+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
Windows Thread, How to move MSI installation share without GPO reinstallation in Technical; Just in the process of locking down our servers a bit more and noticed that the share on which our ...
  1. #1

    Join Date
    Nov 2007
    Location
    Manchester
    Posts
    206
    Thank Post
    2
    Thanked 13 Times in 7 Posts
    Rep Power
    16

    How to move MSI installation share without GPO reinstallation

    Just in the process of locking down our servers a bit more and noticed that the share on which our MSI Packages for deployment via GPO isn't hidden (... no $ after the share name). Would like to change the share from \\server\MSIPackages to \\server\MSIPackages$ . Is there anyway of doing this without having to remake all the GPOs and therefore forcing the system to all PCs to uninstall and then reinstall the MSI'd software?

    Obviously we don't want out students to be able to browse to the share from their own PCs and start installing software that they aren't licenced for. Am I correct in thinking that access permissions for this share need to be set at Everyone to Read so that the networked PCs can read the MSI Packages and install them before anyone is logged on? What are the permissions on your shares for your MSI deployments?

    Cheers in advance
    Adrian

  2. #2
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    We share our application folder without the hidden attribute. It's no problem as staff and pupils cannot install software, they do not have permisions.

  3. #3

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,590
    Thank Post
    109
    Thanked 762 Times in 593 Posts
    Rep Power
    180
    I did the share moving recently, after a lot of deliberation I decided it would be best to allow the re-installation to occur.

    The way that the re-installation works is that it checks the installed software and then only updates what it has to (i.e. it isn't a full installation). I simply removed the old software from teh GPOs and told them computers not to uninstall it and then added the new software paths. At reboot the re-installation occurred but it only took about 5-10 minutes... I did this after school too.

    As for the permissions, I'm not sure.

  4. #4
    dgsmith's Avatar
    Join Date
    Nov 2007
    Location
    Merseyside, England
    Posts
    1,104
    Thank Post
    118
    Thanked 90 Times in 78 Posts
    Rep Power
    36
    Quote Originally Posted by jsnetman View Post
    We share our application folder without the hidden attribute. It's no problem as staff and pupils cannot install software, they do not have permisions.
    Can they not copy the contents onto a pen drive and use for personal use, thus illegally using the school's licenced software, if they are able to view the folder?

  5. #5
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    I suppose so, but then they would be using software illegally.

  6. #6

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,859
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    Why not set a deny on the share for your student security group?

  7. #7

    Join Date
    Nov 2007
    Location
    Manchester
    Posts
    206
    Thank Post
    2
    Thanked 13 Times in 7 Posts
    Rep Power
    16
    Quote Originally Posted by powdarrmonkey View Post
    Why not set a deny on the share for your student security group?
    Seems like a good idea... but...

    As a boarding school many students have their own laptops. As the MSI share has to be Read enabled to Everybody so that PCs on our domain can get install the MSIs before anyone logs on. Therefore if a student uses his own laptop what is to stop them browsing the network on that laptop (not logged on to our domain) to find the share which will let them get access to the files as they won't be logged in as Students to be denied access, and would just come under the 'Everybody' permissions and be able to Read the files.

  8. #8

    Join Date
    Nov 2007
    Location
    Manchester
    Posts
    206
    Thank Post
    2
    Thanked 13 Times in 7 Posts
    Rep Power
    16
    Quote Originally Posted by Ric_ View Post
    I did the share moving recently, after a lot of deliberation I decided it would be best to allow the re-installation to occur.

    The way that the re-installation works is that it checks the installed software and then only updates what it has to (i.e. it isn't a full installation). I simply removed the old software from teh GPOs and told them computers not to uninstall it and then added the new software paths. At reboot the re-installation occurred but it only took about 5-10 minutes... I did this after school too.

    As for the permissions, I'm not sure.

    Interesting... in the past I've found that trying to re-install an MSI over the same program already installed causes it to try to install everytime the PC is booted up. It usually goes through the Installing Software bit a lot faster than it would if it was installing it properly, but I presume it must fail as it retries each time......

    ... however this has been when I've already had the software manually installed. It may be different if the software was originally installed via GPO in the first place.

  9. #9
    apeo's Avatar
    Join Date
    Sep 2005
    Location
    Lost
    Posts
    1,612
    Thank Post
    95
    Thanked 115 Times in 111 Posts
    Rep Power
    42
    Quote Originally Posted by TheFopp View Post
    Seems like a good idea... but...

    As a boarding school many students have their own laptops. As the MSI share has to be Read enabled to Everybody so that PCs on our domain can get install the MSIs before anyone logs on. Therefore if a student uses his own laptop what is to stop them browsing the network on that laptop (not logged on to our domain) to find the share which will let them get access to the files as they won't be logged in as Students to be denied access, and would just come under the 'Everybody' permissions and be able to Read the files.
    Why do you need Everybody permissions again? thought these msi's are for gpo deployment. If that is the case the you only need Domain Computer rights and not user rights.

  10. #10

    Join Date
    Nov 2007
    Location
    Manchester
    Posts
    206
    Thank Post
    2
    Thanked 13 Times in 7 Posts
    Rep Power
    16
    Quote Originally Posted by apeo View Post
    Why do you need Everybody permissions again? thought these msi's are for gpo deployment. If that is the case the you only need Domain Computer rights and not user rights.
    Ahhhh... hadn't thought of that! Brilliant stuff. Cheers.

  11. #11


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,688
    Thank Post
    352
    Thanked 794 Times in 714 Posts
    Rep Power
    346
    What would happen if you did this and then ran office for the first time ... it looks to the MSI to do the "first run" stuff, would it use the users permissions or the machines?

    An alternative would be to remove the "List" permission from everyone which is how we stop nosy users browsing our shares.

  12. #12


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    We have ours setup using computer rights rather than user rights.
    I don't bother using $ shares at all anymore, it is folly.
    If you want shares hidden - use SAMBA.

  13. #13

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,859
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    Quote Originally Posted by kmount View Post
    What would happen if you did this and then ran office for the first time ... it looks to the MSI to do the "first run" stuff, would it use the users permissions or the machines?

    An alternative would be to remove the "List" permission from everyone which is how we stop nosy users browsing our shares.
    I'm not sure. I don't know whether the engine will use its local cache of the MSI if it can't reach the share, or whether it runs as system or the user if it can. You could suck it and see, but removing List would be a good compromise.

  14. #14


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,688
    Thank Post
    352
    Thanked 794 Times in 714 Posts
    Rep Power
    346
    Does the local PC hold a copy of the MSI? Our experience is that if a machine is "away" from the domain and someone tries to use something like an Outlook Import tool or something converter not already installed it fails looking for our server... Same principle I guess?

  15. #15
    User3204's Avatar
    Join Date
    Aug 2006
    Location
    Wirral
    Posts
    769
    Thank Post
    55
    Thanked 66 Times in 62 Posts
    Rep Power
    34
    If the Students laptops are on a different IP range than the servers, with a router in between the ranges, then you could amend the security on the Router/Firewall to block access to this server.
    Or change the routing on the Server so that the IP range is not visible.

    This assumes that:
    a) the IP ranges are different.
    b) there's nothing on the server that the users would need.
    c) the firewall/router between them is clever enough.
    d) there's nothing else within this workstation range that would need access to the server in question.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 7
    Last Post: 4th June 2014, 01:55 PM
  2. Anyone willing to share common MSI packages with me?
    By roland in forum Educational Software
    Replies: 13
    Last Post: 20th November 2007, 02:23 PM
  3. Replies: 8
    Last Post: 1st February 2007, 08:42 AM
  4. Replies: 3
    Last Post: 8th September 2006, 07:49 AM
  5. location of msi install gpo
    By russdev in forum Windows
    Replies: 3
    Last Post: 17th October 2005, 08:23 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •