[gptalk] Re: auto install

  • From: "Robert Mariani" <rmariani@xxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 20 Sep 2006 11:57:27 +1000 (EST)

In terms of security the Netlogon directory is pretty wide open - and like 
Darren said -
all the MSI's will replicate to your DC's

The way that i manage my GPO
software deployments is like this ( i will use Acrobat 7 Pro as a example)

1.  Create a folder like \\<server>\GPOManagedApps\"Acrobat"
2.  Create the MSI admin install to to the Acrobat folder
3.  Create a
Security group with the computers/users I want to install is package to in the 
4.  Remove all (execept admin) security from the Acrobat folder and add
read/execute to the newly created security group
5.  Create a GPO to assign in
the usual fashion although in the security filtering add the security group 
just create
6.  Link the GPO the required OU and voila! - gpupdate /force (if you
want) and all should be well

hope this give you some pointers...

feel free to correct me if there is a better way!


On Wed, September 20, 2006 11:36 am, Jim Bangle said: 

I am soooooo
excited that you all are saying this. I had my msi&rsquo;s on a share, all 
warm, fuzzy,
and secure, but I had the same exact symptom Eric is having. I was told by 
another admin
around here someplace that the msi&rsquo;s had to be in Netlogon, and after 
putting them in folders under Netlogon and reassigning them&hellip; voila! 
has worked since. BUT, I don&rsquo;t want them where they are! So, now I have 
motivation to figure out how to create what I want. I thought I was working 
with a
system limitation.

Thanks for the
feedback, all. AND, does anyone have any ideas as to why moving my msi&rsquo;s 
have appeared to have been a solution?



From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 19, 2006 6:28
Subject: [gptalk] Re: auto install


Agreed. Netlogon
is probably not the place for these--you don't necessarily want your packages
replicating to every DC.. A good DFS share somewhere on a file server is your 
best bet.
Eric I think your best bet again is to use the msi*.log files in 
c:\windows\temp to
troubleshoot why the per-computer assignment is not working.



From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Mariani
Sent: Tuesday, September 19, 2006 6:24
Subject: [gptalk] Re: auto install

Although a valid suggestion i would not be putting my msi files in
the Netlogon directory -

I believe best practice is to create a shared folder
on the network and allow access via security groups etc...

just my


On Wed, September 20, 2006 11:08 am, Jim Bangle


Are your
msi files in Netlogon or a subfolder thereof? They must be stored there, though 
assign process will allow you to browse to other locations and point to msi's 
I was caught by this early on. 

-----Original Message----- 
To: gptalk@xxxxxxxxxxxxx 
Sent: Tue Sep 19
15:51:18 2006 
Subject: [gptalk] auto install 

I have tried to make
group policy auto install programs. I can make it do it via user config but I 
would like
to it do it via computer config. I have added the msi and they are set to 
assign. At
startup the computer sais something briefly about managed software but then does
nothing. Anyhelp would be great. 



Other related posts: