GPO software install fails with event log %%1612

If you ever receive this event when deploying an MSI via GPO and the MSI package lives on a DFS target, don’t forget that ‘Domain Computers’ needs Read access to the MSI package. You’ve given ‘Domain Computers’ access to the DFS target folder but you still get the error? There is one other place where you need to grant access: the share on the DFSRoot. Navigate to the DFSRoot level of the share.

Example: We had \\domain\IS and the package was located at \\domain\IS\SoftwareDeployments\… and it was failing. We added the NTFS permissions for ‘Domain Computers’ to the root folders. We went into DFS Management and looked at the folder target’s share permissions, and ‘Everyone’ was checked as Read, so what was up? You have to actually log into the DFS server, navigate to the DFSRoots folder, find the shared DFS root there, and give the permissions at that folder.
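The two permission layers described above can be checked in one pass. This is an added example, not part of the original post: the server name DFSSERVER01 and the parameter defaults are placeholders, and it assumes the SmbShare module's Get-SmbShareAccess is available and that you have admin rights on the namespace server.

```powershell
# Added example. DFSSERVER01 is a placeholder; adjust all three parameters.
param(
    [string]$NamespaceServer = 'DFSSERVER01',                      # server hosting the DFS root
    [string]$RootShare       = 'IS',                               # root share behind \\domain\IS
    [string]$PackagePath     = '\\domain\IS\SoftwareDeployments'   # folder holding the MSI
)

# Principals whose membership includes computer accounts.
$computerPrincipals = '(^|\\)(Domain Computers|Authenticated Users|Everyone)$'

# Layer 1: share permissions on the DFS root share itself (the easy one to miss).
$shareAllow = @(Get-SmbShareAccess -Name $RootShare -CimSession $NamespaceServer |
    Where-Object {
        $_.AccountName -match $computerPrincipals -and
        "$($_.AccessControlType)" -eq 'Allow'
    })

# Layer 2: NTFS permissions on the package location, as seen through the namespace.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$ntfsAllow = @((Get-Acl -Path $PackagePath).Access |
    Where-Object {
        $_.IdentityReference.Value -match $computerPrincipals -and
        "$($_.AccessControlType)" -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    })

# Both layers must allow Read; a missing entry in either one blocks the install.
[pscustomobject]@{
    RootShare             = "\\$NamespaceServer\$RootShare"
    ShareReadForComputers = $shareAllow.Count -gt 0
    ShareGrantedTo        = $shareAllow.AccountName -join ', '
    PackagePath           = $PackagePath
    NtfsReadForComputers  = $ntfsAllow.Count -gt 0
    NtfsGrantedTo         = $ntfsAllow.IdentityReference.Value -join ', '
}
```

Only Allow entries are evaluated; an explicit Deny entry for any of these principals would still block access and has to be reviewed separately.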

PowerShell NTFSSecurity – Apply permissions

I had a need for support staff to quickly apply permissions to project folders as they are created.

Requirements:

Make the root project folder read/execute only while maintaining all other inherited permissions.
Inherit those permissions for 2 folder levels before resetting the grandchildren folders to Modify for domain users. Essentially, this locks down the permissions to modify any of the project folder templates but allows users to create their own files/folders.
And have it automated.

Get-ACL and Set-ACL work great if you are a domain admin, but they require a not-so-fun workaround using VB function calls if you are not. I went that route initially and it worked fine until I had someone other than myself test it.

Using the NTFSSecurity module you can quickly implement the solution by just extracting the module into the support staff’s C:\Users\username\Documents\WindowsPowerShell\Modules\NTFSSecurity folder and using its Remove-Ace, Add-Ace, and other functions.

Download NTFSSecurity

——————————Script——————————
<#
Set Folder Permissions 1.0
Developed by Creighton Barnes
Script will set permissions on root folder and 1 level down as read only for domain users and remove inheritance.
It will then set the 2nd level permission for domain users to modify and inherit.
#>

Import-Module NTFSSecurity

function getProjectFolder
{
    Param([string]$path)
    # Prompt the user for the project folder, starting at the root of the offices DFS path
    $app = New-Object -ComObject Shell.Application
    $folderToModify = $app.BrowseForFolder(0, "Select Project Folder", 0, "\\domain\dfs\Offices")
    # BrowseForFolder returns $null when the dialog is cancelled
    $script:path = if ($folderToModify) { $folderToModify.Self.Path } else { $null }
}

function setProjectFolderPermissions
{
    # Define variables
    $subDirs = @(Get-ChildItem -Path $path | ? {$_.PSIsContainer})
    $domainUsers = "domain\domain users"

    Write-Host ""
    Write-Host "Applying permissions to root project folder:"
    Write-Host $path

    # Removes inheritance on the root project folder
    Get-Item $path | Disable-Inheritance

    # Removes all domain user settings from root project folder
    Get-Item $path | Get-Ace -Account $domainUsers | Remove-Ace

    # Set domain users as read and execute only on root project folder;
    # ContainerInherit,ObjectInherit passes this down to the 1st level subfolders
    Get-Item $path | Add-Ace -Account $domainUsers -AccessRights ReadAndExecute -InheritanceFlags ContainerInherit,ObjectInherit -PropagationFlags None

    # Walk each 1st level subfolder (these inherit read and execute from the root)
    # to reach the 2nd level subfolders
    Write-Host ""
    Write-Host ""
    Write-Host "Applying permissions to subfolders:"

    foreach ($subDir in $subDirs)
    {
        # Define the subfolder path (FullName avoids building the path by string concatenation)
        $subFolderPath = $subDir.FullName
        $lvl2SubFolders = @(Get-ChildItem -Path $subFolderPath | ? {$_.PSIsContainer})

        foreach ($lvl2SubFolder in $lvl2SubFolders)
        {
            # Define the subfolder path for 2nd level subfolders to apply Modify rights for domain users recursively
            $lvl2CurrentDir = $lvl2SubFolder.FullName
            Write-Host $lvl2CurrentDir

            # Removes all domain user settings from the 2nd level subfolder
            Get-Item $lvl2CurrentDir | Get-Ace -Account $domainUsers | Remove-Ace

            # Grant domain users Modify; with InheritOnly the entry applies to the
            # contents of the 2nd level subfolder, not to the folder itself
            Get-Item $lvl2CurrentDir | Add-Ace -Account $domainUsers -AccessRights Modify -InheritanceFlags ContainerInherit,ObjectInherit -PropagationFlags InheritOnly
        }
    }
}

#———————-Begin body————————

# Set project folders script body
# Load the assembly that provides the MsgBox prompt
Add-Type -AssemblyName Microsoft.VisualBasic

# Prompt user to verify folder path they selected; on "No", let them pick again.
do
{
    getProjectFolder

    # Nothing was selected in the folder browser, so there is nothing to change
    if (-not $path)
    {
        Write-Host "No folder selected. Exiting project folder permissions script."
        exit
    }

    $verifyFolder = [Microsoft.VisualBasic.Interaction]::MsgBox($path, 'YesNoCancel', "Is this the correct folder path?")
} while ($verifyFolder -eq "No")

if ($verifyFolder -eq "Yes")
{
    setProjectFolderPermissions
    $a = New-Object -ComObject WScript.Shell
    $b = $a.Popup("Successfully set permissions.", 0, "Folder Permissions Script")
    exit
}

if ($verifyFolder -eq "Cancel")
{
    Write-Host "Exiting project folder permissions script."
    exit
}