having trouble deploying firefox via GPO

robertkwild
Posts: 5
Joined: Sun Feb 03, 2013 6:08 pm


Post by robertkwild » Sun Feb 03, 2013 6:18 pm

Hi guys,

Having problems deploying it via GPO. I create a network share to the MSI package, then I include full access to all the domain computers (for them to install the MSI package).

Create a new GPO - Computer Config > Software Settings > right click, add new package, and add the network location to the MSI package.

In Security Filtering for the GPO I created, I add the domain computers.

Then I link the GPO to the domain computers tree (where all my domain computers are located).

On the client PC, I type gpupdate /force to get the new policy and then I restart my PC.

Next time I log in, it hasn't installed Mozilla Firefox.

Any help? I'm totally lost and I really don't understand why.

Many thanks

Rob

char0n
Posts: 5
Joined: Tue Nov 29, 2011 11:30 am
Location: Berlin, Germany.

Re: having trouble deploying firefox via GPO

Post by char0n » Mon Feb 04, 2013 5:28 am

Anything in eventlog? First place to search for deployment errors.
If there are none, check using cmd -> gpresult /R if the deployment policy should be applied.

Generally speaking, you should make sure that you don't deploy software from the netlogon share (that worked with 2003, but isn't supposed to from 2008 and above), and, very important, that the share you are using is accessible by your Domain Computers.

Good luck.

robertkwild
Posts: 5
Joined: Sun Feb 03, 2013 6:08 pm

Re: having trouble deploying firefox via GPO

Post by robertkwild » Mon Feb 04, 2013 9:32 am

In the end I followed the link below and all worked great!

The video tells you how to disable UAC for admins to install on the client computer as well.

http://www.youtube.com/watch?v=jXAz6vrWMP0

robertkwild
Posts: 5
Joined: Sun Feb 03, 2013 6:08 pm

Re: having trouble deploying firefox via GPO

Post by robertkwild » Tue Feb 05, 2013 12:16 pm

I've successfully done it, but in doing so I have disabled UAC for all of the domain users, LOL (I had to for it to install), so can anyone help me out? That would be really great.

Basically I only want UAC to be disabled for admins, NOT users (for the GPO to install the .msi package), and when I edit the GPO they give me these options for UAC -

admin approval mode for the built-in admin account - disabled

allow UIAccess apps to prompt for elevation without using the secure desktop - disabled

behavior of the elevation prompt for admins in admin approval mode - elevate without prompting

behavior of the elevation prompt for standard users - prompt for credentials

detect apps installations and prompt for elevation - enabled

only elevate executables that are signed and validated - not defined

only elevate UIAccess apps that are installed in secure location - not defined

run all admins in admin approval mode - not defined

switch to the secure desktop when prompting for elevation - not defined

virtualize file and registry write failures to per user location - not defined
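
The UAC options listed in the post above are stored as registry values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. The following is an added example, not part of the original posts: it reads those values on a client and flags the ones that switch UAC off or silence the admin prompt. It assumes PowerShell 3.0 or later, and the choice of which values to flag is this example's own.

```powershell
# Added example: report the local UAC policy values behind the GPO options in the post.
# Run on a client after gpupdate; reading this key does not need elevation.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> policy name as shown in the GPO editor
$policies = [ordered]@{
    FilterAdministratorToken    = 'Admin Approval Mode for the built-in Administrator account'
    EnableUIADesktopToggle      = 'Allow UIAccess apps to prompt without the secure desktop'
    ConsentPromptBehaviorAdmin  = 'Elevation prompt for administrators in Admin Approval Mode'
    ConsentPromptBehaviorUser   = 'Elevation prompt for standard users'
    EnableInstallerDetection    = 'Detect application installations and prompt for elevation'
    ValidateAdminCodeSignatures = 'Only elevate executables that are signed and validated'
    EnableSecureUIAPaths        = 'Only elevate UIAccess apps installed in secure locations'
    EnableLUA                   = 'Run all administrators in Admin Approval Mode'
    PromptOnSecureDesktop       = 'Switch to the secure desktop when prompting for elevation'
    EnableVirtualization        = 'Virtualize file and registry write failures'
}

# Data that weakens UAC (this list is the example's assumption, adjust to your baseline)
$weak = @{
    EnableLUA                  = 0   # UAC switched off for everyone on the machine
    ConsentPromptBehaviorAdmin = 0   # "Elevate without prompting"
    PromptOnSecureDesktop      = 0   # prompt drawn on the interactive desktop
}

$current = Get-ItemProperty -Path $key
$report = foreach ($name in $policies.Keys) {
    $data = $current.$name           # $null when the value is absent ("not defined")
    [pscustomobject]@{
        Policy = $policies[$name]
        Value  = $name
        Data   = if ($null -eq $data) { '(not set)' } else { $data }
        Weak   = $weak.ContainsKey($name) -and $null -ne $data -and $data -eq $weak[$name]
    }
}
$report | Format-Table -AutoSize -Wrap

$findings = @($report | Where-Object { $_.Weak })
if ($findings.Count -gt 0) {
    Write-Warning ("{0} UAC setting(s) weakened on {1}" -f $findings.Count, $env:COMPUTERNAME)
    exit 1
}
```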

jpa
Posts: 122
Joined: Fri May 01, 2009 5:06 pm

Re: having trouble deploying firefox via GPO

Post by jpa » Wed Feb 06, 2013 11:26 am

I think you've got something simple not quite correct. Software deployed in the Computer config of a GPO runs under the SYSTEM account which is not subject to UAC. I would try setting the Network share to ReadOnly Everyone and see what happens. Make sure to follow the earlier advice and look for problems in the event logs. You could also use psexec or something like it to run the "msiexec /i Firefox.msi" in the System account. You could also pass log options to msiexec so you can get a more detailed view of any problems.

I have not gone to extraordinary lengths to get Firefox installed by a GPO.

robertkwild
Posts: 5
Joined: Sun Feb 03, 2013 6:08 pm

Re: having trouble deploying firefox via GPO

Post by robertkwild » Thu Feb 07, 2013 12:51 pm

So you're saying, in the folder share that I have created, let everyone have read/execute access to it? Also, in the GPO I created, under where it says "Security Filtering", what users or computer accounts should I put in there, aka Everyone/Authenticated Users or Domain Computers?

jpa
Posts: 122
Joined: Fri May 01, 2009 5:06 pm

Re: having trouble deploying firefox via GPO

Post by jpa » Thu Feb 07, 2013 2:39 pm

It looks like I've cheated a bit and set the share to "Everyone - ReadOnly" and the GPO Security Filtering to "Authenticated Users". I would think that if this worked you could test locking this down a bit more by using "Domain Computers" in the GPO filtering and share.

robertkwild
Posts: 5
Joined: Sun Feb 03, 2013 6:08 pm

Re: having trouble deploying firefox via GPO

Post by robertkwild » Fri Feb 08, 2013 11:42 am

This worked like a charm, and what's best, I didn't have to touch the UAC configuration.

http://www.youtube.com/watch?v=ONRzrODglKk
