Deploying and using Active Sync in a secured (non-admin) environment

We have a Windows Server 2003 SP2 (standard edition) based Active Directory Domain, and all of our users are restricted users (non-admin).

I have added a GPO to Publish Active Sync 4.5 to the user, and it does show up in the user's Add-Remove programs, but when the user tries to install it, they get the error message complaining that they are not an administrative user.

I have also read that Active Sync wants administrative rights simply to synchronize on a daily basis, but I've also heard restricted users are able to use active sync.

Is it possible to publish, install, and use Active Sync 4.5 for non-admins?  If so, how?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

James MontgomeryCommented:
Hello OneSeventeen,

As a first port of call have you seent he comments here:


OneSeventeenAuthor Commented:
Most of those solutions seem to be related to version before 4.5, where the admin needed to create their own .msi out of a .exe file.

There is a link to a forum comment by "WISEUSER" on

The answer is to recondition the "CA_Nt5_PrimeInf" custom action in the "InstallExecuteSequnce" table, by adding "AND ( NOT REINSTALL )" to the condition. Remember to use a transform for this.

What exactly does this mean?  How do perform those instructions?
David Scott, MCSENetwork AdministratorCommented:
if you publish it, users have to be admins to install it.

assign it instead of publishing it
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

OneSeventeenAuthor Commented:
Just published it, I'll have the user log off and log back on to see if it worked.
David Scott, MCSENetwork AdministratorCommented:
you mean assigned it?
David Scott, MCSENetwork AdministratorCommented:
if assigning doesn't work:

in the gpo you used to assign the msi, go to computer configuration\administrative templates\windows components\windows installer

enable "Always install with elevated privileges."

read the explanation of that setting as it opens up some security, so i'd disable it after you're done with the installs

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
OneSeventeenAuthor Commented:
I will read up on that first, because it does look a little scary...

I'm shocked that corporate environments are:
1. the most likely place to use Active Sync
2. the most likely place to restrict user privileges

and that Active Sync doesn't seem to have any easy way to install for users with restricted privileges.

I assigned it, and it installed, but the user cannot configure active sync because admin rights are required.
David Scott, MCSENetwork AdministratorCommented:
i'm in favor of locking down machines via group policy instead of  not giving them admin rights on their machines.  Its more trouble than its worth in my experience.  

have good content filtering and web reporting software (websense, 8e6, etc) and users will be more hesistant to  go to wacky sites and click on links that install stuff. plus have good gateway AV, AS, IPS.  

anyway my 2 cents.  

regarding the active sync, i think the security is by design as active sync allows people to put company data on a mobile device which could be a security nightmare if not controlled.  

how many users do you have that need to configure the active sync?  

you could use the old right click run as and enter admin credentials trick to configure the active sync while logged in as a user, but still you'll have to do on own.

i'd try the install with elevated privleges, i think that will give them admin access to that program, then disable it

OneSeventeenAuthor Commented:
We have gateway AV, content filtering, and web reporting software, but our main problems are with users being able to install software and make system changes.

Anyway, with that said I got fed up and made the user a power user on his box.  I anticipate more problems from this computer now, and we still can't sync because the computer doesn't recognize his phone, but that's another story.

I'm going to accept the solution anyway because it does work.  I'm hesitant because it doesn't meet the requirement of "in a secured (non-admin) environment", but it appears that the true solution is that there isn't one.

Thanks for the help!
OneSeventeenAuthor Commented:
thanks again
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.