Group policy software installs to remote users without VPN
Matt:Funny you should ask this, I justpublished a post in the Active Directory groupon how to extend AD domain services to remote users without the cost and complexity ofa traditional VPN. While DirectAccess provides a viable option, it requires Windows 7 Enterprise clients and there are a lot of moving parts to making it work (see this article).Pertino gives you the functionality and end user transparency of DirectAccess, but it works with any Windows 7 client version as well as Macs and is super simple to deploy and administer.Here's a video that shows you how.If it looks like it might work for you, you can try Pertino free for 30-days by goinghere.
If you were able to configure DirectAccess; your remote users would be connected to the corporate network without a VPN at all times - though I'm thinking this is not applicable to your situation.
But strictly speaking, you cannot use Group Policy Software Installation to manage software on computers that are not connected to the corporate network. 1) They are unable to retrieve the policy, and 2) unable to retrieve the software package.
You would need a 3rd party solution for this.
Similar Messages
-
Group Policy Management installation software properties bug found
Hello
In the GPM editor - Software installation Properties - Deployment tab. A deployment option "Install this application at logon" is greyed and can't check it but there is a little trick. Click on "Assigned" and the deployment option "Install
this application at logon" is now able to check or uncheck.
Here are some screenshot
[IMG]http://i62.tinypic.com/2im2ykk.png[/IMG]
[IMG]http://i59.tinypic.com/2ewcwb9.png[/IMG]
My server is Windows Server 2012 Datacenter
I don't know if i posted this thread on wrong section but i just report a problem.Hi,
It seems that it is by design. When you are deploying applications to computers, Assigning is the only option. If you're deploying to user accounts, you can select the deployment type, Assign or Publish, from the shortcut menu.
If you want to change the options "Install this application at logon", you will likely need to change them before applications are correctly Assigned or Published to users.
For more detailed information, please refer to the article below:
Advanced Published or Assigned
http://flylib.com/books/en/4.47.1.89/1/
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Regards,
Mandy
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server since the GPSVC service is tied
to svchost.exe and therefore is protected from being manually restarted.
I noticed the following errors when this occurs:
Log Name: Application
Source: Application Error
Date: 7/23/2013 4:35:26 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: Server1.xxx.xxx.net
Description:
Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000024
Fault offset: 0x00000000000cd7d8
Faulting process id: 0x46c
Faulting application start time: 0x01ce877f9476ac07
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" />
<EventRecordID>158950</EventRecordID>
<Channel>Application</Channel>
<Computer>AAW19XM2.agency.nwie.net</Computer>
<Security />
</System>
<EventData>
<Data>svchost.exe</Data>
<Data>6.1.7600.16385</Data>
<Data>4a5bc3c1</Data>
<Data>ntdll.dll</Data>
<Data>6.1.7601.17725</Data>
<Data>4ec4aa8e</Data>
<Data>c0000024</Data>
<Data>00000000000cd7d8</Data>
<Data>46c</Data>
<Data>01ce877f9476ac07</Data>
<Data>C:\Windows\system32\svchost.exe</Data>
<Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data>
</EventData>
</Event>
All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMWare, however,
about 5 months ago a similar error fired on a non-virtual machine:
Log Name: Application
Source: Application Error
Date: 2/27/2013 6:57:58 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: AAW29033
Description:
Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000024
Fault offset: 0x00000000000cd7d8
Faulting process id: 0x6c0
Faulting application start time: 0x01ce14e1af313fd9
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-27T11:57:58.000000000Z" />
<EventRecordID>286291</EventRecordID>
<Channel>Application</Channel>
<Computer>AAW29033</Computer>
<Security />
</System>
<EventData>
<Data>svchost.exe_gpsvc</Data>
<Data>6.1.7600.16385</Data>
<Data>4a5bc3c1</Data>
<Data>ntdll.dll</Data>
<Data>6.1.7601.17725</Data>
<Data>4ec4aa8e</Data>
<Data>c0000024</Data>
<Data>00000000000cd7d8</Data>
<Data>6c0</Data>
<Data>01ce14e1af313fd9</Data>
<Data>C:\Windows\system32\svchost.exe</Data>
<Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data>ed3d01c4-80d4-11e2-9128-b499baa9e5e8</Data>
</EventData>
</Event>
I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specific with the Exception code: 0xc0000024, which causes
the Group Policy Client service to stop?You still out there looking at things? If so I have an update. The issue hasn't stopped, even though it did seemingly die down for awhile, however, it is now back with a vengeance.
I am able to force it to happen by killing the svchost process that is hosting GPSVC. If I run gpupdate /force, then logout/login it does get GPSVC running again. Furthermore, if I simply start svchost again via the Task Manager GPSVC starts running again.
When I access the server remotely with KVM it acts just like it does as if I'm logging into it via Citrix/RDP which for Admin IDs gives an error saying "Failed to connect to a windows service. Windows could not connect to the Group Policy Client service...",
however, normal user accounts just get a message when logging into the server "The Group Policy Client Service Failed the Logon. Access is denied."
I haven't opened a case with Microsoft yet, but we about ready to because of the increase in these errors.
If you have any further suggestions that would be great, otherwise I'll provide an update once I get word back from Microsoft.
**EDIT -- apparently I mistook the the server's SCM's actions as my own. I was able to successfully crash the GPSVC service by killing the hosting svchost process, however, after I crashed it and let it sit crashed for awhile when I attempted
to restart either by starting a svchost task, or running gpupdate /force it failed. Either that, or there is a timing issue where if we don't restart the svchost process, or run gpupdate /force quickly enough it won't be able to recover without a reboot. -
Group Policy For 2008 Terminal Server Users Default Open With Not Working
I'm trying to change the default open with behavior for jpg files on my terminal server. I created a Group Policy that changed it to MS Paint to Office 2010 Picture Manager. The policy appears to apply correctly but jpg files still open in
Paint. When a user is logged on, if they look at the properties of a jpg, it shows Photo Gallery as the program to open it but when opened, it opens in Paint.
Has anyone seen this behavior before?
Orange County District Attorney> did. It would be helpful to know where the changes actually go in the
> registry to see if they did or now.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Group Policy to Allow Non-Administrative Users to View All User Processes in Task Manager
Hi All:
Trying to get users with just Remote Services right (can remote in, no administrative permissions what-so-ever, to have the ability to view all processes by all users on the server.
I would like to do through group policy, however I cannot seem to find a policy doing just this. Any ideas?
2008 R2 Forest btw.Hi,
Thank you for posting in Windows Server Forum.
The connection permissions that are set in Remote Desktop Session Host Configuration also determine the actions that a given user can perform in Remote Desktop Services Manager. For example, a user must have at least the Remote Control special access permission
to remotely control a user session by using Remote Desktop Services Manager.
Please check below article for details.
Configure Permissions for Remote Desktop Services Connections
http://technet.microsoft.com/en-us/library/cc753032.aspx
In regards to viewing process on RDSH server, can view the process in process Tab in RDSH manager.
Managing Users, Sessions, and Processes
http://technet.microsoft.com/en-us/library/cc732808.aspx
Hope it helps!
Thanks.
Dharmesh Solanki -
Outlook 2013 - wrap text group policy applied, not working with or without digital signature
Hello,
I'm adding group policies to apply on our new installations of Windows 8.1 with Office 2013. One of the settings being applied is enforcing plain text emails and wrapping text at a certain number of characters. Policies are being added using the Outlook
2013 admx.
When I check the options inside Outlook 2013 the group policy did apply successfully (File, Options, Mail, scroll down to Message Format) The option to "Automatically wrap text at character:" is set to 132 and not adjustable as it should be.
In the group policy I have it set to wrap at 132 characters, but when I go to a client machine and send a digitally signed email, it wraps at the default 76 characters. This makes for very annoying short blocky emails and multi-line hyperlinks.
If I do not digitally sign the email then the text doesn't wrap at all! (until it meets the end of the window). So under no circumstances is it wrapping at 132 where it's supposed to.
Thanks,
-Nick Hi,
What is your account type in Outlook? Exchange or others?
Please also let me know the email format that you are sending, Plain Text, HTML or Rich Text Format.
You can try sending the same emails in Outlook Safe Mode:
Press Win + R and type “outlook.exe /safe” in the blank box, then press Enter.
If there’s no problem in Safe Mode, disable the suspicious add-ins to verify which add-ins caused this issue.
Thanks,
Melon Chen
Forum Support
Come back and mark the replies as answers if they help and unmark them if they provide no help.
If you have any feedback on our support, please click
here -
Hello,
I have a Windows Server 2012 R2.
I have configured the Group Policy on it to block the usage of USB - Storage Devices @ user level on the client machines. It works properly for my Windows 7 client machines but it's not working on one of the machine having Windows Server 2008 R2 installed
on it (this machine is also a domain client in the same domain).
I will really be thankful if anyone can suggest some solution to this issue.
Please feel free to write back in-case I have missed anything obvious to be shared.
Thanks!
-Vinay Pugalia
If a post answers your question, please click "Mark As Answer" on that post or
"Vote as Helpful".
Web : Inkey Solutions
Blog : My Blog
Email : Vinay PugaliaHi,
Any update?
Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
Best Regards,
Andy Qi
TechNet
Subscriber Support
If you are TechNet
Subscription user and have any feedback on our support quality, please send your feedbackhere.
Andy Qi
TechNet Community Support -
Gourp Policy software installation suddenly stopped working
My GPO'S were all in wonderful working order, I just imaged 30+ machines using the same policies with no problem.
Now I have to deploy more machines but the GPO'S are not applying. I ran gpresult on one of the computers in question and get the message under component status\software installation: "The installation source for
this product is not available. Verify that the source exists and that you can access it."
As far as I know the permissions on the share have not changed. sharing permissions are: domain admins- full control. Everyone- Read access.
Security Permissions are: administrators (servername\administrators)- full control. Creator Owner-Special Permissions. Domain Admins- Full Control. Domain Users- Read & execute, list folder contents. SYSTEM- full control. Users- (servername\users)- Read
& execute, list folder contents.
I could really use some help on this, spent the last few days smashing my head on my desk.> under component status\software installation: "The installation
> source for this product is not available. Verify that the source exists
> and that you can access it."
grab a copy of psexec, open an admin commandline and run "psexec -s
cmd". Can you access your source files in that session? In addition,
examine application event log for the exact source path.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Machine Group Policy seem to be following user(printers following users)
I usually have my workstation GPO and my user GPO's separate that way I can link them to their respective OU's... So I usually organize Branch001->>Accounting and then have a Users and Workstations OU in there. That way I can have accounting software installed on their computers but have their network drives follow them if they login somewhere else.
I deployed two printers from my print server to Computer Lab1 OU on the machine level. I deployed two different printers from my print server to Computer Lab2 OU on the machine level.When logged in with a test student user everything seemed to be working fine in Lab 1. When I logged in to Lab 2 that's where thing got a little odd, Lab 1 and Lab 2 printers where both showing up along with a mapped drive that was set to computers in Lab 1. The same thing happened with Lab1 printers showing up on Lab2 machines. I ran gpresult and there is no sign of the Map drive or lab1s printers on lab2 or lab2s printers on lab1. Both Lab1 OU and Lab2 OU are in the "Master Lab OU." There has to be something I missed. Any Ideas? Could it be a setting that is allowing settings to follow the user? I do have roaming profiles set up. Now that I think of it...
This topic first appeared in the Spiceworks Community -
MSI Package Software Installations and uninstallations by group policy and sccm
Hi,
I have a domain comprising approx. 30 ADCs, 5000 clients and 50 OUs. Our developers have created a c# Program for fetching some information from client machines and displaying them on their
screen on bootup (presence of 2 particular softwares, antivirus presence and its update date, OS patches updation etc... ). This program(.msi) and .net framework 4.0 is required to be pushed to all client machines. We have SCCM server through which we can
push software to be installed on clients. There are no. of ADCs for controlling different sites and OUs. Now I need to push this msi and .net framework to all clients. Dotnet framework I pushed from SCCM & it is successful.
Till today I have pushed this .MSI package using Group policy software installation settings using a local sharepath & sysvol.
In Local Share path , MSI source is availbale at only one ADC and all clients contact this adc only to install software and its taking very long time to boot.
Using Sysvol share path , MSI Source is available at All ADC and All Clients Contact their Site's ADC to install software.Only Win 7, win 8 machines are getting install and software is not able to install on XP and vista machine. What might be the
problem for xp machine getting it from sysvol path?
The error for XP machines is that Sysvol path is not accessible/ source is not available.
Now I need to have some other fullproof method to apply it. How I need to push this .MSI packages to all sites (ADCs) in my child domain from my PDC.
I want to know the steps & methods for installing & uninstalling this .MSI package using Group policy and SCCM as well.
Thanks for replying...Hi,
Based on your description, I want to confirm whether we have more than one domain. If we have more than domain, it is suggested that we can push the
MSI package from each domain.
Regarding how to use Group Policy to remotely install software, the following article can be referred to for more information.
How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
http://support.microsoft.com/kb/816102/en-us#method1
In addition, you also mentioned how to use SCCM to do this, in order to get better assistance, we can ask help in the following SCCM forum.
System Center Configuration Manager
http://social.technet.microsoft.com/Forums/systemcenter/en-US/home
Best regards,
Frank Shen -
Deployment of software through Group policy does not work
Hi all,
I am trying to deploy a program through Group policy, specifically winrar, any client computer is able to install the program. Please find below the events from the workstation:
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 4/27/2014 10:06:01 PM
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IRCLIENT0001.corp.healthcareinnovation.com
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because
of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 4/27/2014 10:04:49 PM
Event ID: 1085
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: IRCLIENT0001.corp.healthcareinnovation.com
Description:
Windows failed to apply the Software Installation settings. Software Installation settings might have its own log file. Please click on the "More information" link.
Log Name: System
Source: Application Management Group Policy
Date: 4/27/2014 10:04:49 PM
Event ID: 108
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: IRCLIENT0001.corp.healthcareinnovation.com
Description:
Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was : %%1612
Log Name: System
Source: Application Management Group Policy
Date: 4/27/2014 10:04:48 PM
Event ID: 102
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: IRCLIENT0001.corp.healthcareinnovation.com
Description:
The install of application WinRAR from policy Basic Computers GPO failed. The error was : %%1612
I am using windows server 2008 R2 and all my clients are running Windows 7 Enterprise and they are working over a domain, note that I am using VMware.
Below there are a list of the troubleshooting steps that have been already applied:
*Disable the the firewall both in the server and in the clients
*Grant read access to the folder where the the program is shared for installation, it was added the authenticated users and domain computers.
*Group policy modifications:
-> User Account Control
Policy Setting Winning GPO
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting Basic Computers GPO
- User Account Control: Detect application installations and prompt for elevation Disabled Basic Computers GPO
- User Account Control: Only elevate UIAccess applications that are installed in secure locations Disabled Basic Computers GPO
- User Account Control: Run all administrators in Admin Approval Mode Disabled Basic Computers GPO
--> System/Group Policy
Policy Setting Winning GPO
- Startup policy processing wait time Enabled Basic Computers GPO
Amount of time to wait (in seconds): 120
--> System/Logon
Policy Setting Winning GPO
- Always wait for the network at computer startup and logon Enabled Basic Computers GPO
Thank you very much for your time.Hi Marco,
Based on your description, we can enable diagnostic logging of Group Policy Software Installation processing to troubleshoot the issue.
Regarding this point, the following article can be referred to for more information.
How to troubleshoot software installations by using Windows application management debug logging
http://support.microsoft.com/kb/249621
Once you get the log, you may upload it to OneDrive and provide us the download link.
In addition, the following article provides a step-to-step guidance for deploying software via group policy and can be referred to for double check.
How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
http://support.microsoft.com/kb/816102
Best regards,
Frank Shen -
Flash Player group policy installation
Hi All,
Consider the following scenario:
BigCorp deploys thier Flash player the Group Policy Software Installation (GPSI).
BigCorp rolls out the latest version of Flash player to thier site. Although BigCorp has followed all thier testing plans, and not noticed errors - users begin to report issues with a line of business app which uses Flash.
Admins at BigCorp disable the policy which installed the latest version of Flash payer, and re-enable the previous version. Affected users reboot thier machines and they hang indefinatley at the GPSI instllation stage.
This behaviour appears to be by design, but the behaviour of the installer is not sane at this point.
I believe that this issue is caused by the feature noted at http://kb2.adobe.com/cps/402/kb402435.html - since removing HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer\SafeVersions prevents this from happening. (Specific versions are listed, and appear to work as one might expect; i.e. remove the DWORD value at HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer\SafeVersions\10 and earlier versions can be installed)
The reason for the indefinate wait during installation of a downlevel version appears to be that the installer is displaying a dialog box that has been suppressed by GPSI since it is, I imagine, waiting for a response from the user that it will never recieve. At this point the only way to allow the machine to complete a reboot is to either a)disonnect the network b) force the policy to fall out of scope.
Evidence for this can be obtained from the %windir%\system32\macromed\Flash\install.log; specifically the line:
MessageBox: 12582960,"The version of Adobe® Flash® Player ActiveX that you are trying to install is not the most current version. Please visit http://www.adobe.com/go/getflashplayer to obtain the latest, most secure version."
Whilst I can understand (to some extent) the design of this feature - preventing the installation of an older client in this manner is disruptive to Adobe's clients.
It would be advantageous if we could override this using an MSI property. For example the Safe Versions features is in effect, unless the notional IGNORESAFEVERSIONS property is set to 'YES'. (Perhaps Adobe could consider this a feature request?)
This would afford protection for the maximum number of customers, but allow users with a business need to roll back to an older version of Flash player to shoulder the responisbility of running an older version.
http://kb2.adobe.com/cps/141/tn_14157.html is NOT a sensible solution for customer who are relient on GPSI for Flash Player installation. Repeatedly running the downloadable uninstaller is not a sane thing to do, as far as I can tell.
I've only tested this with the Adobe supplied MSI (not the in-browser installer) as I have thousands of machines to deploy this to.
Does anyone else have issues with this, and how do you get around them?Hi,
Apologies for digging up this thread but this issue has meant that I haven't deployed any updates to the Flash Player ActiveX since 10.0.45.2 for fear that it'll break my whole GP software deployment.
Firstly, I don't think Adobe will ever do 'the right thing' and introduce a new MSI property to make the install ignore any existing SafeVersions registry keys because I don't think they can; the actual ActiveX install is a custom action that calls an external executable embedded within the MSI that doesn't use Windows Installer technology so it wouldn't be aware of any MSI properties.
However, I've recently revisited this problem and I think I may have come up with a solution.
The trick I've employed is to ensure that the HKLM\Software\Macromedia\FlashPlayer\SafeVersions registry key gets removed during the MSI uninstall routine. To do this you need to modify the MSI to add a new row into the Registry table.
You can do this by generating a transform using Orca, like so;
Registry = [any unique value you like]
Root = 2
Key = Software\Macromedia\FlashPlayer\SafeVersions
Name = *
Value = [Blank]
Component = ISRegistryComponent
The important bit is the asterix against the Name value. This tells the MSI to always remove that registry key upon uninstall no matter what existing values are contained within the key. Once that key is gone you can install any other version of Flash Player you like, even older versions.
This whole method of deployment relies on a couple of things to work though;
You must ensure that Flash Player auto updates are turned off for all your workstations that have Flash Player installed using Group Policy. http://kb2.adobe.com/cps/167/16701594.html describes this method. Note that for x64 machines you must place the MMS.CFG file under %systemroot%\SysWOW64\Macromed\Flash and not %systemroot\SysWOW64 like the document says. This ensures that your users don't manually update Flash Player out of your control and with an MSI that doesn't employ the fix as above.
Ensure that all future versions of Flash Player are pushed out using Group Policy and that you use the transform file above for each one. If you do this you can roll back to a previous version without issue.
Assign the MSI to your computers rather than users
I've only ever 'replaced' Flash Player in Group Policy when rolling out a new version rather than upgrade it. This means that the existing version is completely uninstalled before the new one. That's not to say that upgrades won't work, it's just that I've never tried it.
EDIT: 'Upgrading' previous MSI's works fine.
One last thing to note though is if you've already assigned Flash Player using Group Policy you can directly modify the install_flash_player_10_active_x.msi that was used to include the above registry row (ie, not using a transform) and then re-deploy it. This ensures that the SafeVersions key will be removed right from the start if it is ever uninstalled. Of course, if any of your users have manually upgraded to a newer version since then this won't work - in that case you'll have to remove the SafeVersions key manually, perhaps using a VB script (ideally at machine shutdown).
I hope this information helps anyone who's had a headache with deploying Flash Player through Group Policies.
Cheers,
Zinc
Message was edited by: Zinc666 -
11.5.2.602 Group Policy Installation issues
Consider the following scenario:
BigCorp wants to deploy a limited amount of software to their MS Windows desktop service, such that they can provide a rich browsing experience at login after a machine is joined to the domain. To facilitate this, they deploy browser plug-ins such as Flash and Shockwave using group policy software installation (GPSI).
This is a sensible decision, as there are vendor provided MSIs available to use and it ensures that the software is easily managed (upgrades, removal etc)
When attempting to deploy Shockwave v11.5.2.602 an incorrect repair of the MSI is triggered on first use of the software for each user.
On a standalone, otherwise clean, Windows XP SP3 machine with IE7:
1. Install the software as a user with the correct rights (AdminUser), using the MSI direct from Adobe.
2. Logout AdminUser and Login StandardUser
3. Visit http://www.adobe.com/shockwave/welcome/ - At this point the MSI runs a repair and logs the following to the application event log:
Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1004
Date: 02/12/2009
Time: 09:30:48
User: IT-2220-VM4\Standard
Computer: IT-2220-VM4
Description:
Detection of product '{7D0F2155-D7D3-42CE-903F-684ADD77FF89}', feature 'Adobe_Shockwave_Player_', component '{E89F323D-7BDB-46E1-A0FD-6227821F94EA}' failed. The resource 'C:\Documents and Settings\AdminUser\Application Data\Adobe\' does not exist.
Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 02/12/2009
Time: 09:30:48
User: IT-2220-VM4\Standard
Computer: IT-2220-VM4
Description:
Detection of product '{7D0F2155-D7D3-42CE-903F-684ADD77FF89}', feature 'Adobe_Shockwave_Player_' failed during request for component '{3D3697FC-DB90-46D8-9ED4-5D54B4901F62}'
*** Please note the path in EventID 1004 above (C:\Documents and Settings\AdminUser\Application Data\Adobe\) has been generated whilst logged in as StandardUser NOT AdminUser. ***
This condition will always be true, since there is no read permission on another users profile for a standard user account. Granting this right is not desirable in a roaming profile environment. This repair will be triggered for each and every user of the machine.
Though this repair appears to be non-destructive and doesn't appear to inhibit successful removal, it is undesirable behaviour.
Furthermore, and as other have mentioned, loading a shockwave item in a browser (IE7 in our case) also results in the following entry in the system event log:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10000
Date: 02/12/2009
Time: 09:30:49
User: IT-2220-VM4\Standard
Computer: IT-2220-VM4
Description:
Unable to start a DCOM Server: {1F3CB77D-D339-49E0-B8E4-FECD6D6F8CB8}. The error:
"The filename, directory name, or volume label syntax is incorrect. "
Happened while starting this command:
C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE" -Embedding
We are keen to move to the latest version of Shockwave, for the obvious reasons, but these issues are going to make it difficult to get through our change management processes; as the package doesn't meet the requirements we have laid out for our user experiences.
Can someone at Adobe comment on the reason for this undesirable behaviour and how it came about? Can we expect later versions of Shockwave to exhibit the same behaviour?Hi,
I have posted an MST file which fixes this and other issues to the following thread here:
http://forums.adobe.com/message/2697135#2697135
Please post any feedback to that thread!
Kind regards,
Chris Hill -
Programs Won't Uninstall With Group Policy
Thanks for the constant Adobe Flash updates, I'm constantly uninstalling one version, then installing the new version of Flash. I use a separate GPO for each version.
Occasionally, a version doesn't uninstall. I'll remove computers from the Security group tied to the GPO and / or remove the policy from the GPO.
But the program's "stuck" if you run rsop.msc and remains as an installed program. This "stuck mode" seems to block the installation of any other program via Group Policy. Even if you uninstalled it manually, it'd still show up
in rsop.msc
So far, my only recourse has been to remove the computer from the domain and re-add it.
I'm looking for a less tedious method. Anyone know a way to force an uninstall and clear it out so it doesn't appear when you run rsop.msc.
Thanks!Hi,
Before going further, for group policy software installation, to remove a published or assigned package, we can choose to click
Immediately uninstall the software from users and computers to uninstall deployed software when removing the package.
Regarding this point, we can refer to
Remove a package section in the following article.
How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
http://support.microsoft.com/kb/816102#method5
However, we can also utilize group policy to upgrade installed software based on previous deployed package, and we can choose to uninstall the existing package before installing
the upgrade package.
Regarding this point, the following article can be referred to for more information.
Upgrade an application
http://technet.microsoft.com/en-us/library/cc783421(v=ws.10).aspx
For we had removed the package, but the software didn’t get uninstalled, as a result, can we try redeploying the package, and then when we remove the redeployed package, we can
choose to immediately uninstall the software?
TechNetSubscriber Support
If you are TechNetSubscription user and have any feedback on our support quality, please send
your feedback here
Best regards,
Frank Shen -
Insufficient permissions for software installation
We are experiencing following error message when installing software from software center using SCCM 2012 SP1 “Insufficient Permissions for software installation”. only when users (without local
admin) are login. This error is only happening to small number of clients while other clients are installing with no issue.
I have found following KB and it is the same issue:
http://social.technet.microsoft.com/Forums/en-US/e2e68509-d6ee-4975-86b5-4894d2d6895f/software-center-permissions-error-sccm-2012?forum=configmanagerapps
Is it possible a GPO policy and if yes what will be the configuration information to verify.Hi,
Are there two clients with this error in the same domain and with the same GPO applied?
Best Regards,
Joyce
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.
Maybe you are looking for
-
Is this even possible with a selectManyCheckbox???
I know I can do one of two layouts with a selectManyCheckbox, line or page. I would like to have the checkboxes go horizontally i.e. line, but after x number of them, say 5, I would like to start a new row rather than scrolling off to the right... I
-
iPhoto was working great, no complaints until last night. Went to edit a photo to email and upon clicking the icon nothing happened. Went thru applications and iPhoto no longer on the list. Now even the icon is gone. I can find my photos, if doing so
-
Binding WinXP Machines to SMB Domain on Mac OS X Server
I've got an Xserve running OS X Server 10.5.6 acting as a Primary Domain Controller (PDC) in SMB using the domain name "DOMAIN". I have set up DNS on the Xserve as well with a primary zone for the domain "domain.lcl" and a machine entry for the serve
-
I have bought monthly subscription for photoshop but I have changed my system so I want it to be working in my new computer. What should I have to do?
-
How can I get FireFox to stop asking me if I want to save a password?
I DO NOT want ANY internet entity saving my webpage passwords. Mozilla/FireFox insists on asking me if I want to save my password to a webpage. How do I get it to STOP asking me if I want to save a password?