Solved

Unable to "removing managed software" with non-admin user

Posted on 2007-11-21
Last Modified: 2008-05-31
I'm having trouble with SW deployment via GPOs.

After successful deployment (via GPOx that applies the SW package at user level to specific security groups within AD) of a vendor-specific application located on a local distr. point...
months later I now need to remove this application as it has recently been implemented as HTTP, which means the local application on each client is no longer needed.
- Assuming the package would be removed without any hiccups, the GPO was deleted in order to force this action.
- When the clients retrieve new policy settings at user login, they initiate the "removing managed software" but never advance any further and get stuck there.
- I found a quick "work-around" by resetting the machine and assigning the specific user local admin group membership, and this then successfully removes the app. during user login.

I was later required to RE-install the same app. for temp use for a week (which was deployed via a new GPO... let's call it GPOz), which has come and gone and I now need to remove the application again (obviously this time I want to avoid the same scenario).

I have created a test GPOy, OU, computer & user to simulate the production environment. I have tried all possible combinations of removal of the package (without deleting GPOy) but it hangs every time removal during login is attempted through a non-admin user.
NB: no related event is ever created in EVENT LOG

Any and all solutions welcome, my aim is to automate the removal of the application!
Question by:rpgsi
7 Comments
 
LVL 7

Expert Comment

by:mcse2007
ID: 20327052
When you deploy the application through GPO, you have the option to uninstall the application?

Author Comment

by:rpgsi
ID: 20327098
Are you referring to the "uninstall this application when it falls out of the scope of management" option in the deployment tab?

Because this option is selected, and when I disable the link to the OU container, at the next user login it gets stuck at "removing managed software".
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 20328210
Make sure in this same GPO you set the "Always Install with elevated privileges" element.

Computer Config>Admin Templates>Windows Components>Windows Installer.


Author Comment

by:rpgsi
ID: 20328296
Before commenting I decided to read in a little about this policy setting you mentioned.
ALWAYS INSTALL WITH ELEVATED PRIVILEGES properties:
"Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.

Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure."

So according to this info (found on the GPO editor console), this policy must be applied to both user & computer config.
BUT I have another question... Does this now grant the user local admin group membership? How exactly can users "take advantage of the permissions this setting grants" as stated above?
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 500 total points
ID: 20328578
No, by setting this element, you are giving the computer elevated privileges for Windows Installer.  Since it's during the boot process that this is happening you don't want to give the users elevated rights to use the Installer Service.

If that doesn't work, then make the setting under the User Configuration setting.  This will affect their ability to install software as long as the policy is in effect.  So you want to unlink it AFTER the software gets removed on all machines.

This does NOT give the user Admin rights - only elevated Installer rights.


Author Comment

by:rpgsi
ID: 20328662
"Since it's during the boot process that this is happening you don't want to give the user's elevated rights to use the Installer Service."
Not quite, as I had said before, this package was applied on the user config., therefore this occurs during user login, and not during boot up.

Either way, I have performed this on the test environment and so far so good, I'm glad to see my problem solved! Now all that is left is to do the same on the prod. OU.

Thanks for your help!
LVL 51

Expert Comment

by:Netman66
ID: 20329052
No problem, I didn't catch it when you stated after logon.  Regardless, you've gotten things in hand now.

Thanks
NM
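
A defender-side check for the "Always install with elevated privileges" setting discussed in this thread, as an added example that is not part of any post: it reads the `AlwaysInstallElevated` policy value from the machine hive and from each loaded user hive, and reports where both are 1, which is the condition the quoted GPO editor note describes. The registry location `Software\Policies\Microsoft\Windows\Installer` is the standard one for this policy; the function names are hypothetical.

```powershell
# Added example (not from the thread): audit the AlwaysInstallElevated policy.
# The policy is effective only when the value is 1 in BOTH the machine hive
# and the user's hive, matching the note quoted from the GPO editor.
$SubKey = 'Software\Policies\Microsoft\Windows\Installer'
$Name   = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

function Get-AlwaysInstallElevatedReport {
    $machine = Get-PolicyValue -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey"

    # Walk every loaded user hive under HKEY_USERS (currently logged-on users).
    # Run elevated so that other users' hives are readable.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $user = Get-PolicyValue -Path "Registry::HKEY_USERS\$sid\$SubKey"
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                UserSid      = $sid
                MachineValue = $machine
                UserValue    = $user
                # Effective only when both sides are set to 1.
                Effective    = ($machine -eq 1 -and $user -eq 1)
            }
        }
}

$report = Get-AlwaysInstallElevatedReport
$report | Format-Table -AutoSize

# Surface the finding so a scheduled task or monitoring agent can pick it up.
if ($report | Where-Object Effective) {
    Write-Warning 'AlwaysInstallElevated is effective for at least one logged-on user.'
}
```

Running it after the GPO has been unlinked and policy has refreshed confirms that the value no longer remains on the client.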