Install Software via GPO - Computer Configuration vs User Configuration
-
Open a Run prompt and type in rsop.msc
What do you see here?
-
Looks like the script is running, as that last execution time is when I last rebooted.
-
I just rebooted again and it ran again, but still didn't install. Am I missing something?
-
Does the 'authenticated users' group have permissions to the folder where your files are located?
I personally don't like messing with security filtering until AFTER everything else tests OK. This is one place where most people muck it up and change all sorts of other things when it's this aspect that is incorrect.
-
@IRJ and I kind of figured out that it probably isn't running because the script pulls the installer from a domain path, which if it's a computer config, it runs as local admin right? That would mean it wouldn't have access to a domain path, maybe. Still haven't gotten it working..
-
It is actually the system account, not local administrator since we are talking about an computer object and actual users do not come into play here. If the share and subsequent files don't have 'authenticated users' or that computer name somehow (either by group or by name) specified with permissions, then you are correct, the computer's system account won't be able to access those files and your installation will fail.
-
Why do the installation through a script? Can you create a package for it instead and publish it in GP?
-
@Dashrender said:
Why do the installation through a script? Can you create a package for it instead and publish it in GP?
Haven't found a way to bundle Lync 2013 client as an MSI, so no.
-
@Rob-Dunn said:
It is actually the system account, not local administrator since we are talking about an computer object and actual users do not come into play here. If the share and subsequent files don't have 'authenticated users' or that computer name somehow (either by group or by name) specified with permissions, then you are correct, the computer's system account won't be able to access those files and your installation will fail.
The share has permissions for "Everyone" to have "Read" access. Is that enough?
-
@thanksaj this should work just fine. If you want to exclude other accounts like 'guest' and 'local service' - i.e. non-passworded accounts, use 'authenticated users' instead.
If there is ever any need for anyone (and I mean anyone) to write anything to this share, you're going to want to change 'everyone' to 'full control' on the share, and then set the permissions on the folder for read only for that group. That way, administrators can still mount the share and write/edit files there.
-
@Rob-Dunn said:
@thanksaj this should work just fine. If you want to exclude other accounts like 'guest' and 'local service' - i.e. non-passworded accounts, use 'authenticated users' instead.
If there is ever any need for anyone (and I mean anyone) to write anything to this share, you're going to want to change 'everyone' to 'full control' on the share, and then set the permissions on the folder for read only for that group. That way, administrators can still mount the share and write/edit files there.
Yeah, that's fine. Just trying to figure out why my GPOs and scripts aren't working...
-
I just tested the commands from the local admin account. Now could the issue be where these scripts are located? I have them on one of the DC's NETLOGON folders. That should be fine AFAIK, but it seems like the computer config GPOs are having issues pulling from a domain location, even the scripts. Any thoughts?
-
@thanksaj
Using the local admin account is not the same as the computer using the computer account - these are two different things. The local administrator account will access the files in the context of a user object (albeit a local user), whereas the computer will access them as the computer object (a domain computer object). Kind of an odd concept to grasp, but the computer has it's own identity when it accesses network resources.
-
@Rob-Dunn said:
@thanksaj
Using the local admin account is not the same as the computer using the computer account - these are two different things. The local administrator account will access the files in the context of a user object (albeit a local user), whereas the computer will access them as the computer object (a domain computer object). Kind of an odd concept to grasp, but the computer has it's own identity when it accesses network resources.
Ok, so it should have the permissions to access a domain resource then? That's what I always figured but this whole thing is getting confusing.
-
@thanksaj
Yep, so the domain group 'authenticated users' contains both user objects and computer objects since both authenticate using their own passwords (computers just have their own passwords that they change automatically). So long as 'authenticated users' is set as a group that is allowed access to a network resource, your scripts configured under the computer configuration GPO settings should be able to reference and use those domain folders and files.
Does that help?
-
@Rob-Dunn said:
@thanksaj
Yep, so the domain group 'authenticated users' contains both user objects and computer objects since both authenticate using their own passwords (computers just have their own passwords that they change automatically). So long as 'authenticated users' is set as a group that is allowed access to a network resource, your scripts configured under the computer configuration GPO settings should be able to reference and use those domain folders and files.
Does that help?
Yes, that was EXTREMELY helpful!
-
Ok, so I've figured out the trick to how we can get this to work. First of all, THANK YOU to all of you, but especially @Rob-Dunn and @IRJ for your help and insights. How I did this was create TWO GPOs. The first one that executes is the Computer Config GPO and it copies a text file I created called "install_lync_key.txt" from the DC's NETLOGON folder to the root of C:. This GPO is only applied to the computers I want to install Lync on.
Next, my second GPO executes a batch script to all users. Security Filter is just Authenticated Users, and it's applied at the root level of the domain. The script is as follows:
__
IF EXIST "C:\Program Files\Microsoft Office\Office15\lync.exe" exit
IF EXIST "C:\Program Files (x86)\Microsoft Office\Office15\lync.exe" exit
IF EXIST "C:\install_lync_key.txt" goto InstallLync ELSE exit:InstallLync
"[removed]\LyncInstaller\Lync Install Files\setup.exe" /config [removed]\LyncInstaller\config.xml
__
Basically, if Lync is already installed, it just kills the script. If it doesn't find the file on the computer, it kills the install. Tested this and it's working the way we wanted. FINALLY! This thing has been a nightmare. Anyways, that's the fix I was able to figure this out with. Thanks for everyone's help!A.J.
-
@thanksaj BOOYA!
-
-
Sorry that I stepped out of this one. I have a big deployment I have been preparing for. Its going to be a long night\morning