Upgrade to / install Adobe Acrobat Reader 9 centrally using Active Directory group policies.

In January 2008 I published an article Installing Adobe Acrobat Reader centrally with Active Directory group policies. The time has come to upgrade to Acrobat Reader 9 now. So I’ll be taking you through some simple steps today to get that part done.
If you want to push out Adobe Reader for the first time I suggest you follow the old guide located at http://www.nixadmins.net/node/317 and substitute everything Acrobat 8 related with 9.
What you need to complete this how-to is the Adobe Customization Wizard 9 and Acrobat Reader 9.

Download links:
Adobe customization wizard 9:
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3993&fileID=3727
Adobe Reader 9
http://www.adobe.com/products/acrobat/readstep2.html?promoid=BUIGO

Getting the MSI package

As you might have noticed the Acrobat Reader 9 is a .exe file. It does include a MSI we just need to get it out of there.
Run the install from a command prompt or a run field.

D:\temp\AdbeRdr90_en_US.exe -nos_ne

You will find your fresh adobe packages in
Windows XP
%Userprofile%\Local Settings\Application Data\Adobe\Reader 9.0\Setup Files\READER9
Windows Vista
%userprofile%\AppData\Local\Adobe\Reader 9.0\Setup Files\READER9
Copy out all the files in that directory. I copied them to the desktop.

Let’s get on to the customization wizard.

Modifying the Adobe reader 9 installation package

Now that we have the MSI package we can start modifying it. So start up Adobe Customization Wizard and open your fresh MSI and let’s get started.

Adobe Customization Wizard 9

Now you should read and understand the settings in the wizard. And also read the End user license agreement (EULA). If you select not to show it YOU agree with it for your whole organization.

The following are the settings I changed.

That’s it, now save the file and copy all the files to the fileshare you use to deploy software, in my case \\server\userapps\Adobe Reader 9. On the next page we continue with assigning the policy to the computers in your organization.

Working with the policy

Start up your Group policy management console and select your Software installation policy. Select edit, go to Computer Configuration\Software Settings\Software Installation.
Group policy editor

Right click and select new package. Browse to the folder where you dropped the MSI and INI file. Select the file and choose open.
Select the Adobe acrobat reader 9 msi file

At the deploy software screen select Advanced to check the following.
Advanced settings
At the Upgrades tab you should see Upgrade Adobe Reader 8.?.?.
Upgrade Adobe reader

Checking the old Acrobat package

This is not generally something you have to do but I like to check and double check before I expect results. So select the old acrobat package and bring up its properties.
Go to the tab Upgrades where you should see the Adobe Reader 9 package.
That’s it, now you can push this out to your test environment and see that everything is working like it should.

Command line tools

Group policies are queried over a period of 30-180 minutes. This is to ensure not all computers query at the same time. So to speed it up you can use.

C:\gpupdate /force

To check which policies are applied to a user/computer you can use

C:\gpresult

This lists all the policies applied to the computer you are at and the user logged in.

Final words

Working with Active directory group policies is a really straight forward process. If something doesn’t work check your event viewer for errors. I’ve even seen out of date network card drivers halt the whole group policy deployment.
If you need help with this comment here and I’ll try to get you trough the process.
I take no responsibility if this doesn’t work or setting this up makes a mess at your organization. This article is written only to help on the way and you should know what you are doing, not just “copy & paste”.

Related posts:

  1. Using restricted groups in Active Directory Using restricted groups is something very simple and still for...
  2. Find stale / dead / removed computers or users from Active Directory using oldcmp from JoeWare.net I noticed our Active Directory domain and Windows Server Update...

Comments

    Anonymous posted the comment on October 22nd, 2008

  1. Hmmm, I can’t find the Software installation policy tab?…

    2. Adam Bunker posted the comment on October 22nd, 2008

  2. The serial is in the .mst that i setup with the customization wizard, so that’s not it. I’ve figured out that the problem is that rather than just “assigned”, the package must be setup as advanced. In properties, under the modifications tab, the .mst must be added. A slight oversight that caused my install to fail every time. But it works as of 5 minutes ago! Thanks for the help looking into it.

    3. AC posted the comment on October 30th, 2008

  3. After I’ve pushed the Adobe Reader 9, I’ve lost the icon on my PDF-files… I’ve really tried everything….
    When i install the same package locally, it works – but when i do it with a domain user – the icon is gone…
    I’ve postet a question on Exchange Experts – but I really hope i can correct the “error” thru the AD.

    Help?

    4. Adam Bunker posted the comment on September 26th, 2008

  4. Great guide! I’ve tried replicating this on several test computers in my Win2008 / WinXP (SP3) environment to deploy a new installation of Acrobat Pro 9 to no avail. The Application logs on the target computers report an error eventID 1013, then a Fatal error during installation eventID 102. These very same computers are assigned a policy to install Adobe CS3 via script, and it works without a problem. Any ideas? Thanks for the help.

    5. Diezel posted the comment on September 26th, 2008

  5. Hi Adam.
    I’ll just post a quick answer now. I’m quite busy this weekend so I’ll take a look at that first thing Monday morning.

    6. Adam Bunker posted the comment on September 26th, 2008

  6. Thanks for giving it a look. I’ll check back next week.

    7. Adam posted the comment on October 6th, 2008

  7. Any luck?

    8. Diezel posted the comment on October 6th, 2008

  8. I’m setting up a new test environment tonight. I just can’t replicate that error.
    Does the MSI work normally if you do a normal install using it?

    9. Mike posted the comment on November 14th, 2008

  9. I have tried to install adobe 9, am it’s not working, I have attached a log file. I have also read in another post that the .mst must be added, can you advise.

    Thanks Mike

    === Verbose logging started: 11/14/2008 11:02:05 Build type: SHIP UNICODE 3.01.4001.5512 Calling process: \??\C:\WINDOWS\system32\winlogon.exe ===
    MSI (c) (B4:70) [11:02:05:609]: Resetting cached policy values
    MSI (c) (B4:70) [11:02:05:609]: Machine policy value ‘Debug’ is 0
    MSI (c) (B4:70) [11:02:05:609]: ******* RunEngine:
    ******* Product: {ac76ba86-7ad7-1033-7b44-a90000000001}
    ******* Action:
    ******* CommandLine: **********
    MSI (c) (B4:70) [11:02:05:609]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (B4:70) [11:02:05:609]: Grabbed execution mutex.
    MSI (c) (B4:70) [11:02:05:781]: Cloaking enabled.
    MSI (c) (B4:70) [11:02:05:781]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (B4:70) [11:02:05:781]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (5C:84) [11:02:05:828]: Grabbed execution mutex.
    MSI (s) (5C:88) [11:02:05:828]: Resetting cached policy values
    MSI (s) (5C:88) [11:02:05:828]: Machine policy value ‘Debug’ is 0
    MSI (s) (5C:88) [11:02:05:828]: ******* RunEngine:
    ******* Product: {ac76ba86-7ad7-1033-7b44-a90000000001}
    ******* Action:
    ******* CommandLine: **********
    MSI (s) (5C:88) [11:02:05:828]: Machine policy value ‘DisableUserInstalls’ is 0
    MSI (s) (5C:88) [11:02:05:828]: User policy value ‘SearchOrder’ is ‘nmu’
    MSI (s) (5C:88) [11:02:05:828]: User policy value ‘DisableMedia’ is 0
    MSI (s) (5C:88) [11:02:05:828]: Machine policy value ‘AllowLockdownMedia’ is 0
    MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Media enabled only if package is safe.
    MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Looking for sourcelist for product {ac76ba86-7ad7-1033-7b44-a90000000001}
    MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Adding {ac76ba86-7ad7-1033-7b44-a90000000001}; to potential sourcelist list (pcode;disk;relpath).
    MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Now checking product {ac76ba86-7ad7-1033-7b44-a90000000001}
    MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Media is enabled for product.
    MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Attempting to use LastUsedSource from source list.
    MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Processing net source list.
    MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Trying source \\spring-lake\shared\Userapps\reader9\.
    MSI (s) (5C:88) [11:02:06:156]: Note: 1: 2303 2: 5 3: \\spring-lake\shared\
    MSI (s) (5C:88) [11:02:06:156]: Note: 1: 2303 2: 5 3: \\spring-lake\shared\
    MSI (s) (5C:88) [11:02:06:156]: Note: 1: 2303 2: 5 3: \\spring-lake\shared\
    MSI (s) (5C:88) [11:02:06:156]: Note: 1: 2203 2: \\spring-lake\shared\Userapps\reader9\AcroRead.msi 3: -2147287035
    MSI (s) (5C:88) [11:02:06:156]: Note: 1: 1706 2: -2147483646 3: AcroRead.msi
    MSI (s) (5C:88) [11:02:06:156]: SOURCEMGMT: Processing media source list.
    MSI (s) (5C:88) [11:02:07:234]: Note: 1: 2203 2: 3: -2147287037
    MSI (s) (5C:88) [11:02:07:234]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.
    MSI (s) (5C:88) [11:02:07:234]: Note: 1: 1706 2: -2147483647 3: AcroRead.msi
    MSI (s) (5C:88) [11:02:07:234]: SOURCEMGMT: Processing URL source list.
    MSI (s) (5C:88) [11:02:07:234]: Note: 1: 1402 2: UNKNOWN\URL 3: 2
    MSI (s) (5C:88) [11:02:07:234]: Note: 1: 1706 2: -2147483647 3: AcroRead.msi
    MSI (s) (5C:88) [11:02:07:234]: Note: 1: 1706 2: 3: AcroRead.msi
    MSI (s) (5C:88) [11:02:07:234]: SOURCEMGMT: Failed to resolve source
    MSI (s) (5C:88) [11:02:07:234]: MainEngineThread is returning 1612
    MSI (c) (B4:70) [11:02:07:234]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
    MSI (c) (B4:70) [11:02:07:234]: MainEngineThread is returning 1612
    === Verbose logging stopped: 11/14/2008 11:02:07 ===

    10. Adam posted the comment on October 16th, 2008

  10. Yes, the MSI works by itself; of course I have to input the serial, and attend the whole install.

    11. Diezel posted the comment on October 20th, 2008

  11. I just noticed you are installing Acrobat, not Reader. I’m guessing your problem is that it asks for a serial. When you assign a MSI to a computer it can’t interact with the installer so I’m guessing that’s your problem. You need to get the serial into to MSI or use an MST, I’ve never deployed Acrobat so I really can’t help you there.

    12. Greyshark posted the comment on December 3rd, 2009

  12. I noticed that if we use local administrator to uninstall the package adobe reader 8, then once i reboot, and unlink the PC from OU and link to another OU with adobe9 , it failed to install, but from log on status, we can see the application of removal take place, but not the installation.

    Any idea ?

    13. Mats Hellman posted the comment on December 3rd, 2009

  13. Try to run the package with the Sysinternals tool PsExec and run the MSI package from one of your clients. Using PsExec will allow you to run msiexec with the local System account(the same is used when installing from a GPO) this way you’ll make sure the MSI works as it should. If this works then we need to take a look at the group policies. You can get PsExec from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx.
    Run PsExec:

    psexec.exe -sid “msiexec.exe -i \\Server\Share\AdobeREader.msi

    Let me know how if it works.

    14. Chris Bailey posted the comment on May 21st, 2010

  14. I know this is a pretty old post, so if you dont respond, no worries… we have just moved out application deployment folder to a new machine (decomissioned the old machine). So as it is now, I have a Reader 9.1 GPO pulling from the old source that installs on users desktops… I want to modify that to install 9.3.1 but I cant modify the old GPO because it points to a non-existant folder where Reader used to be….

    So I tried to just create a new one… to install the new reader… but it seems to install EVERYTIME I reboot a machine, and Adobe Reader 9.1 shows on the desktop still (we keep the link on the desktop) but its greyed out, Reader 9.3 works… but once I reboot it re-runs the installatino over and over again…

    Any suggestions?

    15. Mats Hellman posted the comment on May 21st, 2010

  15. I’m not sure what’s going on there but you should be able to do an upgrade GPO, so is upgrades from 9.1 to 9.3. The upgrade install should uninstall the old version. Also check your eventlog to see why it keeps reinstalling the 9.3 version.
    Also you’d be better of to put any GPO installs to an DFS share. Otherewise when you move an package from one server to another it will reinstall the package.
    I’ll help if I can, old post or not.

    16. Chris Bailey posted the comment on May 25th, 2010

  16. I have only been at this company for a year, so I didnt have a say in where this package was originally.

    So I was thinking over the weekend…. if I was to delete the existing 9.1 GPO (that points to the soon to be non-existant share) – recreate it, pointing it to the new location for 9.1. After this I will do what the article says with the 9.3.1 installation package as an upgrade to 9.1.

    When this is done, in theory… the new GPO should uninstall 9.1 and install 9.3.1…. I will test this today in my test OU to see if I can get that working. Thanks for the reply… I am going to discuss some DFS stuff with my CIO also to choose a better location for our installation directory.

    17. Chris Bailey posted the comment on May 25th, 2010

  17. Update – did what I said – it worked – 9.1 is uninstalled and 9.3 is now installed – only issue is that I get the dreaded “The Adobe Acrobat/Reader that is running cannot be used to view PDF files in a web browser…”.

    Before this upgrade I was able to open PDFs just fine on my test machine in a browser… some posts I saw said it has to do with an old installation directory… could this be because I re-created the GPO and am not modifying the exisiting one? (the one that points to the old location so I had to recreate)

    Obviously if I cant get this to work I’ll have to stick with the old version… kind of unfortunate considering how many vulnerabilities it has…