| Author | Messages | |
JamieNelson
Posts:166
 | | 12/16/2009 2:11 PM |
| Well for starters, if you need to install this "per-user" but it still requires administrative rights to install, then your application is poorly designed. If I were you, I would be letting the application vendor know, and complaining until they fix it. It amazes me how clueless most of them are when it comes to packaging an application to comply with LUA principles that have been around since Windows XP hit the scene over 8 years ago. Those same vendors are now running into all kinds of problems getting their apps to install/run on Windows Vista/7, because they still assume that every user has admin rights. Anyone in a decent sized company knows this is a big pain in the rear. Don't ever accept a vendor response of "give them admin rights and it will work" as that only makes the problem worse in the long run. Doing it as a temporary workaround is one thing, assuming the vendor has committed to correcting the problem, but it should never be accepted as a "fix." Sorry for the rant, but I really feel this is an important issue to bring up. Too many people just accept it for what it is, when in reality a simple phone call to the right people is all it takes to get things going in the right direction. You'd be surprised how willing most vendors are to work with you, given you politely and tactfully point out how this is no longer accepted in the industry. If they refuse to change, then refuse to continue buying their product. Anyways, on to your question...
A user-based package does not elevate permissions by default, but there is a policy setting called "Always install with elevated privileges" that should do the trick. Keep in mind, however, that this is a blanket setting. It won't apply just to the package(s) you are installing. It directs Windows Installer to use SYSTEM permissions when installing ANY program on the system. It is a bit of a security risk, so you definitely would want to take this into consideration before turning it on.
The setting is in both User and Computer Configuration under Administrative Templates > Windows Components > Windows Installer. It must be enabled in both areas for the setting to be effective. One thing you could do to limit where this applies is to enable the computer setting to all computers with one GPO. Then, for each "per-user" package you need to install, create a new GPO containing your application and the user-based setting. This way, the "Always install with elevated privileges" only applies when a user is in scope of a GPO with a "per-user" package. Of course, if your "per-user" package(s) needs to be applied to everyone in your domain, this approach wouldn't really do you much good.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Mariani
Sent: Tuesday, November 10, 2009 5:06 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] User Software Installation
Hi All,
We have a piece of software that needs to be installed per user. Normally I would use a computer based GPO but this will not work as it needs to be user based. I cannot even use "runas" on the workstation as the software installs into the local user profile rather than the "runas" user profile.
Does anyone have any tips on this? Does using a user based package temporarily elevate privileges to allow installation?
At the moment I need to (manually) add the user to local admin group, log on as the user, install the software and then remove from the local admin group.
Regards,
Robert Mariani Applications Manager
-- The Buchan Group, Melbourne
| | | |
|
|
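An audit sketch for the "Always install with elevated privileges" setting discussed in the reply above. This is an added example, not part of either message. It assumes the policy is stored as the `AlwaysInstallElevated` DWORD under `SOFTWARE\Policies\Microsoft\Windows\Installer` in both the machine and user hives, and that it is run from an elevated prompt so other users' loaded hives are readable.

```powershell
# Added example: report where "Always install with elevated privileges" is in force.
# Per the reply above, the setting only takes effect when BOTH the Computer
# and the User side are enabled, so each side is reported separately.

$subKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$valueName = 'AlwaysInstallElevated'

function Test-InstallerPolicy {
    param([string]$Path)
    # A missing key or missing value means "not configured" on that side.
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

$computerOn = Test-InstallerPolicy "HKLM:\$subKey"

# HKEY_USERS only contains hives of profiles that are currently loaded.
# The pattern keeps account SIDs and skips the "<SID>_Classes" hives.
$report = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid    = $_.PSChildName
        $userOn = Test-InstallerPolicy "Registry::HKEY_USERS\$sid\$subKey"

        # Resolve the SID to an account name; fall back to the raw SID
        # for orphaned profiles whose account no longer exists.
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        [pscustomobject]@{
            Account        = $account
            ComputerPolicy = $computerOn
            UserPolicy     = $userOn
            Effective      = ($computerOn -and $userOn)
        }
    }

$report | Sort-Object Effective -Descending | Format-Table -AutoSize
```

Rows with `Effective = True` are the accounts for which Windows Installer will run any MSI with SYSTEM permissions on this machine. With the scoped-GPO layout suggested above, only users in scope of a "per-user" package GPO should appear that way.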