How to move MSI installation share without GPO reinstallation

**TheFopp** · 17th November 2008, 12:13 PM

Just in the process of locking down our servers a bit more and noticed that the share on which our MSI Packages for deployment via GPO isn't hidden (... no $ after the share name). Would like to change the share from \\server\MSIPackages to \\server\MSIPackages$ . Is there anyway of doing this without having to remake all the GPOs and therefore forcing the system to all PCs to uninstall and then reinstall the MSI'd software?

Obviously we don't want out students to be able to browse to the share from their own PCs and start installing software that they aren't licenced for. Am I correct in thinking that access permissions for this share need to be set at Everyone to Read so that the networked PCs can read the MSI Packages and install them before anyone is logged on? What are the permissions on your shares for your MSI deployments?

Cheers in advance
Adrian

**jsnetman** · 17th November 2008, 12:17 PM

We share our application folder without the hidden attribute. It's no problem as staff and pupils cannot install software, they do not have permisions.

**Ric_** · 17th November 2008, 12:20 PM

I did the share moving recently, after a lot of deliberation I decided it would be best to allow the re-installation to occur.

The way that the re-installation works is that it checks the installed software and then only updates what it has to (i.e. it isn't a full installation). I simply removed the old software from teh GPOs and told them computers not to uninstall it and then added the new software paths. At reboot the re-installation occurred but it only took about 5-10 minutes... I did this after school too.

As for the permissions, I'm not sure.

**dgsmith** · 17th November 2008, 12:20 PM

Originally Posted by jsnetman

We share our application folder without the hidden attribute. It's no problem as staff and pupils cannot install software, they do not have permisions.

Can they not copy the contents onto a pen drive and use for personal use, thus illegally using the school's licenced software, if they are able to view the folder?

**jsnetman** · 17th November 2008, 12:24 PM

I suppose so, but then they would be using software illegally.

**powdarrmonkey** · 17th November 2008, 12:24 PM

Why not set a deny on the share for your student security group?

**TheFopp** · 17th November 2008, 12:31 PM

Originally Posted by powdarrmonkey

Why not set a deny on the share for your student security group?

Seems like a good idea... but...

As a boarding school many students have their own laptops. As the MSI share has to be Read enabled to Everybody so that PCs on our domain can get install the MSIs before anyone logs on. Therefore if a student uses his own laptop what is to stop them browsing the network on that laptop (not logged on to our domain) to find the share which will let them get access to the files as they won't be logged in as Students to be denied access, and would just come under the 'Everybody' permissions and be able to Read the files.

**TheFopp** · 17th November 2008, 12:35 PM

Originally Posted by Ric_

I did the share moving recently, after a lot of deliberation I decided it would be best to allow the re-installation to occur.

The way that the re-installation works is that it checks the installed software and then only updates what it has to (i.e. it isn't a full installation). I simply removed the old software from teh GPOs and told them computers not to uninstall it and then added the new software paths. At reboot the re-installation occurred but it only took about 5-10 minutes... I did this after school too.

As for the permissions, I'm not sure.

Interesting... in the past I've found that trying to re-install an MSI over the same program already installed causes it to try to install everytime the PC is booted up. It usually goes through the Installing Software bit a lot faster than it would if it was installing it properly, but I presume it must fail as it retries each time......

... however this has been when I've already had the software manually installed. It may be different if the software was originally installed via GPO in the first place.

**apeo** · 17th November 2008, 12:45 PM

Originally Posted by TheFopp

Seems like a good idea... but...

As a boarding school many students have their own laptops. As the MSI share has to be Read enabled to Everybody so that PCs on our domain can get install the MSIs before anyone logs on. Therefore if a student uses his own laptop what is to stop them browsing the network on that laptop (not logged on to our domain) to find the share which will let them get access to the files as they won't be logged in as Students to be denied access, and would just come under the 'Everybody' permissions and be able to Read the files.

Why do you need Everybody permissions again? thought these msi's are for gpo deployment. If that is the case the you only need Domain Computer rights and not user rights.

**TheFopp** · 17th November 2008, 12:50 PM

Originally Posted by apeo

Why do you need Everybody permissions again? thought these msi's are for gpo deployment. If that is the case the you only need Domain Computer rights and not user rights.

Ahhhh... hadn't thought of that! Brilliant stuff. Cheers.

**kmount** · 17th November 2008, 01:28 PM

What would happen if you did this and then ran office for the first time ... it looks to the MSI to do the "first run" stuff, would it use the users permissions or the machines?

An alternative would be to remove the "List" permission from everyone which is how we stop nosy users browsing our shares.

**CyberNerd** · 17th November 2008, 01:46 PM

We have ours setup using computer rights rather than user rights.
I don't bother using $ shares at all anymore, it is folly.
If you want shares hidden - use SAMBA.

**powdarrmonkey** · 17th November 2008, 04:28 PM

Originally Posted by kmount

What would happen if you did this and then ran office for the first time ... it looks to the MSI to do the "first run" stuff, would it use the users permissions or the machines?

An alternative would be to remove the "List" permission from everyone which is how we stop nosy users browsing our shares.

I'm not sure. I don't know whether the engine will use its local cache of the MSI if it can't reach the share, or whether it runs as system or the user if it can. You could suck it and see, but removing List would be a good compromise.

**kmount** · 17th November 2008, 05:19 PM

Does the local PC hold a copy of the MSI? Our experience is that if a machine is "away" from the domain and someone tries to use something like an Outlook Import tool or something converter not already installed it fails looking for our server... Same principle I guess?

**User3204** · 17th November 2008, 09:52 PM

If the Students laptops are on a different IP range than the servers, with a router in between the ranges, then you could amend the security on the Router/Firewall to block access to this server.
Or change the routing on the Server so that the IP range is not visible.

This assumes that:
a) the IP ranges are different.
b) there's nothing on the server that the users would need.
c) the firewall/router between them is clever enough.
d) there's nothing else within this workstation range that would need access to the server in question.

LinkBack

Thread Tools

Search Thread

How to move MSI installation share without GPO reinstallation

Similar Threads

Modifying GPO software installation source retrospectively

Anyone willing to share common MSI packages with me?

need to move home folders retaining share & permissions

Cannot apply a MST to a software installation using a GPO

location of msi install gpo

Thread Information

Users Browsing this Thread

Posting Permissions