Solved

Unable to "removing managed software" with non-admin user

Posted on 2007-11-21
Last Modified: 2008-05-31
I'm having trouble with SW deployment via GPOs.

After successful deployment (via GPOx that applies the SW package at user level to specific security groups within AD) of a vendor-specific application located on a local distr. point...
months later I now need to remove this application as it has recently been implemented as HTTP, which means the local application on each client is no longer needed.
- Assuming the package would be removed without any hiccups, the GPO was deleted in order to force this action.
- When the clients retrieve new policy settings at user login, they initiate the "removing managed software" but never advance any further and get stuck there.
- I found a quick "work-around" by resetting the machine, assigning the specific user local admin group membership, and this then successfully removes the app. during user login.

I was later required to RE-install the same app. for temp use for a week (which was deployed via a new GPO...let's call it GPOz), which has come and gone and I now need to remove the application again (obviously this time I want to avoid the same scenario).

I have created a test GPOy, OU, computer & user to simulate the production environment. I have tried all possible combinations of removal of the package (without deleting GPOy) but it hangs every time removal during login is attempted through a non-admin user.
NB: no related event is ever created in EVENT LOG

Any and all solutions welcome, my aim is to automate the removal of the application!
Question by:rpgsi
7 Comments
 
LVL 7

Expert Comment

by:mcse2007
ID: 20327052
When you deploy the application through GPO, you have the option to uninstall the application?
0
 

Author Comment

by:rpgsi
ID: 20327098
Are you referring to the "uninstall this application when it falls out of the scope of management" option in the deployment tab?

Because this option is selected, and when I disable the link to the OU container, at the next user login it gets stuck at "removing managed software".
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 20328210
Make sure in this same GPO you set the "Always Install with elevated privileges" element.

Computer Config>Admin Templates>Windows Components>Windows Installer.

0
 

Author Comment

by:rpgsi
ID: 20328296
Before commenting I decided to read in a little about this policy setting you mentioned.
ALWAYS INSTALL WITH ELEVATED PRIVILEGES properties:
"Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.

Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure."

So according to this info (found on the GPO editor console), this policy must be applied to both user & computer config.
BUT I have another question... Does this now grant the user local admin group membership? How exactly can users "take advantage of the permissions this setting grants" as stated above?
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 500 total points
ID: 20328578
No, by setting this element, you are giving the computer elevated privileges for Windows Installer.  Since it's during the boot process that this is happening you don't want to give the users elevated rights to use the Installer Service.

If that doesn't work, then make the setting under the User Configuration setting.  This will affect their ability to install software as long as the policy is in effect.  So you want to unlink it AFTER the software gets removed on all machines.

This does NOT give the user Admin rights - only elevated Installer rights.

0
 

Author Comment

by:rpgsi
ID: 20328662
"Since it's during the boot process that this is happening you don't want to give the user's elevated rights to use the Installer Service."
Not quite, as I had said before, this package was applied on the user config. Therefore this occurs during user login, and not during boot up.

Either way, I have performed this on the test environment and so far so good, I'm glad to see my problem solved!   Now all that is left is to do the same on the prod. OU.

Thanks for your help!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20329052
No problem, I didn't catch it when you stated after logon.  Regardless, you've gotten things in hand now.

Thanks
NM
0
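
Added example, not part of the original thread: a PowerShell check that reports whether "Always install with elevated privileges" is still in force for the logged-on user, which is useful for confirming the setting is gone once the removal GPO has been unlinked. It assumes the two GPO settings write the `AlwaysInstallElevated` value under the standard Windows Installer policy keys in HKLM and HKCU; the function name is hypothetical.

```powershell
# Added example: audit the AlwaysInstallElevated policy for the current user.
# Assumption: the Computer and User Configuration settings are stored as the
# DWORD "AlwaysInstallElevated" under the Windows Installer policy keys below.
$ValueName  = 'AlwaysInstallElevated'
$PolicyKeys = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-InstallerElevationState {
    # Hypothetical helper name; returns one object with a flag per scope.
    param([System.Collections.IDictionary]$Keys = $PolicyKeys)

    $state = [ordered]@{}
    foreach ($scope in $Keys.Keys) {
        # A missing key or value means "Not Configured" in that scope.
        $item = Get-ItemProperty -Path $Keys[$scope] -Name $ValueName -ErrorAction SilentlyContinue
        $state[$scope] = ($null -ne $item) -and ($item.$ValueName -eq 1)
    }
    # Per the policy note quoted in the thread, the setting only takes
    # effect when it is enabled in both folders.
    $state['Effective'] = $state['Computer'] -and $state['User']
    [pscustomobject]$state
}

$result = Get-InstallerElevationState
$result | Format-List

if ($result.Effective) {
    Write-Warning 'Enabled in both scopes: MSI packages launched by this user run with elevated Installer rights.'
} elseif ($result.Computer -or $result.User) {
    Write-Output 'Enabled in one scope only; per the policy note it is not effective, but the leftover value should be cleaned up.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled in either scope.'
}
```

Run it in the non-admin user's own session (HKCU is per user) after the GPO has been unlinked and policy has refreshed.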
