adamdunford Posted September 17, 2009

Hi there,

I have a software package I wish to deploy via GPO. I believe I have set up the GPO fine.

When I test on my own account (Admin account) the software installs fine when I log in.

However, when I test it on a standard user's account (Power User) it fails to install, and in the log it says the user must be a member of the administrator group to run the install - I thought as it runs from the GPO it should install it anyway?

Any help you guys could give me would be great!!

Cheers
Adam
cluberti Posted September 17, 2009

First, are you assigning the package, or publishing it? Also, make sure you're targeting the computer account with the package, not the user account. If you HAVE to assign or publish it to the user, there are some things to think about that won't apply if you're assigning it to a computer account.

First, if you are assigning to a user, you will likely need to have the Windows Installer "Always Elevate" policy enabled in both the computer and user GPO(s) that apply to this user. The stub is loaded via the system account's msiexec, but the install actually happens in the context of the user (even from a GPO), hence this policy, if needed to be configured, must be set to always elevate in both the computer and the user portions of policy that apply to this user. Note that this is a security risk, so it's not a recommended method (but can be used if needed).
adamdunford (Author) Posted September 17, 2009

Hi there, thanks for the reply.

The policy is set to Assigned and to install at logon at the user level.

I have tried to set it at computer level but get the following error - "The error was : The group policy framework should call the extension in the synchronous foreground policy refresh"

This has something to do with fast user switch and fast logon times, which I googled and turned off via GPO.

Once you restart the machine the program is there... The only problem with that is we have 650 PCs with a program called Faronics Deepfreeze on, that basically returns the machine to its install state once the machine is booted/rebooted - unless we visit each machine manually and put them into maintenance mode and do the install.....

If I do this elevated privileges - what security risks does this make?

I have toyed with the idea of making a bat file with the runas permissions set - but you can only make the password clear text - has anyone got workarounds for this?

Many thanks
Adam
cluberti Posted September 17, 2009

"If I do this elevated privileges - what security risks does this make?"

Anything that's an .msi package can be installed by any user, without any security checking. So, conceivably, someone could wrap some malware or virus in an MSI and a non-admin user can install it.
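
Added example (not part of the thread, and not code from any poster): a PowerShell audit for the "Always Elevate" policy discussed above. It reports the policy as effective only when it is set in both the computer and the user hive, as cluberti describes. It assumes the standard policy registry value `AlwaysInstallElevated`, an elevated prompt, and it only sees user hives currently loaded under HKEY_USERS; `Get-PolicyValue` is a helper name chosen for this example.

```powershell
# Audit the Windows Installer "Always install with elevated privileges" policy.
# The policy only takes effect when the value is 1 in BOTH the computer and the user hive.
$subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$name   = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([string]$Path)
    # Returns the DWORD value, or 0 when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$name } else { 0 }
}

# Computer half of the policy.
$machine = Get-PolicyValue "Registry::HKEY_LOCAL_MACHINE\$subKey"

# User half: walk every loaded user hive (S-1-5-21-* are real accounts; *_Classes keys are skipped).
$results = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $user = Get-PolicyValue "Registry::HKEY_USERS\$sid\$subKey"
        # Resolve the SID to an account name for the report; fall back to the raw SID.
        try   { $acct = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value }
        catch { $acct = $sid }
        [pscustomobject]@{
            Account       = $acct
            MachinePolicy = $machine
            UserPolicy    = $user
            Effective     = ($machine -eq 1 -and $user -eq 1)
        }
    }

$results | Format-Table -AutoSize
if ($results | Where-Object Effective) {
    Write-Warning 'AlwaysInstallElevated is active for at least one loaded user profile.'
}
```

Any row with `Effective` set to True means that account can install any .msi with elevated rights, which is the risk described in the last reply.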