I have set up Advanced Group Policy Management twice over the last 3 years. It is quite a useful tool for administrators, giving them the ability to track GPO updates: who changed them, what they changed, when it was changed, etc. It also gives you the ability to roll back the changes if you get complaints from users that something broke after the updates had been rolled out. The previous times I set this up, I didn’t have any issues; it was a very straightforward setup and simple to follow. This time, however, I hit a few issues. I must admit, I hit these issues because of my own assumptions. When you work in Software Management and go through hundreds of installs a month, you learn how a lot of installers act or should act. So this is why I didn’t figure out this first issue right away.
During the install of the server piece, you get prompted to provide a service account which must have access to modify GPO settings. Fair enough, that makes sense. Now, I was logged into the server as myself, which I’d imagine most of you would be too. I wanted to input an account here that differed from mine and was more of a service account. So I input my username, e.g. Domain\GPOServ, and my password. I hit Next and assumed that, since it went to the next screen, what I had entered was correct, but as I later discovered, the password does not get verified. So if you don’t get it right during the install, you won’t know until it fails on you. I don’t understand why anybody thought that was a good idea, especially when other installers use something similar and do perform the validation.
I thought that was my only issue, but what I neglected to realize was that, even though the installer gives you the option to select a different user account from the one you are logged in as, the account you pick must have full permissions to the AGPM archive folder, which is created during the install!
If you wanted, you could create the folder beforehand and grant the correct permissions manually, but what I ended up doing was logging in as the service account and performing the install.
That’s not the end of it unfortunately. I kept receiving an error:
Windows Installer installed the product. Product Name: Microsoft Advanced Group Policy Management – Server. Product Version: 3.0. Product Language: 1033. Installation success or error status: 1603.
So for this one, basically, even though I had my firewall switched off, the installer was failing because it could not set the firewall exception. I had even unchecked the option to add the exception. When I started the firewall service and ran the install again, it completed the install. So the install must be calling the firewall, causing the issue. It kept me busy for a while; I hope this little rundown helps anybody that might be seeing the same issues.
Any other time I set this up, the environment had Windows Firewall enabled. So it will be interesting to see if the client works properly now that I’ve disabled the firewall again. I assume it should and this was just a case of a bad installer. Let’s see, eh!?
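
The three conditions this post ran into (a service account password the installer never verifies, full permissions on the archive folder, and a running firewall service) can be checked before launching the installer. The script below is an added example, not part of the original post or of the AGPM installer; `$ArchivePath` and the function names are assumptions chosen for illustration.

```powershell
# Added example: pre-flight checks to run before the AGPM server installer.
param(
    [Parameter(Mandatory)] [pscredential] $Credential,  # service account, e.g. Domain\GPOServ
    [Parameter(Mandatory)] [string] $ArchivePath        # assumption: your pre-created archive folder
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ServiceAccountCredential {
    param([pscredential] $Credential)
    # The installer does not verify the password, so verify it against the domain here.
    $net    = $Credential.GetNetworkCredential()
    $domain = if ($net.Domain) { $net.Domain } else { $env:USERDOMAIN }
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
    try     { $ctx.ValidateCredentials($net.UserName, $net.Password) }
    finally { $ctx.Dispose() }
}

function Test-ArchiveFullControl {
    param([string] $Path, [string] $Account)
    # Looks only for an explicit Allow ACE naming the account (DOMAIN\user form);
    # access granted through group membership is not evaluated.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $aces = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $Account -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    [bool]$aces
}

function Test-FirewallServiceRunning {
    # MpsSvc is the Windows Firewall service; the install described above failed
    # with status 1603 until this service was started.
    (Get-Service -Name MpsSvc).Status -eq 'Running'
}

[pscustomobject]@{
    CredentialValid    = Test-ServiceAccountCredential -Credential $Credential
    ArchiveFullControl = Test-ArchiveFullControl -Path $ArchivePath -Account $Credential.UserName
    FirewallSvcRunning = Test-FirewallServiceRunning
}
```

A wrong password passed to the credential check counts as a failed logon against the account's lockout threshold, so run it once with the value you intend to give the installer.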