How to deploy a MSI only in a single OU? - active-directory

I have a VirtualBox laboratory with a Windows Server 2019 machine and two Windows 10 machines. Each machine can ping the other ones and the Server machine is a Domain Controller. The clients are part of the domain, which is labs.local. The Server has a static IP, and the clients' IPs are assigned by the DHCP Server.
Then I built an Active Directory structure of OUs, users and groups. There are three OUs, independent of each other. My goal is to deploy an MSI file only in one OU, let's say "IT". For that, I downloaded the MSI file and put it in a shared folder on the Server. I can access the shared folder from the clients by its UNC path with any user.
Now in Group Policy Management I created a new GPO and then I edited it. In the Group Policy Editor I chose User Configuration > Software Settings > Software Installation. Then I created a new assigned package with the UNC path of the MSI file. At the end I closed the Group Policy Editor and linked the GPO with the OU "IT".
However, after updating the group policies it seems that the GPO applies to the computer (Windows 10 machine) and not to the users because users from other OUs also have the MSI installed, in this case it's Firefox.
Can you give me a hint on how to deploy (and install) an MSI file only in a single OU? Thanks.

• Please check the ‘OU’ that you have applied the GPO to whether it has only computer systems or does it include users also. If it includes users also, then this group policy will be applied to the systems on which these users will be logged on to. This is the publishing method of installing a package in AD environment wherein the software package will be installed in those systems where the users in selected OUs have logged on to. This software package will be available in ‘Add or Remove Programs’ section of the control panel.
• Similarly, if the OU has computer systems only, and you have applied the GPO as specified in the question, then no computer system or user will be able to install that software package. And if the following GPO setting has been applied with users as well as computer systems in the OU, then when the user logs on to the computer, the software package gets installed and when the computer system starts, the software package gets installed. This is known as assigning method of software package deployment in AD environment.
‘ Group policy Management --> Select the GPO --> Edit --> Computer Configuration --> Software settings --> Software Installation --> New --> Package --> Type the UNC path of the share where the software package is placed --> Open --> Ok --> Save ’
Please see the link below for more information on the above topics:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-group-policy-to-install-software
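As an added check (example code, not from the answer above): this PowerShell snippet lists every OU a named GPO is linked to, counts the users and computers beneath each, and reports whether the GPO's Software Installation settings sit under User or Computer Configuration. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a domain-joined session, the placeholder GPO name "Deploy Firefox", and that Get-GPOReport's XML output exposes the extension type in the `type` attribute as assumed here.

```powershell
# Added example, not part of the original answer. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT) and a session that can query the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Deploy Firefox'          # placeholder: the name of your GPO
$gpo     = Get-GPO -Name $gpoName
$guid    = $gpo.Id.ToString()

# Which half of the GPO is enabled at all?
$userHalf = $gpo.GpoStatus -notin @('UserSettingsDisabled', 'AllSettingsDisabled')
$compHalf = $gpo.GpoStatus -notin @('ComputerSettingsDisabled', 'AllSettingsDisabled')

# Where does the Software Installation extension actually live in this GPO?
# (xsi:type of the Extension element is assumed to contain "SoftwareInstallation")
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$userSw = @($report.GPO.User.ExtensionData.Extension |
            Where-Object { $_.type -like '*SoftwareInstallation*' }).Count -gt 0
$compSw = @($report.GPO.Computer.ExtensionData.Extension |
            Where-Object { $_.type -like '*SoftwareInstallation*' }).Count -gt 0

Write-Host "GPO '$gpoName': user half enabled=$userHalf, software install under User=$userSw; computer half enabled=$compHalf, software install under Computer=$compSw"

# Every OU whose gPLink references this GPO, with the accounts it contains.
# A user-side assignment reaches every user under these OUs, on whatever machine they log on to.
Get-ADOrganizationalUnit -Filter * -Properties LinkedGroupPolicyObjects |
    Where-Object { $_.LinkedGroupPolicyObjects -match [regex]::Escape($guid) } |
    ForEach-Object {
        $dn = $_.DistinguishedName
        [pscustomobject]@{
            LinkedOU  = $dn
            Users     = @(Get-ADUser     -Filter * -SearchBase $dn -SearchScope Subtree).Count
            Computers = @(Get-ADComputer -Filter * -SearchBase $dn -SearchScope Subtree).Count
        }
    } | Format-Table -AutoSize
```

On a client, `gpresult /r /scope:user` run as the affected user shows which GPOs were actually applied to that logon, which is the quickest way to tell a user-side assignment from a computer-side one.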

Related

ClearTeam Explorer contacting expired license host

I can't get ClearTeam Explorer to register a new license server. It keeps referring to the old one.
The error I get back when I try to connect is that it can't connect to LICENSE_HOST_X.
I've changed the setting in the 'Home Base' control panel to point to the new LICENSE_HOST_Y, which works for the clearlicense tool and clearcase doctor but not for the team explorer.
The license settings are contained in the Windows Registry at HKLM\Software\Wow6432Node\Atria\ClearCase\CurrentVersion\Licensehost for Atria licenses.
For FlexNet licenses, the PortAtHost value at HKLM\Software\Wow6432Node\Rational Software\Licensing\8.0\ServerList comes into play as well.
The odds are VERY good that you're dealing with Windows registry virtualization. If you open the legacy "control panel" on Windows 10, run the "ClearCase" control panel as Administrator (or open "cc.cpl" from an elevated command prompt) and check the server information there. If you see different values for EXPLICITLY elevated and non-explicitly elevated control panel starts, you have entries in the "user specific" virtual registry store. Please note that this is a WINDOWS function, and not a ClearCase one.
Disabling the albd service on the license server is a very bad idea unless that is the only function the albd is providing. Disabling it on the client will essentially kill any local views AND the ability to map views to drives when the "credential manager" service that depends on this service fails to start.
Check if any of the elements mentioned in "How to change the hostname in the IBM Rational ClearCase environment" might have an influence in your case.
IBM Rational ClearCase supports two types of licenses, the Rational Common Licensing (FlexLM) and the Classic Atria licensing.
Update these files with the new host name:
Rational common licensing (FlexLM):
/var/adm/rational/clearcase/config/flexlm_host
Rational ClearCase Classic/Atria licensing:
/var/adm/rational/clearcase/config/license_host
So it can help to know if the new license server is of a different nature than the old one.
At the client level:
UNIX/Linux clients:
Update the new registry server's host name in the file /var/adm/rational/clearcase/config/rgy_svr.conf
Update the License Server using the instructions in the server configuration guidelines.
Windows clients:
Update the new registry and license server hostname information using the IBM Rational ClearCase control panel located under the Windows control panel.
If nothing works, I would, if my client is on Windows, search for the old license server name in the Windows Registry, and replace or even delete those entries.
On Windows, the OP V.Bogd confirms in the comments:
The problem went away after I disabled an "Atria Location Broker" service.
That was the service needed, as seen in this thread, for the old license manager:
No license available from ClearCase license manager;
Use clearlicense to display license usage
You can see more on albd_server.exe here.
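An added check for the registry-virtualization case described in the first answer (example code, not from either answer): it reads the license host from the real HKLM key quoted above and from the per-user VirtualStore copy that UAC creates under HKCU when a non-elevated 32-bit process writes to HKLM, and flags a mismatch. It assumes a 64-bit Windows client with ClearCase installed and that Licensehost is a value under the CurrentVersion key.

```powershell
# Added example, not from the original answers. Compares the machine-wide
# ClearCase license host with any per-user "virtualized" copy left behind by UAC.
$realKey    = 'HKLM:\SOFTWARE\Wow6432Node\Atria\ClearCase\CurrentVersion'
$virtualKey = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Atria\ClearCase\CurrentVersion'

function Get-LicenseHost {
    param([string]$Path)
    # Key absent means nothing was virtualized for this user (or ClearCase is not installed).
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).Licensehost   # value name assumed
}

$real    = Get-LicenseHost -Path $realKey
$virtual = Get-LicenseHost -Path $virtualKey
$mismatch = ($null -ne $virtual) -and ($virtual -ne $real)

[pscustomobject]@{
    MachineWide  = $real
    VirtualStore = $virtual
    Mismatch     = $mismatch
} | Format-List

if ($mismatch) {
    Write-Warning "Non-elevated ClearCase processes read '$virtual' from the VirtualStore copy, not '$real'."
    Write-Warning "Correct or remove the virtualized key; editing HKLM as Administrator alone will not change what they see."
}
```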

how to deploy only excel and word through domain server 2012r2

On my domain server 2012 R2 I am trying to deploy Office 2007, but not all of Office: I need to install only Excel and Word.
I found an .msi file within the DVD installation and found many .msi packages
called ExcelMUI.msi and WordMUI.msi at directory
...\English\Excel.en-us\ExcelMUI.msi
...\English\Excel.en-us\WordMUI.msi
Can I use them to deploy only Excel and Word through domain server 2012 R2?
Are they valid as .msi package installers?
Best Guess: I wonder if those MUI-setups are Multilingual User Interface setups. I think you should get on a virtual machine and try to run the setup.exe instead (if there is one) and then go to "Custom" or equivalent to see if you get a feature selection dialog. Then you should select Word and Excel to install fully and you can disable most other features (don't disable the shared features, just the other apps would be my suggestion - Outlook, PowerPoint, etc...). It is possible that those MSI files you mention can be used directly. You could try to run them - but only on a virtual of course. Or on a computer which does not matter - test computer of some sort. Look for a custom option and a feature dialog there too. Sorry, all I can suggest without installation media access.
Sure?: With all that said, Office on a domain server? Do you mean domain controller? (hope not). Sounds like a very dangerous move if you ask me - with all the security holes Office contains. At least make sure to run Windows Update or Office Update or whatever mechanism you have to deploy security fixes. Can I be curious and ask why the server needs Office? Is it for automation only?
Viewer for MSI Files: You can open and inspect MSI files using the free tools Orca, SuperOrca or InstEd (links towards bottom). I have an old answer on superuser showing how MSI features can be seen inside the MSI file.

Association file in terminal server for all users

I am trying to associate .hod files to IBM i Access Client Solution.
The IBM site says to use the "Open with" Windows menu, but in Terminal Server 2008 R2 if a user associates a .hod file to that program, on the next logon (maybe for redirection or policy reasons) it becomes an unidentified file.
Is there a way to fix that extension with that program even if it is only an executable file without installation? And for all users?
I have just found that the HKEY_LOCAL_MACHINE -> SOFTWARE -> CLASSES contains the same registry Keys as HKEY_CURRENT_USER -> SOFTWARE -> CLASSES.
I have associated my .hod file with i Access Client Solution and copied the Keys from HKCU to HKLM.
Now it works for all users and persists after restart.
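The machine-wide association described above, written out as an added PowerShell example (not the poster's code). It creates the .hod extension and its ProgID directly under HKLM\SOFTWARE\Classes, which every user profile falls back to when HKCU has no entry of its own; the ProgID name and the launcher path are placeholders, and the session must be elevated.

```powershell
# Added example, not from the original post: register .hod for all users under HKLM.
# Placeholders: $progId is any unique ProgID name; $exePath must be the real launcher path.
$ext     = '.hod'
$progId  = 'IBMiAccess.HodSession'
$exePath = 'C:\Path\To\acslaunch_win-64.exe'   # placeholder, replace with the installed path
$classes = 'HKLM:\SOFTWARE\Classes'

if (-not (Test-Path -Path $exePath)) { throw "Launcher not found: $exePath" }

# Extension -> ProgID (the default value of the extension key names the ProgID)
New-Item -Path "$classes\$ext" -Force | Out-Null
Set-ItemProperty -Path "$classes\$ext" -Name '(default)' -Value $progId

# ProgID -> friendly name and open command; quote both the executable and the %1 argument
# so paths containing spaces are not split into separate arguments.
$cmdKey = "$classes\$progId\shell\open\command"
New-Item -Path $cmdKey -Force | Out-Null     # -Force also creates the missing parent keys
Set-ItemProperty -Path "$classes\$progId" -Name '(default)' -Value 'IBM i Access Client Solutions session'
Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$exePath`" `"%1`""

# Read back what Explorer will resolve for every user without a per-user override.
# Note: an earlier per-user choice under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hod
# still wins for that particular user until it is removed.
(Get-ItemProperty -Path "$classes\$ext").'(default)'
(Get-ItemProperty -Path $cmdKey).'(default)'
```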

UAC and log files management

I'm writing a WPF .NET application (fwk 4.0) which references log4net and must be installed in the 'Program Files (x86)' directory on a Windows 7/8/10 64-bit OS.
The application logs created by the application are .txt files created in the installation sub-directory of 'Program Files (x86)'.
This application also uses SQL Server CE 4.0 in the same subdirectory.
C:\Program Files(x86)\MYAPP\APP1\APP1.txt
C:\Program Files(x86)\MYAPP\APP1\CEDatabase.sdf
The application is installed by a local administrator.
To start the application, a standard user is prompted by UAC to start with an elevated access token (admin privileges) to run the application because it won't start otherwise (I think ACLs are not granted to create and write logs).
The WPF application build holds no application manifest.
My client is frustrated by the fact that a standard user cannot start the application without the UAC elevation. Moreover, they want to keep on installing in 'Program Files (x86)'.
What can I do to manage this situation?
I'd strongly suggest not writing the log files to the same location as you install your application, but instead to one of the standard public locations, which you can access by environment variables.
See this link for more details on how to set this in log4net: How to specify common application data folder for log4net?
The two common locations to log to which avoid UAC restrictions are:
CommonApplicationData (https://msdn.microsoft.com/en-us/library/windows/desktop/aa367992(v=vs.85).aspx) which is a location where all users can write to, so you might want to use this if you want a common logging location regardless of who is logged on to Windows and running your application.
LocalAppData (https://msdn.microsoft.com/en-us/library/windows/desktop/aa369768(v=vs.85).aspx) which is a location specified to your currently logged on user. This would allow you to keep your log files from different Windows users separate from each other.
I'm not sure off the top of my head whether you'd have the same issue with writes to the SQL Server CE database. The pattern I've followed in the past to work with UAC is to install all static files under Program Files, then all data under one of the above 2 mentioned folders depending on whether the application data and logging was per-user or per-installation.

Unable to modify Active Directory from Test/Production servers

OK since I am in a holding pattern on this issue perhaps someone has seen these symptoms and can provide some sage advice. (Note: I have learned only enough Active Directory information to build this feature and I only have read access to the Active Directory.)
I updated the company intranet to allow the automatic entry/modification of employee phone/address information; it uses a web service to connect to the company Active Directory so I can call it from multiple locations in the main application.
The AD has two domains (A and B) in the same forest. Each domain has an ‘ADS update user’ group and an ‘ADSupdate’ account (which belongs to ‘ADS update user’).
Problem: Entries in Domain A update fine for Local Development Servers, Test Servers, and Production Servers. Entries in Domain B update only when run from Local Development Servers. When you run the same code (verified multiple times) on either Test or Production you get a (General access denied error).
The domain name is stored in the employee record so the exact same code is called for all employees.
All Local Development Servers, Test, and Production servers reside in Domain A.
This has the Active Directory Admin for Domain B stumped and to be honest I am thankful that the Local Development Servers are able to update the Active Directory entries in Domain B. It proves that the code works at least in one location.
I have looked at machine permissions, permissions on the group and user, and IIS and I can spot no significant differences.
Any help would be appreciated…
Is integrated authentication enabled on any of the web service applications?
Are the production applications on Domain A installed on a domain controller?
Do the updates from the development workstation work when you call the web service from a remote machine?
This was not caused by any code changes. The Production and Test servers were upgraded and run a newer version of IIS (6.0). The newer version of IIS will not work across Active Directory domains.
My development machine is running the older version of IIS (5.1).
This explains why everything was working last year and then suddenly stopped working. There are so few employees in the other domain that it was not immediately noticed.