Install Software via GPO - Computer Configuration vs User Configuration
-
I just tested the commands from the local admin account. Now could the issue be where these scripts are located? I have them on one of the DC's NETLOGON folders. That should be fine AFAIK, but it seems like the computer config GPOs are having issues pulling from a domain location, even the scripts. Any thoughts?
-
@thanksaj
Using the local admin account is not the same as the computer using the computer account - these are two different things. The local administrator account will access the files in the context of a user object (albeit a local user), whereas the computer will access them as the computer object (a domain computer object). Kind of an odd concept to grasp, but the computer has it's own identity when it accesses network resources.
-
@Rob-Dunn said:
@thanksaj
Using the local admin account is not the same as the computer using the computer account - these are two different things. The local administrator account will access the files in the context of a user object (albeit a local user), whereas the computer will access them as the computer object (a domain computer object). Kind of an odd concept to grasp, but the computer has it's own identity when it accesses network resources.
Ok, so it should have the permissions to access a domain resource then? That's what I always figured but this whole thing is getting confusing.
-
@thanksaj
Yep, so the domain group 'authenticated users' contains both user objects and computer objects since both authenticate using their own passwords (computers just have their own passwords that they change automatically). So long as 'authenticated users' is set as a group that is allowed access to a network resource, your scripts configured under the computer configuration GPO settings should be able to reference and use those domain folders and files.
Does that help?
-
@Rob-Dunn said:
@thanksaj
Yep, so the domain group 'authenticated users' contains both user objects and computer objects since both authenticate using their own passwords (computers just have their own passwords that they change automatically). So long as 'authenticated users' is set as a group that is allowed access to a network resource, your scripts configured under the computer configuration GPO settings should be able to reference and use those domain folders and files.
Does that help?
Yes, that was EXTREMELY helpful!
-
Ok, so I've figured out the trick to how we can get this to work. First of all, THANK YOU to all of you, but especially @Rob-Dunn and @IRJ for your help and insights. How I did this was create TWO GPOs. The first one that executes is the Computer Config GPO and it copies a text file I created called "install_lync_key.txt" from the DC's NETLOGON folder to the root of C:. This GPO is only applied to the computers I want to install Lync on.
Next, my second GPO executes a batch script to all users. Security Filter is just Authenticated Users, and it's applied at the root level of the domain. The script is as follows:
__
IF EXIST "C:\Program Files\Microsoft Office\Office15\lync.exe" exit
IF EXIST "C:\Program Files (x86)\Microsoft Office\Office15\lync.exe" exit
IF EXIST "C:\install_lync_key.txt" goto InstallLync ELSE exit:InstallLync
"\[removed]\LyncInstaller\Lync Install Files\setup.exe" /config \[removed]\LyncInstaller\config.xml
__
Basically, if Lync is already installed, it just kills the script. If it doesn't find the file on the computer, it kills the install. Tested this and it's working the way we wanted. FINALLY! This thing has been a nightmare. Anyways, that's the fix I was able to figure this out with. Thanks for everyone's help!A.J.
-
@thanksaj BOOYA!
-
-
Sorry that I stepped out of this one. I have a big deployment I have been preparing for. Its going to be a long night\morning
-
@IRJ That's why this is a community and not email
Good luck with your deployment!
