|
I am trying to get Java 6.22 and Adobe Acrobat Reader 10 deployed to a network of 60 machines. With Reader 9.4 you could run the exe and it would extract the MSI file to like users\you\local\adobe\poo poo\ and you just grab the MSI and data.cab, etc and work with it. How have you handled the Acrobat 10 deploy? How about the best way to deploy Java? Kind of getting my butt kicked here. Do you HAVE to create a transform file to deploy an MSI using active directory and GPOs?
|
# ? Nov 30, 2010 18:08 |
|
|
# ? Jun 10, 2024 12:22 |
|
Defghanistan posted:I am trying to get Java 6.22 and Adobe Acrobat Reader 10 deployed to a network of 60 machines. With Reader 9.4 you could run the exe and it would extract the MSI file to like users\you\local\adobe\poo poo\ and you just grab the MSI and data.cab, etc and work with it. ftp://ftp.adobe.com/pub/adobe/reader/win/
|
# ? Nov 30, 2010 18:14 |
|
FISHMANPET posted:ftp://ftp.adobe.com/pub/adobe/reader/win/ Oh god you're a good person, thank you.
|
# ? Nov 30, 2010 18:22 |
|
Hold off on rolling out Reader/Acro 10 until Adobe updates their customization wizard. Trying to do it yourself with InstEdit/Orca will drive you insane. They're still doing security updates to v9 so that shouldn't be too much of an issue.
|
# ? Nov 30, 2010 19:44 |
|
BangersInMyKnickers posted:Mapped drives through policy have been known to be spotty and I don't believe anyone had come to a solid conclusion on the cause. You might be better off with logon scripts. I think I got it to work (or at least solve my one problem) by setting the reconnect flag. Testing now!
|
# ? Nov 30, 2010 20:10 |
|
Moey posted:Users don't know how to restart/shutdown... There's probably a few things you could do to help this out without pushing policies too far. You can disable shutdown for the users via GPO. That's pretty easy and doesn't affect anything unless they are logged in. If you're worried about systems being off at a certain time you could look into some wake-on-lan stuff. Some of the implementations will allow a wake from power off. It would probably help if you explain what you want your users to do and for what purpose and someone can make better suggestions about how to achieve your goal.
|
# ? Dec 1, 2010 04:44 |
|
Moey posted:So when I got to the place I'm working at, we used something called Desktop Authority. Its basically a program that makes any kind of GPO you can think of point and click. We just recently decided to get rid of it, and make GPOs ourselves. Nothing was real difficult, but we have one problem. Is removing the shutdown option from the start menu a workable solution? User Config -> Policies -> Admin Templates -> Start Menu and Taskbar -> Remove and prevent access to the Shut Down, Restart…
|
# ? Dec 2, 2010 02:44 |
|
Many people have asked for the opposite of what I am about to ask for. How can I make Adobe Flash/Reader/Java update itself silently without prompting the user? Is there any way to do this? Any idea when the Adobe Customisation Wizard will include Reader 10? I'm having to deploy it to hundreds of machines and I don't want to put 9 out when 10 is out.
|
# ? Dec 3, 2010 21:30 |
|
If you're in a domain with restricted admin rights, either push the installs out over policy/scripts or you're going to need 3rd party tools like Shavlik to manage patching of 3rd part components. All those update things run within a user context so you're better off disabling them and finding a different way to manage it.
|
# ? Dec 3, 2010 21:36 |
|
BangersInMyKnickers posted:If you're in a domain with restricted admin rights, either push the installs out over policy/scripts or you're going to need 3rd party tools like Shavlik to manage patching of 3rd part components. All those update things run within a user context so you're better off disabling them and finding a different way to manage it. If I was on one domain that would be fine but I have close to a hundred seperate domains to manage making updating GPOs a bit of a nightmare Any other ideas?
|
# ? Dec 3, 2010 21:52 |
|
Trinitrotoluene posted:If I was on one domain that would be fine but I have close to a hundred seperate domains to manage making updating GPOs a bit of a nightmare Any other ideas? SMS (or whatever they call it now) is probably the route you should be looking at if you don't have it in place already. Or possibly this http://w3sus.com/
|
# ? Dec 3, 2010 22:05 |
|
I used to be a SMS Infrastructure Analyst before I changed careers. It's much too expensive for administering across 100 different sites and networks and companies, which is a shame because it is awesome. I will look into w3sus thanks for the suggestions
|
# ? Dec 3, 2010 22:17 |
|
I have a logon script that just won't run. I set it up like I normally would, as a group policy. I never see abox pop up where it runs after you login, and the drives never map. GPRESULT shows it as being applied. Any ideas? It's basically: NET USE U: /DELETE NET USE T: /DELETE NET USE U: \\DATA\USERS NET USE T: \\DATA\COMPANY edit: all my other GPO's are working fine Bob Morales fucked around with this message at 22:07 on Dec 16, 2010 |
# ? Dec 16, 2010 21:50 |
|
Bob Morales posted:I have a logon script that just won't run. I set it up like I normally would, as a group policy. I would start by putting some debug code in it that echos out a timestamp to a text file in the user profile so you can figure out of the script is even launching or not.
|
# ? Dec 16, 2010 23:05 |
|
BangersInMyKnickers posted:I would start by putting some debug code in it that echos out a timestamp to a text file in the user profile so you can figure out of the script is even launching or not. echo bob >> bob.txt That works....the net use lines don't seem to, though.
|
# ? Dec 16, 2010 23:14 |
|
Bob Morales posted:echo bob >> bob.txt Pipe the output from the net use commands in to that file as well to see if they are throwing errors or something.
|
# ? Dec 16, 2010 23:18 |
|
BangersInMyKnickers posted:Pipe the output from the net use commands in to that file as well to see if they are throwing errors or something. It was asking if I was sure I Wanted to delete one of the driving mappings... Thanks.
|
# ? Dec 17, 2010 14:57 |
|
What is the proper way of updating Flash Player via group policy? I currently have a software installation setup for 10.1 for IE. When flash player gets updated with a minor revision 10.1.x how do I reflect this and update it via GPO? I know the function 10 update is still there but the MSI seems to be for 10.1 only and not for sub revisions.
|
# ? Jan 7, 2011 15:27 |
|
When you add the new msi to the existing GPO, it's recognised as newer and will install. If you go into properties of the msi file, there's a signature timestamp from Adobe. I guess it's using this.
|
# ? Jan 7, 2011 16:39 |
|
Trinitrotoluene posted:What is the proper way of updating Flash Player via group policy? The MSI you download from here http://www.adobe.com/products/flashplayer/fp_distribution3.html will always been the most recent build. Just dump that updated MSI in to your policy and the logic in the installation package will take care of installing over the old one. alanthecat posted:When you add the new msi to the existing GPO, it's recognised as newer and will install. If you go into properties of the msi file, there's a signature timestamp from Adobe. I guess it's using this. There is a table in the MSI package that references all the old package IDs that this one will upgrade. Most vendors do this this day and it keeps you from having multiple versions of the same software sitting side by side. For those that don't however, you can use the the Upgrade tab of the package assignment to specify the packages it is upgrading. That will basically recreate this functionality and remove the old before the new is installed. Don't bother doing this though unless you know your software won't upgrade cleanly in the first place.
|
# ? Jan 10, 2011 23:37 |
|
When you say dump the updated MSI do you literally mean replace the one that is there in the actual file share and don't even touch group policy? It may sound a bit overboard but could you give a quick over view as to what you would do? What kind of behaviour can I expect from a MSI that does not have the package id in for a previous version? Say there were on a stupidly old flash player, or Adobe Reader 6 for example.
|
# ? Jan 11, 2011 01:34 |
|
Trinitrotoluene posted:When you say dump the updated MSI do you literally mean replace the one that is there in the actual file share and don't even touch group policy? It may sound a bit overboard but could you give a quick over view as to what you would do? Either you can overwrite the old MSI with the new one and choose "Redeploy" from the package options in the policy, or keep each version in it's each directory and manually remove the old package from the GPO and add in the new one. I do the latter because it gives me an easy way to revert to the prior version of things go badly. Generally two things will happen with old software versions that don't recognize their older version: With simple things like Flash, it will just overwrite the old version and take over the flash handling in the browser. Some leftover files and registry entries from the old version might still hang around but they won't do anything bad so who care. With things like Acrobat Reader, the new and old versions will be installed concurrently, but the newest one will take ownership of the PDF filetype. The newest one will also take care of MIME handling of PDFs in the browser. Its up to you if you want to bundle those installs with a script that will uninstall the old version.
|
# ? Jan 12, 2011 18:43 |
|
Hey has anyone had issues deploying drive letters in group policy preferences? The only thing that fails in testing and actual deployment are drive letter maps. I can create folders, apply registry edits, and deploy software etc etc but drive letters seem to fail at a server side, not a user/desktop side.
|
# ? Jan 15, 2011 18:55 |
|
incoherent posted:Hey has anyone had issues deploying drive letters in group policy preferences? The only thing that fails in testing and actual deployment are drive letter maps. I can create folders, apply registry edits, and deploy software etc etc but drive letters seem to fail at a server side, not a user/desktop side. Policy drive mapping has been inconsistent for quite a few people that tried it here. Haven't figured out a cause to it, but some people got it working by toggling the reconnect switch on the mapping. If it gives you grief I would say just stick to a logon script to do the work.
|
# ? Jan 16, 2011 14:59 |
|
BangersInMyKnickers posted:Policy drive mapping has been inconsistent for quite a few people that tried it here. Haven't figured out a cause to it, but some people got it working by toggling the reconnect switch on the mapping. If it gives you grief I would say just stick to a logon script to do the work. I have a horribly weird domain setup, SBS 2003 box with a 2008R2 alternate AD, mix of XP, vista, windows 7 clients, and drive mapping works fine, even with heavy use of the expressions/filters you can make for them. If you are drive mapping for XP, you MUST have the group policy client side extensions installed, but otherwise it's been painless for me.
|
# ? Jan 16, 2011 19:18 |
|
Thanks guys, i'll move forward with the script. The dream of a ~~script~~ free login will remain just that .
|
# ? Jan 16, 2011 22:39 |
|
BangersInMyKnickers posted:Policy drive mapping has been inconsistent for quite a few people that tried it here. Haven't figured out a cause to it, but some people got it working by toggling the reconnect switch on the mapping. If it gives you grief I would say just stick to a logon script to do the work. When we switched from Script Logic to using GPO for things, drive mapping worked pretty well (220 something users), but I have still had the rare issue here or there (maybe like 3-4 users) where the drives won't map. At that point I just manually map them, knowing if I make server changes, I will end up with another helpdesk. Also I was reading over your post about updating flash/adobe via GPO, will probably be testing/pushing that out this week. We just had vuln testing done and internally our only big problem was the disgusting amount of outdated software (mostly adobe).
|
# ? Jan 17, 2011 04:55 |
|
I am trying to set up a script to install some software that I just quite cant get to work in msi. My mind is telling me I need to set this as a startup script so it will install in the context of the system account rather than the user account context so I can avoid UAC prompts. Is my memory serving me correctly or am I totally bonked out on this?
|
# ? Jan 17, 2011 19:27 |
|
Syano posted:I am trying to set up a script to install some software that I just quite cant get to work in msi. My mind is telling me I need to set this as a startup script so it will install in the context of the system account rather than the user account context so I can avoid UAC prompts. Is my memory serving me correctly or am I totally bonked out on this? What scripting language, VB? We have a few setup at a few of our clients but they are shutdown scripts rather than startup scripts to minimise disruption to the client. We do have a few startup scripts running (yes they run in the context of the system account) and have no UAC issues. As all us techs know though, that doesn't mean there isn't going to be any UAC issues
|
# ? Jan 17, 2011 23:17 |
|
Syano posted:I am trying to set up a script to install some software that I just quite cant get to work in msi. My mind is telling me I need to set this as a startup script so it will install in the context of the system account rather than the user account context so I can avoid UAC prompts. Is my memory serving me correctly or am I totally bonked out on this? If your script is doing software installations then yes. Startup scripts in GPO will run with system credentials and UAC elevation will not be a problem.
|
# ? Jan 18, 2011 14:32 |
|
Are PowerShell scripts only guaranteed to run on Windows 7/2008 R2? That's what the property page for logon/startup scripts implies but I would think that as long as PS is installed they should run.
|
# ? Jan 18, 2011 15:58 |
|
Derpes Simplex posted:Are PowerShell scripts only guaranteed to run on Windows 7/2008 R2? That's what the property page for logon/startup scripts implies but I would think that as long as PS is installed they should run. I believe the default execution policy for Win7/2008R2 is RemoteSigned so your local script should work. XP/Vista/2003/2008 default to Restricted so you'll have to change it before anything will work. Also make sure you specify that the PS1 scripts launch using powershell.exe as the handler otherwise they'll just come up in notepad or whatever under the system account.
|
# ? Jan 18, 2011 16:06 |
|
Anyone know of a good guide to get me started with updating or uninstalling/reinstalling software through GPO? Have a list of things I need to work on, seems like some will be easy, and some will be a pain. -Adobe Reader, Flash, Shockwave -Java -Firefox -VLC -Quicktime
|
# ? Jan 19, 2011 22:35 |
|
Moey posted:Anyone know of a good guide to get me started with updating or uninstalling/reinstalling software through GPO? Adobe Reader: http://www.adobe.com/products/reader/distribution.html Apply for distribution rights (automated and free) and you can download the msi installer of Reader. Use the customization tool to build your package and transform. Only works for version 9 so don't do X yet. http://www.adobe.com/support/downloads/detail.jsp?ftpID=3993 Flash: Just push out the msi from here http://www.adobe.com/products/flashplayer/fp_distribution3.html Shockwave: The shockwave msi is a broken piece of poo poo that won't install through policy. Nobody in their right mind uses shockwave for anything these days so why bother installing it? Java: Download the offline installer and open it. Wait until the first window opens, then go to appdata\locallow\sun\java\yourversion and copy out the installer files. Delete the .mst it comes with. Use InstEd to make a transform for the package that sets the following properties to 0: AUTOUPDATECHECK, JAVAUPDATE, JU Firefox: Use this http://www.frontmotion.com/Firefox/ VLC: Doesn't appear to be an msi package. Read the documentation for command line switches to run the install silently and do it through a system startup script. Quicktime: Download the Quicktime installer. Extract the contents with an archive tool and delete AppleSoftwareupdate.msi and QuickTimeInstallerAdmin.exe. Make a transform for Quicktime.msi with the follow changes; Property table: set SCHEDULE_ASUW to 0, REGSRCH_DESKTOP_SHORTCUTS to 0. Shortcut table: Delete the QuicktimePlayer_Desktop row. Registry table: Delete the row containing entries for the SOFTWARE\Microsoft\Windows\CurrentVersion\Run key. The quicktime msi and the AppleApplicationSupport msi both need to be installed so make sure they are both linked in the policy.
|
# ? Jan 19, 2011 23:12 |
|
BangersInMyKnickers posted:awesome info Thanks for the awesome info. Will start running some tests and see how things go. For shockwave, we had like 60-something instances that the scanner found, with about 10 different vulns. So I either need to get it updated on those machines, or just get it uninstalled.
|
# ? Jan 19, 2011 23:17 |
|
Moey posted:Thanks for the awesome info. Will start running some tests and see how things go. For shockwave, we had like 60-something instances that the scanner found, with about 10 different vulns. So I either need to get it updated on those machines, or just get it uninstalled. The easiest thing to do is go to the systems where it is installed with regedit and open the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall key. Look through there to find the Shockwave installs and use the UninstallString value to collect the msiexec.exe /x {jglasdjkghaslkdghas} things you need to put in your system startup script to clear them out.
|
# ? Jan 19, 2011 23:22 |
|
BangersInMyKnickers posted:Adobe Reader: http://www.adobe.com/products/reader/distribution.html The Customization Wizard X has been released, and works in our environment: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4950 However, Reader X has two major flaws for us; opening PDF's from a DFS share will give you "Access is Denied", and printing random PDFs to an HP Designjet 4000/4500 plotter fails with "No pages Selected". Regarding the DFS issue, the solution is to disable Protected Mode, which is kinda the whole point of Reader X. Nice one Adobe.
|
# ? Jan 20, 2011 00:04 |
|
Jadus posted:The Customization Wizard X has been released, and works in our environment: About a year back, one of their patches for 9 broke the product entirely for anyone redirecting the appdata folder. Gotta love their quality control. Glad that customization wizard x is finally out, though.
|
# ? Jan 20, 2011 00:15 |
|
Anecdotally, I'm having one hell of a loving time with GPE drive mappings. It works for me every time I log in, but it randomly does or does not work for my users. And the same users will have it work one day, and not the next. What a pain in the rear end.
|
# ? Jan 20, 2011 17:08 |
|
|
# ? Jun 10, 2024 12:22 |
|
Jadus posted:The Customization Wizard X has been released, and works in our environment: For what it is worth the last time I looked into it McAfee prevents the Protected Mode from working and causes Reader X to throw up some scary error when it opens. There is an exception that can be made in McAfee Access Protection except the list doesn't actually work.
|
# ? Jan 20, 2011 21:09 |