GPO Software Deployment Woes
-
@anthonyh said in GPO Software Deployment Woes:
error 1612
Just to confirm, the share that the GPO is pointing to, has read permissions set for authenticated users all the way down to the msi file, right?
-
@wrx7m said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
error 1612
Just to confirm, the share that the GPO is pointing to, has read permissions set for authenticated users all the way down to the msi file, right?
Using the files from the example GPO information I posted earlier:
Authenticated Users, Domain Computers, and even Everyone has read & execute set for the root folder (gposw). The share permissions are set to Everyone with Full Control
The subfolder
esetis inheriting these permissions properly (at least per the Advanced Security Settings dialog box).The file
eea_nt64_enu_6.6.2089.2.msiis inheriting the expected permissions as well. -
Hmmm. What if you create a new share and see if that works?
-
@wrx7m said in GPO Software Deployment Woes:
Hmmm. What if you create a new share and see if that works?
Yeah, that's an option. I may try this first to see if I can get some clarification on if it's even attempting to hit the share first...
https://www.rootusers.com/configure-file-access-auditing-in-windows-server-2016/
-
@anthonyh Have you created a new GPO from scratch too?
-
@wrx7m said in GPO Software Deployment Woes:
@anthonyh Have you created a new GPO from scratch too?
No, that's something to test too.
I'd really like to get these existing Software Installation GPOs working if at all possible. I imagine there will be some havoc if I delete and re-create them...
-
Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.
So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.
What the heck?!
I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?
-
@anthonyh said in GPO Software Deployment Woes:
Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.
So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.
What the heck?!
I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?
For the heck of it, do you get to access the share while on Windows Explorer?
-
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.
So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.
What the heck?!
I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?
For the heck of it, do you get to access the share while on Windows Explorer?
Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.
-
@anthonyh said in GPO Software Deployment Woes:
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.
So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.
What the heck?!
I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?
For the heck of it, do you get to access the share while on Windows Explorer?
Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.
Yes, I was typing this before:
“
Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes” -
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.
So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.
What the heck?!
I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?
For the heck of it, do you get to access the share while on Windows Explorer?
Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.
Yes, I was typing this before:
“
Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes”No, I haven't tried that. Can you delete and re-add software packages to the GPO without it triggering an attempt to re-install them? I want to avoid triggering all of my clients to re-install everything and then wig out because it's all already installed...if that makes sense.
-
@anthonyh said in GPO Software Deployment Woes:
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.
So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.
What the heck?!
I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?
For the heck of it, do you get to access the share while on Windows Explorer?
Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.
Yes, I was typing this before:
“
Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes”No, I haven't tried that. Can you delete and re-add software packages to the GPO without it triggering an attempt to re-install them? I want to avoid triggering all of my clients to re-install everything and then wig out because it's all already installed...if that makes sense.
You can do this
https://support.microsoft.com/en-us/help/2395088/how-to-change-the-msi-file-location-in-the-software-deployment-gpo-mutOr redploy the application, I assume you have set the Package to uninstall when it falls out of the scope?
-
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
@dbeato said in GPO Software Deployment Woes:
@anthonyh said in GPO Software Deployment Woes:
Alright, for the heck of it, I re-created the share on my new DC (it assumed the same name as the DC it replaced, which was the DC originally hosting these files). And, guess what? All of the software installation policies applied successfully.
So even though I'm changing the msiFileList in ADSI Edit, it's not applying somewere. Even though looking at the Deployment Information of the GPOs shows the modified path, and running gpresult shows the modified path.
What the heck?!
I may just kick this can down the road a bit and re-visit it later unless anyone has any ideas?
For the heck of it, do you get to access the share while on Windows Explorer?
Yes. I think the problem is somewhere in the bowels of the GPOs the path isn't updating.
Yes, I was typing this before:
“
Just for my own sanity reading this Thread, did you actually import each software back again from the new share? Because sometimes that is what it takes”No, I haven't tried that. Can you delete and re-add software packages to the GPO without it triggering an attempt to re-install them? I want to avoid triggering all of my clients to re-install everything and then wig out because it's all already installed...if that makes sense.
You can do this
https://support.microsoft.com/en-us/help/2395088/how-to-change-the-msi-file-location-in-the-software-deployment-gpo-mutOr redploy the application, I assume you have set the Package to uninstall when it falls out of the scope?
That link is the exact article I followed.
Some are set to uninstall when out of scope, some are not.
-
Also diplicate the GPO and then setup a TEST ou and test it there with a VM or Desktop you can test.
-
@dbeato said in GPO Software Deployment Woes:
Also diplicate the GPO and then setup a TEST ou and test it there with a VM or Desktop you can test.
Yeah. I'll do that. I'll set up a GPO software deployment in a test OU and then remove/re-add the package and see what happens.
-
Is your filesrv02 the actual name of the machine? I remember seeing a mention of using a DNS record... I may be wrong but IIRC DNS redirection and modern SMB don't always work together very well because Kerberos. Like I said, might be completely out to lunch on this one, still working on my 1st coffee of the day.
-
@notverypunny said in GPO Software Deployment Woes:
Is your filesrv02 the actual name of the machine? I remember seeing a mention of using a DNS record... I may be wrong but IIRC DNS redirection and modern SMB don't always work together very well because Kerberos. Like I said, might be completely out to lunch on this one, still working on my 1st coffee of the day.
Boy I hope not, otherwise that precludes the ability to use a generic servername that can be assigned to be used so moving the share is easy.
-
@notverypunny said in GPO Software Deployment Woes:
Is your filesrv02 the actual name of the machine? I remember seeing a mention of using a DNS record... I may be wrong but IIRC DNS redirection and modern SMB don't always work together very well because Kerberos. Like I said, might be completely out to lunch on this one, still working on my 1st coffee of the day.
Yes, that is the actual name of the host I have moved the files to. @Dashrender was the one that suggested to use a CNAME in the future, which I will experiment with since if it works would make future moves (though years out likely) much easier.
The original host was
dc01, and the desire was to move the files tofilesrv02. I had followed the article @dbeato posted (https://support.microsoft.com/en-us/help/2395088/how-to-change-the-msi-file-location-in-the-software-deployment-gpo-mut) before starting this post here.I re-created the share on the "new"
dc01, even after re-pointing the msiFileList on all of my Software Install GPOs tofilesrv02. This satisfied the GPOs and on my test VM they all ran and installed without fuss.This tells me that even though I updated the msiFileList property (removed the old value and replaced it with new, which was simply changing the server. The share name and all permissions were identical), and even though gpresult was reflecting the new path, somewhere somehow things were not truly obeying this.
I even went as far as to enable file auditing on the share on
filesrv02and, sure enough, I saw zero attempts at any connections when a machine failed through the software install GPOs.So, for now, I've left the share in both locations and have updated the msiFileList property on the software install GPOs to reflect my "preferred" location (not ideal for sure). I think I'll revisit this once the other DC has been demoted and replaced with a Server 2016 host.
-
@anthonyh said in GPO Software Deployment Woes:
@notverypunny said in GPO Software Deployment Woes:
Is your filesrv02 the actual name of the machine? I remember seeing a mention of using a DNS record... I may be wrong but IIRC DNS redirection and modern SMB don't always work together very well because Kerberos. Like I said, might be completely out to lunch on this one, still working on my 1st coffee of the day.
Yes, that is the actual name of the host I have moved the files to. @Dashrender was the one that suggested to use a CNAME in the future, which I will experiment with since if it works would make future moves (though years out likely) much easier.
The original host was
dc01, and the desire was to move the files tofilesrv02. I had followed the article @dbeato posted (https://support.microsoft.com/en-us/help/2395088/how-to-change-the-msi-file-location-in-the-software-deployment-gpo-mut) before starting this post here.I re-created the share on the "new"
dc01, even after re-pointing the msiFileList on all of my Software Install GPOs tofilesrv02. This satisfied the GPOs and on my test VM they all ran and installed without fuss.This tells me that even though I updated the msiFileList property (removed the old value and replaced it with new, which was simply changing the server. The share name and all permissions were identical), and even though gpresult was reflecting the new path, somewhere somehow things were not truly obeying this.
I even went as far as to enable file auditing on the share on
filesrv02and, sure enough, I saw zero attempts at any connections when a machine failed through the software install GPOs.So, for now, I've left the share in both locations and have updated the msiFileList property on the software install GPOs to reflect my "preferred" location (not ideal for sure). I think I'll revisit this once the other DC has been demoted and replaced with a Server 2016 host.
Awesome!
-
Just a side note: I can confirm that @Dashrender 's suggestion of creating a CNAME works like a charm. I created a new software deployment GPO and added the source via the CNAME record and deployment was successful.
