Install Software via GPO - Computer Configuration vs User Configuration
-
So we have a client that we are trying to install Lync 2013 on about 15 machines. We want to use a Computer-defined GPO as opposed to a user-based GPO, because the client needs to be installed only on these machines. Now, Lync 2013 doesn't have an MSI that I've seen anywhere. Lync 2010 was supposed to have an MSI that was created when you ran the installed and was placed in a folder in Program Files (x86), but Lync 2013 doesn't have that. Anyways, I am using a one-line batch script for the install. It contains this:
"\dc01\LyncInstaller\Lync Install Files\setup.exe" /config \dc01\LyncInstaller\config.xml
My coworker originally was trying it with the MSP file but some research I did found that using the config.xml might be preferred. The config.xml file consists of this:
<!--*************************************************
Created using Windows AFG found at:
http://windowsafg.no-ip.orgInstallation Notes
Location:
Notes: Enter your comments here...
**************************************************--><Configuration>
<Display Level="None" CompletionNotice="Yes" SuppressModal="Yes" AcceptEula="Yes" />
<USERNAME Value="" />
<USERINITIALS Value="" />
<COMPANYNAME Value="" />
<PIDKEY Value="[removed]" />
<Setting Id="AUTO_ACTIVATE" Value="1" />
<Setting Id="SETUP_REBOOT" Value="AutoIfNeeded" />
<INSTALLLOCATION Value="" />
<OptionState Id="ACCESSFiles" State="Absent" Children="force" />
<OptionState Id="EXCELFiles" State="Absent" Children="force" />
<OptionState Id="XDOCSFiles" State="Absent" Children="force" />
<OptionState Id="LyncCoreFiles" State="Local" Children="force" />
<OptionState Id="OneNoteFiles" State="Absent" Children="force" />
<OptionState Id="OUTLOOKFiles" State="Absent" Children="force" />
<OptionState Id="PPTFiles" State="Absent" Children="force" />
<OptionState Id="PubPrimary" State="Absent" Children="force" />
<OptionState Id="GrooveFiles2" State="Absent" Children="force" />
<OptionState Id="VisioPreviewerFiles" State="Absent" Children="force" />
<OptionState Id="WORDFiles" State="Absent" Children="force" />
<OptionState Id="SHAREDFiles" State="Local" Children="force" />
<OptionState Id="TOOLSFiles" State="Local" Children="force" />
</Configuration>__
When I run the batch script logged in as a domain admin, it executes in the background perfectly and as it should. When we execute this script via a user-based GPO, it works. However, we'd like to do it as a startup script. For the startup script, so that it doesn't keep trying to install over and over, I've written this:
IF EXIST "C:\Program Files\Microsoft Office\Office15\lync.exe" exit
IF EXIST "C:\Program Files (x86)\Microsoft Office\Office15\lync.exe" exit ELSE "\dc01\LyncInstaller\Lync Install Files\setup.exe" /config \dc01\LyncInstaller\config.xmlThe issue is that it does not work when executed as a startup script. Am I missing something that I should know about GPOs or startup scripts or could there be something else at work?
Thanks,
A.J. -
You need to follow this guide
-
I've seen that walkthrough, and it doesn't work. The script where you use the \share\lyncinstall /install /silent doesn't work. I tried just running the command as a test from inside Windows, and those switches don't even exist. Nothing using that method was working. Like I said, I'm trying to figure out why it will work as a user-gpo but not a computer-gpo.
-
@thanksaj said:
I've seen that walkthrough, and it doesn't work. The script where you use the \share\lyncinstall /install /silent doesn't work. I tried just running the command as a test from inside Windows, and those switches don't even exist. Nothing using that method was working. Like I said, I'm trying to figure out why it will work as a user-gpo but not a computer-gpo.
Sorry about that I didn't even realize the article was wrong. I just assumed it wasn't because it was technet. You are right about the XML file. Always remember that user GPO's go in the same OU as your users and Computer GPOs go in the same OU as the computer.You are applying the Startup Script to the OU of the Computers in AD, correct?
-
@thanksaj said:
where. Lync 2010 was supposed to have an MSI that was created when you ran the installed and was placed in a folder in Program Files (x86), but Lync 2013 doesn't have that. Anyways, I am using a one-line batch script for the install. It contains this:
"\dc01\LyncInstaller\Lync Install Files\setup.exe" /config \dc01\LyncInstaller\config.xml
You are probably going to have to create a VB or PowerShell script and place the install on a network share. That's what I had to do for Office Communicator 2007 at my office.
-
@IRJ said:
@thanksaj said:
I've seen that walkthrough, and it doesn't work. The script where you use the \share\lyncinstall /install /silent doesn't work. I tried just running the command as a test from inside Windows, and those switches don't even exist. Nothing using that method was working. Like I said, I'm trying to figure out why it will work as a user-gpo but not a computer-gpo.
Sorry about that I didn't even realize the article was wrong. I just assumed it wasn't because it was technet. You are right about the XML file. Always remember that user GPO's go in the same OU as your users and Computer GPOs go in the same OU as the computer.You are applying the Startup Script to the OU of the Computers in AD, correct?
The thing is, it's not all the computers in the Computers OU. What was done, before I started on the ticket, was the machines we want this applied to were placed in a new OU called Software Installation. However, these computers were not working with the GPO when we used the script that works as a logon script as a startup script. We just can't figure out why it works one way but not the other.
-
@Bill-Kindle said:
@thanksaj said:
where. Lync 2010 was supposed to have an MSI that was created when you ran the installed and was placed in a folder in Program Files (x86), but Lync 2013 doesn't have that. Anyways, I am using a one-line batch script for the install. It contains this:
"\dc01\LyncInstaller\Lync Install Files\setup.exe" /config \dc01\LyncInstaller\config.xml
You are probably going to have to create a VB or PowerShell script and place the install on a network share. That's what I had to do for Office Communicator 2007 at my office.
@Bill-Kindle, that one-line batch script is the heart of it. Any idea what the comparable Powershell would be?
-
@thanksaj said:
@Bill-Kindle said:
@thanksaj said:
where. Lync 2010 was supposed to have an MSI that was created when you ran the installed and was placed in a folder in Program Files (x86), but Lync 2013 doesn't have that. Anyways, I am using a one-line batch script for the install. It contains this:
"\dc01\LyncInstaller\Lync Install Files\setup.exe" /config \dc01\LyncInstaller\config.xml
You are probably going to have to create a VB or PowerShell script and place the install on a network share. That's what I had to do for Office Communicator 2007 at my office.
@Bill-Kindle, that one-line batch script is the heart of it. Any idea what the comparable Powershell would be?
@thanksaj You are doing it the correct way. I think its do to an incorrectly configured GPO. Can you show me how its applied?
http://technet.microsoft.com/en-us/library/dd630736(v=office.15).aspx
-
Specifically for Lync
-
So this is where it currently stands, as it works like this, but not the way we want it to.
Without editing it as it stands, this is where we were placing the same script path when we were doing it via Computer Config.
-
Show me which OU it is linked to and I would also like to see the filtering settings
-
@IRJ said:
Show me which OU it is linked to and I would also like to see the filtering settings
What do you need to see in the OU? And okay, give me just a minute.
-
Security Group we WERE testing with for the security filtering:
Members include our domain admin account (because it wasn't working as a computer config GPO) and our VM that we use:
Our new security group is part of no other groups:
This is the OU we've been trying to use:
GPO is not currently linked and no filters are in place, but we were using the softwareinstallation security group as the security filter for the link at the root level.
-
Is that what you needed @IRJ ?
-
-
The Security Filtering cannot be empty or else nothing will be applied. Computers are treated as Authenticated Users as well.
-
@IRJ said:
The Security Filtering cannot be empty or else nothing will be applied. Computers are treated as Authenticated Users as well.
Yes, I know. When we try adding a computer directly, it gave some error message if we didn't have a security group in there. Also, we removed authenticated users, but now that I think about it, if we're doing a computer config GPO and we leave Authenticated users in there and then just subsequently add all our computers, shouldn't it work? It'll apply the GPO to all authenticated users but because it's a computer config and not user config GPO, that doesn't hurt us, right?
-
Security Filtering is used more with User GPOs than it is with Computer GPOs. I usually just leave the default "Authenticated Users" which will include all computers in the OU that the GPO is linked with.
-
@thanksaj said:
@IRJ said:
The Security Filtering cannot be empty or else nothing will be applied. Computers are treated as Authenticated Users as well.
then just subsequently add all our computers, shouldn't it work? It'll apply the GPO to all authenticated users but because it's a computer config and not user config GPO, that doesn't hurt us, right?
Yes
-
Try testing again and let me know if it works
