Impact of Active Directory policies on Packaging Process

Hi ,

Quick Question :

Can someone explain the Impact of Active directory security policies on Packaging process .

Do we need to consider the role of Active directory during Packaging activity .

Kindly suggest any good articles on the same .

Cheers ,

0 Comments   [ + ] Show comments

Answers (7)

Posted by: Bladerun 15 years ago
Green Belt
The only thing to really consider is how you want to setup the policy for your installs.

If you set up the installs on a per computer basis, no user specific settings will be installed (ie HKCU, profile specific files, etc.). Instead they will be applied to the all user profile.

If you set up the installs per user, then your user specific settings are installed.

So if you plan on installing all apps per computer, so that applications are available to anyone that logs onto a certain machine, then some tweaking to your MSI's will be necessary. (There's a number of good posts on this site regarding installing MSI's per computer, then using the self-healing property to set userspecific setings.)

If you plan on installing all apps per user, so that applications will be installed on any machine a user logs in to, then no modification is usually necessary.
Posted by: Thaiboxer 15 years ago
Orange Belt
I don't think AD has much impact on packaging an app. It may change how you want to deliver the application, but probably not packaging.
Posted by: viv_bhatt1 15 years ago
Senior Purple Belt
Thanks for reply .
Yes we are installing all applications per machine .

Few more questions with regards to the topic of discussion :

1) What about packaging applications which install unsigned drivers ?
Which one of following is a better option :
1) Try repackaging the unsigned driver
2) Changing GPO settings for allowing unsigned drivers

2) Are there any cases experienced when repackaged MSI works without AD but gives unexpected results when installed using AD + GPO ?

Cheers ,
Posted by: Bladerun 15 years ago
Green Belt
I recently had a problem with a piece of software produced by AMBest. It installed fine when run normally, yet when I tried to create a package in policy for it, it wouldn't import it.

I ran a validation on it and found ICE errors all over the place. With much help from the good people here I was able to fix all the issues & eliminate all the ICE errors, and I could then create the policy without issue.
Posted by: viv_bhatt1 15 years ago
Senior Purple Belt
HI ,

Thanks could you please elaborate more on the type of error (cause mainly) and may be the resolution for it .

I am doing an Impact analysis for my current project . I want to understand if I can use this as yet another concern .

Really appreciate your suggestions .

Cheers ,
Posted by: plangton 15 years ago
Second Degree Blue Belt

For group policies, there are certain settings that affect how packages deploy. have a look at:


And you'll see they are:

Enables the Browse button on the Use feature from dialog box, even when an installation is running with system permissions.

Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during installations running with system permissions. Installations offered on the desktop or displayed in Add/Remove Programs run with system permissions.

Permits all users to install patches, even when an installation program is running with elevated system permissions.


Directs Windows Installer to use system permissions when it installs a program. By default, Windows Installer uses the user's permissions to install programs.

Disables the Browse button beside the Use feature from list in the Windows Installer dialog box. By default, the Browse button is disabled only when users who are not administrators are using system permissions to install a program.

Disables or restricts the use of Windows Installer. This entry can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator.

Prevents users from using Windows Installer to install patches.

Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.

Allows Terminal Services administrators to install and configure programs remotely.

Permits users to change installation options that typically are available only to system administrators.

Specifies the types of events that Windows Installer records in its transaction log. The log, Msi.log, appears in the Temp directory of the system volume.


Allows Web-based programs to install software on the computer without notifying the user.

Saves copies of transform files in a secure location on the local computer, instead of in the user's profile.

Hope that helps

Posted by: viv_bhatt1 15 years ago
Senior Purple Belt
Thanks Paul ,

Really appreciate your help .

This has given me a good start .

I have found out that sometimes GPO settings have to be changed inorder to be ableto install applications which install unsigned device drivers .

I still haven't got a definite way to avoid this .

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ