I'm deploying VMware Player through a GPO, and I'd like to apply specific ACLs to the install folder and to the D:\VMWARE folder I'm creating during the Player install. I also have to give the vmware user account the "can log on locally" right. To do so, I've created a GPO whose scope is the same as my VMware Player install GPO. This GPO works well, BUT when applied at the same time as my deployment GPO, it seems to be applied before the deploy GPO, and then:

- Cannot find the vmware user account
- Cannot find the c:\program files\vmware folder
- Cannot find the D:\vmware folder

because none of them have been created yet by the VMware Player install. The only way for me to apply my security GPO is to execute the gpupdate /force command manually, which I don't want to use (it's supposed to be an automatic install).
I've checked the GPO processing order: my security GPO should be applied AFTER my install GPO (security GPO is number 1, deploy GPO is number two), but it doesn't seem to be the case.
Does anyone have an idea to solve this?
Seems like there's a timing issue here. Two or three things come to mind for changing the processing order of a GPO:
1) You can change the link order of the GPO object to adjust its processing order. Go to the OU containing the GPOs in question in the GPMC.
2) You can always make a GPO run last in the processing by enforcing it. So in your case you would enforce the security GPO.
3) Use a WMI filter to make the security GPO depend on the installer GPO. Have the WMI filter check Add/Remove Programs (win32_applications I believe) for VMware Player being installed as a condition of execution for the security GPO.
To guarantee this works as expected, I would accomplish this task a little differently, using one of two methods:
1) Implementing the entire process in a script that is deployed via GPO. This way you can guarantee a processing order inside the script. The disadvantage is that you can't undeploy VMware Player by disabling the GPO. (If you're not installing via MSI, this is a non-issue.) This would be my preferred method.
2) Repackage the VMware Player MSI to include the necessary ACL changes and the creation of the user account. I avoid MSI repackaging at all costs, because it becomes a maintenance headache.
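
The single-script approach from option 1, as an added example (not code from either poster): the installer runs first, and the ACLs and the logon right are applied only once the folders and the account resolve. The installer path, its switches, the account name, the ACL entry and the marker file are placeholders or assumptions; the right is added by exporting and re-importing local user rights with secedit.

```powershell
# Added example, meant as a computer startup script (runs as SYSTEM).
# Paths, switches, account name and ACL below are placeholders or assumptions.
$ErrorActionPreference = 'Stop'
$Installer     = '\\<server>\<share>\<vmware-player-setup>.exe'  # placeholder
$InstallerArgs = '<silent-install-switches>'                     # placeholder
$VmUser        = '<vmware-user-account>'       # placeholder: account the installer creates
$ProgramDir    = 'C:\Program Files\VMware'     # folder named in the question
$DataDir       = 'D:\VMWARE'                   # folder named in the question
$AclGrant      = 'BUILTIN\Users:(OI)(CI)M'     # assumed ACL entry, for illustration only
$Marker        = Join-Path $DataDir '.security-applied'  # hypothetical marker, keeps reruns cheap

if (Test-Path $Marker) { exit 0 }

# Step 1: install (only if missing) and block until the installer has exited.
if (-not (Test-Path $ProgramDir)) {
    $p = Start-Process -FilePath $Installer -ArgumentList $InstallerArgs -Wait -PassThru
    if ($p.ExitCode -notin @(0, 3010)) { throw "Installer exit code $($p.ExitCode)" }  # 3010 = reboot needed
}
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null

# Step 2: fail loudly if anything the security settings refer to is still absent.
if (-not (Test-Path $ProgramDir)) { throw "Missing folder: $ProgramDir" }
$account = New-Object System.Security.Principal.NTAccount($VmUser)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value  # throws if no such account

# Step 3: apply the ACL entry to both folders.
foreach ($dir in $ProgramDir, $DataDir) {
    & icacls.exe $dir /grant $AclGrant | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $dir" }
}

# Step 4: append the account's SID to "Allow log on locally" (SeInteractiveLogonRight).
$inf = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf | ForEach-Object {
    if ($_ -match '^SeInteractiveLogonRight\s*=' -and $_ -notlike "*$sid*") { "$_,*$sid" } else { $_ }
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
& secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit /configure failed' }

New-Item -ItemType File -Path $Marker -Force | Out-Null
```

If a domain GPO also defines "Allow log on locally", that setting replaces the local one at the next policy refresh, so the account has to be listed there as well.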