, SP1, there may be
some SMB signing going on that the clients can't handle. Make sure that your
security settings on the servers don't require SMB signing or that your clients
are set to respond to it.
Those are the two things that come to mind right away. Let us know if neither
helps.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Craig Judd
Sent: Wednesday, February 14, 2007 12:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Installing Applications Fails
Hi
We have a medium sized Active Directory that has been in place for about 3 yrs,
apart from the deployment of the Office Suite against the "domain policy" we
have OU's that represent each group of machines and in turn we have associated
applications for each department trying to install from these OU's. The office
installation succeeds by the way.
However it has come to light that these other apps fail to be deployed
successfully, the LOG entry says that the "source installation file is not
available".
So we see that when we reboot a client workstation it says that it is
installing the required application, it all appears to go through ok, the log
in box finally appears, but yet the deployed application has not been installed.
The source files are available at the share location, and all security and
rights are available to everyone as read only.
Any pointers as to why the apps are failing to deploy would be a huge help,
thanks in advance.
Craig Judd
ICT Network Manager
Parkstone Grammar School,
Sopers Lane,
Poole,
Dorset.
BH17 7EP
01202 605617
Other related posts:
