ConfigMgr 2012 RTM/SP1: Applications failed to install during OSD with error code 16389 and "Denied Logon for Domain Users" policy
2:17 pm in Uncategorized by Kenny Buntinx [MVP]
Hi Guys,
Just something I wanted to share with you about failed application installs during OSD in highly secured environments. At that specific customer all my applications (not my packages) failed one by one during OSD with error 16389.
At first guess you would say that the detection methods were not OK, but they had worked before when the applications were targeted in the full OS. So why would they fail now?
The failure is clearly visible in the status messages:
The issue was also only occurring on a specific hardware model, an HP 8530P … Strange.
Knowing this is a highly secured environment, my first guess would be policies. However, I dismissed that line of thinking because normally GPOs aren't applied during the OSD process …
However, guess again … It was indeed a policy, but defined at another level. They deny by GPO that, if a computer is not a member of a specific AD security group, "Domain Users" is allowed to log on to any resource.
The script that strips those principals from the local Users group (it handles both the Dutch and the English group names):

```vbscript
On Error Resume Next

strComputer = "."

' Dutch-localized OS: the local "Users" group is called "Gebruikers",
' "Authenticated Users" is "Geverifieerde gebruikers" and INTERACTIVE is "interactief"
Set objGroup = GetObject("WinNT://" & strComputer & "/Gebruikers")
For Each objUser In objGroup.Members
    If objUser.Name = "Everyone" Or objUser.Name = "Domain Users" Or objUser.Name = "Geverifieerde gebruikers" Or LCase(objUser.Name) = "interactief" Then
        objGroup.Remove(objUser.AdsPath)
    End If
Next

' English OS: same removal against the "Users" group
strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Users")
For Each objUser In objGroup.Members
    If objUser.Name = "Everyone" Or objUser.Name = "Domain Users" Or objUser.Name = "Authenticated users" Or LCase(objUser.Name) = "interactive" Then
        objGroup.Remove(objUser.AdsPath)
    End If
Next
```
Solution: My advice here was to block inheritance on a specific staging OU. So if you have failing apps, think about the Network Access Account not having the proper rights.
Hope it helps,
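To confirm this symptom on a machine before touching any GPO, the following read-only PowerShell diagnostic is an added example (it is not part of the original post and not something the customer ran). It reports which of the principals the cleanup script removes (Everyone, Authenticated Users, INTERACTIVE, Domain Users) are still members of the local Users group, and which "Deny log on …" user rights in the effective local policy name one of them. It assumes it runs elevated in the full OS after the domain join (for example as a task sequence PowerShell step, not in WinPE), uses the same WinNT ADSI provider as the VBScript so it works on the same OS generations, and the report path is a placeholder chosen for this example.

```powershell
<#
Added example, not from the original post. Read-only check for the
"denied logon for Domain Users" symptom behind OSD error 16389.
Assumptions: runs elevated in the full OS after domain join; $ReportPath is
a hypothetical location chosen for this example.
#>
[CmdletBinding()]
param(
    [string]$ReportPath = "$env:windir\Temp\OsdLogonRightsCheck.log"
)

# Well-known SIDs of the principals the cleanup script strips from Users.
$script:Watched = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-4'  = 'INTERACTIVE'
}

function Add-DomainUsersSid {
    # "Domain Users" is domain-relative (RID 513): resolve it through the
    # machine's own domain instead of hard-coding a domain SID.
    $domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    try {
        $acct = New-Object System.Security.Principal.NTAccount("$domain\Domain Users")
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $script:Watched[$sid] = 'Domain Users'
    } catch {
        Write-Warning "Could not resolve $domain\Domain Users (not domain joined yet?): $_"
    }
}

function Get-WatchedMembersOfUsersGroup {
    # Resolve the built-in Users group (S-1-5-32-545) to its local name so the
    # check works on a Dutch ("Gebruikers") or English ("Users") OS alike.
    $usersName = (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')).
        Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://./$usersName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # "WinNT://NT AUTHORITY/Everyone" -> "NT AUTHORITY\Everyone"
        $account = ($path -replace '^WinNT://', '') -replace '/', '\'
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($account)).
                Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable member: not one we watch
        if ($script:Watched.ContainsKey($sid)) {
            [pscustomobject]@{ Principal = $script:Watched[$sid]; Sid = $sid; AdsPath = $path }
        }
    }
}

function Get-DenyLogonRightAssignments {
    # Export the effective user-rights assignments from the local security
    # database; rights assigned by GPO land here after policy processing.
    $inf = Join-Path $env:TEMP 'osd-userrights.inf'
    $null = & secedit.exe /export /cfg "$inf" /areas USER_RIGHTS /quiet
    if (-not (Test-Path $inf)) { throw 'secedit export failed' }
    $result = @{}
    foreach ($line in Get-Content -Path $inf) {
        # Lines look like: SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-...-513
        if ($line -match '^\s*(SeDeny\w*LogonRight)\s*=\s*(.*)$') {
            $name  = $matches[1]
            $value = $matches[2]
            $result[$name] = @(foreach ($e in ($value -split ',')) {
                $e = $e.Trim().TrimStart('*')
                if ($e -like 'S-1-*') { $e }
                elseif ($e) {        # account name instead of SID: resolve it
                    try { (New-Object System.Security.Principal.NTAccount($e)).
                            Translate([System.Security.Principal.SecurityIdentifier]).Value } catch {}
                }
            })
        }
    }
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    $result
}

function Invoke-OsdLogonRightsCheck {
    Add-DomainUsersSid
    $members = @(Get-WatchedMembersOfUsersGroup)
    $denied  = Get-DenyLogonRightAssignments
    $findings = @(foreach ($right in $denied.Keys) {
        foreach ($sid in $denied[$right]) {
            if ($script:Watched.ContainsKey($sid)) {
                [pscustomobject]@{ Right = $right; Principal = $script:Watched[$sid]; Sid = $sid }
            }
        }
    })
    $report = [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        WatchedMembersLeft   = $members    # empty => the cleanup script has already run here
        DenyRightsMatched    = $findings   # non-empty => a watched principal is denied a logon type
        SymptomPresent       = ($members.Count -eq 0 -or $findings.Count -gt 0)
    }
    $report | Format-List | Out-String | Set-Content -Path $ReportPath
    $report
}

Invoke-OsdLogonRightsCheck
```

Run it once on a machine built in the normal OU and once on one built in the staging OU where inheritance is blocked: if the Users group membership and the deny rights differ between the two, you have confirmed the policy rather than the detection methods as the reason for the 16389 failures.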
Kenny Buntinx
System Center Configuration Manager MVP