• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 444
  • Last Modified:

Unable to "removing managed software" with non-admin user

I'm having trouble with SW deployment via GPO's

After successfull deployment (via GPOx that applies the SW package at user level to specific security groups within AD) of a vendor-specific application located on a local distr. point...
months later i now need to remove this application as it has recently been implemented as HTTP, which means the local application on each client is no longer needed.
- Assuming the package would be removed without any hickups, the GPO was deleted in order to force this action.
- When the clients retrieve new policy settings user login, they initiate the "removing managed software" but never advance any further and gets stuck there.
- I found a quick "work-around" by reseting the machine, assign the specific user local admin group membership, and this then successfully removes the app. during user login.

I was later required to RE-install the same app. for temp use for a week (which was deployed via a new GPO...lets call it GPOz), which has come and gone and i now need to remove the application again (obviously this time i want to avoid the same scenario).

I have created a test GPOy, OU, computer & user to simulate the production environment. I have tried all possible combinations of removal of the package (with out deleting GPOy) but it hangs everytime removal during login is attempted through a non-admin user.
NB: no related event is ever created in EVENT LOG

Any and all solutions welcome, my aim is to automate the removal of the application!
0
rpgsi
Asked:
rpgsi
  • 3
  • 3
2 Solutions
 
mcse2007Commented:
when you deploy the application through GPO, you have the option to uninstall the application?
0
 
rpgsiAuthor Commented:
Are you refering to the "uninstall this application when it falls out of the scope of management" option in the deployment tab?

because this option is selected, and when i diable the link to the OU container, at the next user login it gets stuck at "removing managed software".
0
 
Netman66Commented:
Make sure in this same GPO you set the "Always Install with elevated privileges" element.

Computer Config>Admin Templates>Windows Components>Windows Installer.

0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
rpgsiAuthor Commented:
before commenting i decided to read in a little about this policy setting you mentioned.
ALWAYS INSTALL WITH ELEVATED PRIVILEGES properties:
"Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.

Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure."

So according to this info (found on the GPO editor console), this policy must be applied to both user&computer config.
BUT i have another question... Does this now grant user local admin group membership ?... how exactly can users "take advantage of the permissions this settings grants"  as stated above ?
0
 
Netman66Commented:
No, by setting this element, you are giving the computer elevate privileges for Windows Installer.  Since it's during the boot process that this is happening you don't want to give the user's elevated rights to use the Installer Service.

If that doesn't work, then make the setting under the User Configuration setting.  This will affect their ability to install software as long as the policy is in effect.  So you want to unlink it AFTER the software gets removed on all machines.

This does NOT give the user Admin rights - only elevated Installer rights.

0
 
rpgsiAuthor Commented:
"Since it's during the boot process that this is happening you don't want to give the user's elevated rights to use the Installer Service."
Not quite, as i had said before, this package was applied on the user config. therefor this occurs during user login, and not during boot up.

Eitherway, i have performed this on the test environment and so far so good, im glad to see my problem solved !   Now all that is left is to do the same on the prod. OU.

Thanx for your help !
0
 
Netman66Commented:
No problem, I didn't catch it when you stated after logon.  Regardless, you've gotten things in hand now.

Thanks
NM
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now