In January 2008 I published an article Installing Adobe Acrobat Reader centrally with Active Directory group policies. The time has come to upgrade to Acrobat Reader 9 now. So I’ll be taking you through some simple steps today to get that part done.
If you want to push out Adobe Reader for the first time I suggest you follow the old guide located at http://www.nixadmins.net/node/317 and substitute everything Acrobat 8 related with 9.
What you need to complete this how-to is the Adobe Customization Wizard 9 and Acrobat Reader 9.
Download links:
Adobe customization wizard 9:
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3993&fileID=3727
Adobe Reader 9
http://www.adobe.com/products/acrobat/readstep2.html?promoid=BUIGO
Getting the MSI package
As you might have noticed the Acrobat Reader 9 is a .exe file. It does include a MSI we just need to get it out of there.
Run the install from a command prompt or a run field.
You will find your fresh adobe packages in
Windows XP
%Userprofile%\Local Settings\Application Data\Adobe\Reader 9.0\Setup Files\READER9
Windows Vista
%userprofile%\AppData\Local\Adobe\Reader 9.0\Setup Files\READER9
Copy out all the files in that directory. I copied them to the desktop.
Let’s get on to the customization wizard.
Modifying the Adobe reader 9 installation package
Now that we have the MSI package we can start modifying it. So start up Adobe Customization Wizard and open your fresh MSI and let’s get started.
Now you should read and understand the settings in the wizard. And also read the End user license agreement (EULA). If you select not to show it YOU agree with it for your whole organization.
The following are the settings I changed.
- Installation options
- Make Adobe Acrobat reader the default viewer if Acrobat and Reader are installed. I set this because there are some new features in reader 9 and our organization still uses Acrobat 8.
- Enable optimization
- Enable caching of installer files on local harddrive
- Run installation silently, we don’t want the user to participate at all in the process.
- Suppress reboot, users reboot often enough and most our computers are set to install updates 3 A.M so they will reboot soon enough.
- Shortcuts
- I left Programs->Adobe Reader 9 but removed the desktop icon. I see no reason at all in having it clutter the desktop. Most I’d guess over 99% of users click the file to open not start up Adobe Acrobat reader and then open the file.
- EULA and document status
- Suppress display of End User license agreement. I really don’t want the users to see it. Bu be sure to read it yourself BEFORE you accept it.
- Hide document message bar
- Online and Acrobat.com features
- Disable all updates, I want to see to the updates myself, to keep application compatibility.
- Load trusted root certificates from adobe, check Enable and install silently
- In adobe reader, disable Help purchase of Adobe Acrobat. All our software is bought by the IT apartment, not single users.
- Disable product improvement program. I really hate theese.
- Disable viewing of PDF with ads for Adobe PDF
- Display in browser, enable
- Disable all acrobat.com access including initiation and participation.
That’s it, now save the file and copy all the files to the fileshare you use to deploy software, in my case \\server\userapps\Adobe Reader 9. On the next page we continue with assigning the policy to the computers in your organization.
Working with the policy
Start up your Group policy management console and select your Software installation policy. Select edit, go to Computer Configuration\Software Settings\Software Installation.
Right click and select new package. Browse to the folder where you dropped the MSI and INI file. Select the file and choose open.
At the deploy software screen select Advanced to check the following.
At the Upgrades tab you should see Upgrade Adobe Reader 8.?.?.
Checking the old Acrobat package
This is not generally something you have to do but I like to check and double check before I expect results. So select the old acrobat package and bring up its properties.
Go to the tab Upgrades where you should see the Adobe Reader 9 package.
That’s it, now you can push this out to your test environment and see that everything is working like it should.
Command line tools
Group policies are queried over a period of 30-180 minutes. This is to ensure not all computers query at the same time. So to speed it up you can use.
To check which policies are applied to a user/computer you can use
This lists all the policies applied to the computer you are at and the user logged in.
Final words
Working with Active directory group policies is a really straight forward process. If something doesn’t work check your event viewer for errors. I’ve even seen out of date network card drivers halt the whole group policy deployment.
If you need help with this comment here and I’ll try to get you trough the process.
I take no responsibility if this doesn’t work or setting this up makes a mess at your organization. This article is written only to help on the way and you should know what you are doing, not just “copy & paste”.
Hmmm, I can’t find the Software installation policy tab?…
The serial is in the .mst that i setup with the customization wizard, so that’s not it. I’ve figured out that the problem is that rather than just “assigned”, the package must be setup as advanced. In properties, under the modifications tab, the .mst must be added. A slight oversight that caused my install to fail every time. But it works as of 5 minutes ago! Thanks for the help looking into it.
After I’ve pushed the Adobe Reader 9, I’ve lost the icon on my PDF-files… I’ve really tried everything….
When i install the same package locally, it works – but when i do it with a domain user – the icon is gone…
I’ve postet a question on Exchange Experts – but I really hope i can correct the “error” thru the AD.
Help?
Great guide! I’ve tried replicating this on several test computers in my Win2008 / WinXP (SP3) environment to deploy a new installation of Acrobat Pro 9 to no avail. The Application logs on the target computers report an error eventID 1013, then a Fatal error during installation eventID 102. These very same computers are assigned a policy to install Adobe CS3 via script, and it works without a problem. Any ideas? Thanks for the help.
Hi Adam.
I’ll just post a quick answer now. I’m quite busy this weekend so I’ll take a look at that first thing Monday morning.
Thanks for giving it a look. I’ll check back next week.
Any luck?
I’m setting up a new test environment tonight. I just can’t replicate that error.
Does the MSI work normally if you do a normal install using it?
I have tried to install adobe 9, am it’s not working, I have attached a log file. I have also read in another post that the .mst must be added, can you advise.
Thanks Mike
=== Verbose logging started: 11/14/2008 11:02:05 Build type: SHIP UNICODE 3.01.4001.5512 Calling process: \??\C:\WINDOWS\system32\winlogon.exe ===
MSI (c) (B4:70) [11:02:05:609]: Resetting cached policy values
MSI (c) (B4:70) [11:02:05:609]: Machine policy value ‘Debug’ is 0
MSI (c) (B4:70) [11:02:05:609]: ******* RunEngine:
******* Product: {ac76ba86-7ad7-1033-7b44-a90000000001}
******* Action:
******* CommandLine: **********
MSI (c) (B4:70) [11:02:05:609]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (B4:70) [11:02:05:609]: Grabbed execution mutex.
MSI (c) (B4:70) [11:02:05:781]: Cloaking enabled.
MSI (c) (B4:70) [11:02:05:781]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (B4:70) [11:02:05:781]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (5C:84) [11:02:05:828]: Grabbed execution mutex.
MSI (s) (5C:88) [11:02:05:828]: Resetting cached policy values
MSI (s) (5C:88) [11:02:05:828]: Machine policy value ‘Debug’ is 0
MSI (s) (5C:88) [11:02:05:828]: ******* RunEngine:
******* Product: {ac76ba86-7ad7-1033-7b44-a90000000001}
******* Action:
******* CommandLine: **********
MSI (s) (5C:88) [11:02:05:828]: Machine policy value ‘DisableUserInstalls’ is 0
MSI (s) (5C:88) [11:02:05:828]: User policy value ‘SearchOrder’ is ‘nmu’
MSI (s) (5C:88) [11:02:05:828]: User policy value ‘DisableMedia’ is 0
MSI (s) (5C:88) [11:02:05:828]: Machine policy value ‘AllowLockdownMedia’ is 0
MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Media enabled only if package is safe.
MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Looking for sourcelist for product {ac76ba86-7ad7-1033-7b44-a90000000001}
MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Adding {ac76ba86-7ad7-1033-7b44-a90000000001}; to potential sourcelist list (pcode;disk;relpath).
MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Now checking product {ac76ba86-7ad7-1033-7b44-a90000000001}
MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Media is enabled for product.
MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Attempting to use LastUsedSource from source list.
MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Processing net source list.
MSI (s) (5C:88) [11:02:05:828]: SOURCEMGMT: Trying source \\spring-lake\shared\Userapps\reader9\.
MSI (s) (5C:88) [11:02:06:156]: Note: 1: 2303 2: 5 3: \\spring-lake\shared\
MSI (s) (5C:88) [11:02:06:156]: Note: 1: 2303 2: 5 3: \\spring-lake\shared\
MSI (s) (5C:88) [11:02:06:156]: Note: 1: 2303 2: 5 3: \\spring-lake\shared\
MSI (s) (5C:88) [11:02:06:156]: Note: 1: 2203 2: \\spring-lake\shared\Userapps\reader9\AcroRead.msi 3: -2147287035
MSI (s) (5C:88) [11:02:06:156]: Note: 1: 1706 2: -2147483646 3: AcroRead.msi
MSI (s) (5C:88) [11:02:06:156]: SOURCEMGMT: Processing media source list.
MSI (s) (5C:88) [11:02:07:234]: Note: 1: 2203 2: 3: -2147287037
MSI (s) (5C:88) [11:02:07:234]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.
MSI (s) (5C:88) [11:02:07:234]: Note: 1: 1706 2: -2147483647 3: AcroRead.msi
MSI (s) (5C:88) [11:02:07:234]: SOURCEMGMT: Processing URL source list.
MSI (s) (5C:88) [11:02:07:234]: Note: 1: 1402 2: UNKNOWN\URL 3: 2
MSI (s) (5C:88) [11:02:07:234]: Note: 1: 1706 2: -2147483647 3: AcroRead.msi
MSI (s) (5C:88) [11:02:07:234]: Note: 1: 1706 2: 3: AcroRead.msi
MSI (s) (5C:88) [11:02:07:234]: SOURCEMGMT: Failed to resolve source
MSI (s) (5C:88) [11:02:07:234]: MainEngineThread is returning 1612
MSI (c) (B4:70) [11:02:07:234]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (B4:70) [11:02:07:234]: MainEngineThread is returning 1612
=== Verbose logging stopped: 11/14/2008 11:02:07 ===
Yes, the MSI works by itself; of course I have to input the serial, and attend the whole install.
I just noticed you are installing Acrobat, not Reader. I’m guessing your problem is that it asks for a serial. When you assign a MSI to a computer it can’t interact with the installer so I’m guessing that’s your problem. You need to get the serial into to MSI or use an MST, I’ve never deployed Acrobat so I really can’t help you there.
I noticed that if we use local administrator to uninstall the package adobe reader 8, then once i reboot, and unlink the PC from OU and link to another OU with adobe9 , it failed to install, but from log on status, we can see the application of removal take place, but not the installation.
Any idea ?
Try to run the package with the Sysinternals tool PsExec and run the MSI package from one of your clients. Using PsExec will allow you to run msiexec with the local System account(the same is used when installing from a GPO) this way you’ll make sure the MSI works as it should. If this works then we need to take a look at the group policies. You can get PsExec from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx.
Run PsExec:
psexec.exe -sid “msiexec.exe -i \\Server\Share\AdobeREader.msi
Let me know how if it works.
I know this is a pretty old post, so if you dont respond, no worries… we have just moved out application deployment folder to a new machine (decomissioned the old machine). So as it is now, I have a Reader 9.1 GPO pulling from the old source that installs on users desktops… I want to modify that to install 9.3.1 but I cant modify the old GPO because it points to a non-existant folder where Reader used to be….
So I tried to just create a new one… to install the new reader… but it seems to install EVERYTIME I reboot a machine, and Adobe Reader 9.1 shows on the desktop still (we keep the link on the desktop) but its greyed out, Reader 9.3 works… but once I reboot it re-runs the installatino over and over again…
Any suggestions?
I’m not sure what’s going on there but you should be able to do an upgrade GPO, so is upgrades from 9.1 to 9.3. The upgrade install should uninstall the old version. Also check your eventlog to see why it keeps reinstalling the 9.3 version.
Also you’d be better of to put any GPO installs to an DFS share. Otherewise when you move an package from one server to another it will reinstall the package.
I’ll help if I can, old post or not.
I have only been at this company for a year, so I didnt have a say in where this package was originally.
So I was thinking over the weekend…. if I was to delete the existing 9.1 GPO (that points to the soon to be non-existant share) – recreate it, pointing it to the new location for 9.1. After this I will do what the article says with the 9.3.1 installation package as an upgrade to 9.1.
When this is done, in theory… the new GPO should uninstall 9.1 and install 9.3.1…. I will test this today in my test OU to see if I can get that working. Thanks for the reply… I am going to discuss some DFS stuff with my CIO also to choose a better location for our installation directory.
Update – did what I said – it worked – 9.1 is uninstalled and 9.3 is now installed – only issue is that I get the dreaded “The Adobe Acrobat/Reader that is running cannot be used to view PDF files in a web browser…”.
Before this upgrade I was able to open PDFs just fine on my test machine in a browser… some posts I saw said it has to do with an old installation directory… could this be because I re-created the GPO and am not modifying the exisiting one? (the one that points to the old location so I had to recreate)
Obviously if I cant get this to work I’ll have to stick with the old version… kind of unfortunate considering how many vulnerabilities it has…
[...] Below is an article that I ran across on nixadmins.net that I found very helpful. It can be used along with my blog post that I wrote on 4-8-2001 titled “Installing the Microsoft office 2007 compatibility pack through Group Policy with Server 2003” I take no credit for the following and the original article can be read here. [...]
Hi I have followed your clear instructions, but I can’t get it to install. If manually access \\Servername\Path\to\AcroRead.msi, it installs, but if I use Group Policy as above I get an error message:
“The installation package could not be opened. Verify that the pacjkage exists and that you can access it, or contact the vendor to verify that it is a valid Windows Installer package.” I seem to spend all my time updating Adobe and would like to automate this.
Hi Tony,
as I replied above try to user PSExec to see that the computer account can access the install package.
If you run it manually you will run it with user privileges, but when the GP installation is done it will use the computer account.
psexec.exe -sid “msiexec.exe -i \\Server\Share\AdobeREader.msi”
Should do it. You can get PSExec from http://www.microsoft.com/sysinternals
Let me know if it works using PSExec.
[...] Upgrade to / install Adobe Acrobat Reader 9 centrally using Active Directory group policies. [...]
I’ll right away grasp your rss feed as I can not find your e-mail subscription hyperlink or e-newsletter service. Do you have any? Kindly permit me recognise so that I could subscribe. Thanks.
Like ….
I enjoy what you guys are usually up too. This type of clever work and coverage!
Keep up the wonderful works guys I’ve included you guys to my blogroll.
Very good write-up. I certainly love this website.
Continue the good work!
My weblog … A