Solved

MSI Package in User Config is not installing with elevated admin privileges

Posted on 2008-10-01
Last Modified: 2011-10-19
Computer is XP SP3 and Domain is 2003 R2 SP2.

I have a program that comes as an *.msi that I would like to install under the User and NOT the Computer.
I have the package set under User Configuration, set as Assigned, with the Uninstall out of Scope selected.

Also, I have even tried this with the policy "Always install with elevated privileges" Enabled in BOTH the "User Configuration\Administrative Templates\Windows Components\Windows Installer" and the "Computer Configuration\Administrative Templates\Windows Components\Windows Installer" locations.

When installed with a non-admin user, the program seems to partially install. It will show up in the PC's Add/Remove Programs, but with the generic icon (similar to a msi icon) and the program does not function properly; but everything "thinks" it installed fully.

When I make that user a local admin, the program fully and properly installs. It shows up in the PC's Add/Remove Programs with the proper logo of the company that made it, and everything works as it should.

Any help to get this to install as a regular user instead of one with admin rights, is greatly appreciated.
Question by:npcincadmin
18 Comments
 
LVL 4

Expert Comment

by:lscapa
ID: 22616105
can you export your GP to an xml file or html and post it?
0
 

Author Comment

by:npcincadmin
ID: 22623471
I apologize for taking so long getting back to you. Had items that I had to take care of here first.

Here is the link to the *.htm file you were asking about:
http://65.98.120.5/~gpfiles/TEST%20User%20Goup%20Test.htm

Thank you for any help you can provide.
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22623904
Ok take a look at this section:
Deployment type: Assigned
Deployment source: \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
Installation user interface options: Basic
Uninstall this application when it falls out of the scope of management: Enabled
Do not display this package in the Add/Remove Programs control panel: Disabled
Install this application at logon: Disabled

Since you have this set under User Configuration we are working with a "Publish" scenario. If you're looking at a mandatory package (i.e. lab machines in a school, etc.) then this needs to go under Computer Configuration.
Now it's been awhile since I've used GPO to do software installs (we use SMS now) but you have both the installation types set to Disabled.
Are you wanting it to auto install or the users have the option to install?
 
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22623921
Take a look at http://support.microsoft.com/kb/816102. Notice you can't have both these selected or the software doesn't take any action. It gets assigned but it won't run. And the user can't request it because it is hidden.
0
 

Author Comment

by:npcincadmin
ID: 22624289
I want this to auto-install on a per user basis, so that when User-A has to go to another PC temporarily, the program goes with them. But then when they are done at that temp PC, the program will not be there for others to use. But, I do not want any user interaction and the program cannot be fired off from a file extension activation.

This is why I have it set to "Assigned" and "Uninstall When out of Scope". After everything works fine, I planned on selecting the "Do Not Display in Add/Remove" so it will not show up under the Add New Programs portion of Add/Remove Programs.

I have tried this with the "Install this application at logon" enabled and disabled, with the same results.

The thing that I don't understand, everything works exactly as I want it to IF the user is a Local Admin of the machine, but fails if they are not an admin, even though I have the "Always install with elevated privileges" set.
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22624719
First off to accomplish what you are after you will need the "Install this application at logon" selected.
Also run gpresult /v > gp.txt & gp.txt from a client with a user that would have this assigned. Post the results in a file.
0
 

Author Comment

by:npcincadmin
ID: 22625083
That option is now selected and the file should be attached.

Thank you again for your help and time with this.
0
 

Author Comment

by:npcincadmin
ID: 22625286
Apparently the site doesn't like IE8, as far as file attachments.
NOW . . . the file should be attached.

gp.txt
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22625366
For one it looks as if you have the install in twice...

Resultant Set Of Policies for User:
    ------------------------------------
        Software Installations
        ----------------------
            GPO: TEST DeviceLock User Goup Test
                Name:             DeviceLock Service
                Version:          6.21
                Deployment State: Assigned
                Source:           \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
                AutoInstall:      True
                Origin:           ARP List item
            GPO: TEST DeviceLock User Goup Test
                Name:             DeviceLock Service
                Version:          6.21
                Deployment State: Assigned
                Source:           \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
                AutoInstall:      True
                Origin:           Applied Application
 
Let's do this to test:
1. Remove both
2. Add only one (it resets the hash assigned to the msi) as published other than that don't select anything, just keep it at default.
3. Run gpupdate /force and reboot if prompted.
Does it show up in Add/Remove software (make sure to select Install from network... I know all the small things...)?
Look in the system log: is there a failure from MSIEXEC on boot?
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22625377
Second question:
Does the polregcl.msi install ok to the machines?
0
 

Author Comment

by:npcincadmin
ID: 22625534
Yes it does.
0
 

Author Comment

by:npcincadmin
ID: 22626376
OK, just saw that you posted 2 things. The answer to the second was Yes, polregcl.msi installs properly. But it is on the Computer Config side.

Now for the first . . . I recreated the package, set it to Assigned, Uninstall out of scope, Install at logon, and Basic.

The Installer is showing up in the "Add programs from your network" portion of Add/Remove.
BUT this time there is no goofed install showing in the main page of Add/Remove.
And it is FINALLY showing some errors in the Application Event Logs; it was not doing this before, that's why I said everything appeared to install fine.

For some reason, the errors show that: Fatal error during installation and does not give more info.

I logged off, made that user a Local Admin, logged back on, and *poof* it worked just fine.
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22626680
Ok so the issue lies within the MSI file. Does it require an installation key to be entered?
Run the msi like this as a user and see what it says:
msiexec /i MSIFILE.MSI /qb
That is basically what the GP will be sending to the local clients. Does it run?
0
 

Author Comment

by:npcincadmin
ID: 22627023
No, it does not require a key or any user input for installation.
It is a similar idea as GPPE, it is the client end of a program installed on my domain controller and that is how they "interact".


When I run that as a normal user I get an error box that pops up and says:
   10/2/2008 14:21:00: RemoveService - Access is denied. (5)

When I run that with the user as Local Admin, it installs perfectly fine.
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22627529
You'll need Process Explorer from sysinternals (oh wait I mean TechNet)
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Start the monitoring then run the app again as a user. Look to see what regkey is getting access denied.
Alternatively,
You could set a batch script and run "runas /profile /env /user:domain\adminaccount MSIFILE.MSI" but you'll need to specify the password in clear text and that's not really secure.
0
 

Author Comment

by:npcincadmin
ID: 22635096
Attached is an xls of the csv of the results from with filtering so that only "msiexec.exe" and "ACCESS DENIED" show.

Only thing is, I don't see anything that really corresponds to the RemoveService - Access is denied. (5) error. The worst thing I see is the CreateFile towards the bottom. Everything else seems to be different types of certificate errors.

What is your opinion?
Logfile.xls
0
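The filter described in the comment above (msiexec.exe rows with an ACCESS DENIED result), as an added example that is not part of the original thread: it collapses a Process Monitor CSV export to one record per operation and path, then separates denials that asked for write access from read or probe attempts. The sample rows, the paths in them and the function names are constructed for illustration and are not taken from the poster's Logfile.xls.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed rows in Process Monitor's CSV export layout; not the poster's Logfile.xls.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:21:00.101 PM","msiexec.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\SystemCertificates\Root","ACCESS DENIED","Desired Access: All Access"
"2:21:00.102 PM","msiexec.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\SystemCertificates\Root","ACCESS DENIED","Desired Access: All Access"
"2:21:00.150 PM","msiexec.exe","1234","RegOpenKey","HKLM\SOFTWARE\Example\Settings","ACCESS DENIED","Desired Access: Maximum Allowed"
"2:21:00.200 PM","msiexec.exe","1234","CreateFile","C:\WINDOWS\system32\example.dll","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"2:21:00.250 PM","explorer.exe","900","RegOpenKey","HKLM\SOFTWARE\Example","ACCESS DENIED","Desired Access: Read/Write"
"2:21:00.300 PM","msiexec.exe","1234","RegQueryValue","HKLM\SOFTWARE\Example\Settings\Path","SUCCESS","Type: REG_SZ"
'''

# Access strings that mean the caller wanted to change something.
WRITE_INTENT = re.compile(r"write|all access|set value|create|delete", re.I)
# Pull the requested access out of the Detail column (file rows continue with "Disposition:").
ACCESS = re.compile(r"Desired Access:\s*(.*?)(?:,\s*Disposition:|$)")


def denied_events(csv_text, process="msiexec.exe"):
    """Collapse one process's ACCESS DENIED rows to a record per (operation, path)."""
    found = defaultdict(lambda: {"count": 0, "access": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue
        rec = found[(row["Operation"], row["Path"])]
        rec["count"] += 1
        match = ACCESS.search(row["Detail"])
        if match:
            rec["access"].add(match.group(1).strip())
    return found


def triage(found):
    """Split denials into write attempts (likely install blockers) and read/probe noise."""
    blockers, noise = [], []
    for (op, path), rec in sorted(found.items()):
        wants_write = any(WRITE_INTENT.search(a) for a in rec["access"])
        (blockers if wants_write else noise).append((op, path, rec["count"]))
    return blockers, noise


if __name__ == "__main__":
    blockers, noise = triage(denied_events(SAMPLE_CSV))
    for op, path, n in blockers:
        print(f"WRITE DENIED x{n}  {op:12} {path}")
    for op, path, n in noise:
        print(f"probe/read   x{n}  {op:12} {path}")
```

Process Monitor records file, registry, process and network activity; a denial returned by the Service Control Manager, such as the RemoveService error quoted earlier in the thread, is not one of those operations and will not appear in these rows.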
 
LVL 4

Accepted Solution

by:
lscapa earned 500 total points
ID: 22635347
It's trying to update the Certificates registry keys and the joystick??? I get the Certs but the joystick? Anyhow, it looks as if the developers didn't include the needed support to install without being the admin or an admin account (you could ask for a rewrite and hold your breath) or create an exe to kick off the install using runas so the password is hidden. Either way this is not an issue with AD or the Group Policy settings at this point. I think we've cleared that up.
It seems the MSI itself will not support a non-admin user account from installing it.
Options at this point would be:
1. Use RUNAS (very unsecure since the password is in clear text if in a vb script)
2. Ask for rewrite of the MSI (very unlikely)
3. Purchase a management tool that runs a service that can install this (such as SMS, LanDesk or Desktop Central - cheaper and still does the job)
http://manageengine.adventnet.com/products/desktop-central/index.html
 
0
 

Author Comment

by:npcincadmin
ID: 22635840
I am glad I am not the only one confused on the joystick part.
WOW.

We have been thinking about going with System Center Configuration Manager 2007.
I may have to move that higher into my priority list.

I also may attempt to modify that package with WinInstall LE.
I am pretty novice at it, but failing at this task may still be worth the experience gained.

I again want to thank you for all of the time you put into helping with this.
Have a great weekend.
0
