Solved

MSI Package in User Config is not installing with elevated admin privileges

Posted on 2008-10-01
Last Modified: 2011-10-19
Computer is XP SP3 and Domain is 2003 R2 SP2.

I have a program that comes as an *.msi that I would like to install under the User and NOT the Computer.
I have the package set under User Configuration, set as Assigned, with the Uninstall out of Scope selected.

Also, I have even tried this with the policy "Always install with elevated privileges" Enabled in BOTH the "User Configuration\Administrative Templates\Windows Components\Windows Installer" and the "Computer Configuration\Administrative Templates\Windows Components\Windows Installer" locations.

When installed with a non-admin user, the program seems to partially install. It will show up in the PC's Add/Remove Programs, but with the generic icon (similar to a msi icon) and the program does not function properly; but everything "thinks" it installed fully.

When I make that user a local admin, the program fully and properly installs. It shows up in the PC's Add/Remove Programs with the proper logo of the company that made it, and everything works as it should.

Any help to get this to install as a regular user, instead of one with admin rights, is greatly appreciated.

Question by:npcincadmin

Expert Comment

by:lscapa
Can you export your GP to an XML file or HTML and post it?

Author Comment

by:npcincadmin
I apologize for taking so long getting back to you. Had items that I had to take care of here first.

Here is the link to the *.htm file you were asking about:
http://65.98.120.5/~gpfiles/TEST%20User%20Goup%20Test.htm

Thank you for any help you can provide.

Expert Comment

by:lscapa
Ok take a look at this section:
Deployment type: Assigned
Deployment source: \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
Installation user interface options: Basic
Uninstall this application when it falls out of the scope of management: Enabled
Do not display this package in the Add/Remove Programs control panel: Disabled
Install this application at logon: Disabled

Since you have this set under User Configuration we are working with a "Publish" scenario. If you're looking at a mandatory package (i.e. lab machines in a school etc.) then this needs to go under Computer Configuration.
Now it's been a while since I've used GPO to do software installs (we use SMS now) but you have both the installation types set to Disabled.
Are you wanting it to auto install or the users have the option to install?
 

Expert Comment

by:lscapa
Take a look at http://support.microsoft.com/kb/816102. Notice you can't have both these selected or the software doesn't take any action. It gets assigned but it won't run. And the user can't request it because it is hidden.

Author Comment

by:npcincadmin
I want this to auto-install on a per user basis, so that when User-A has to go to another PC temporarily, the program goes with them. But then when they are done at that temp PC, the program will not be there for others to use. But, I do not want any user interaction and the program cannot be fired off from a file extension activation.

This is why I have it set to "Assigned" and "Uninstall When out of Scope". After everything works fine, I planned on selecting the "Do Not Display in Add/Remove" so it will not show up under the Add New Programs portion of Add/Remove Programs.

I have tried this with the "Install this application at logon" enabled and disabled, with the same results.

The thing that I don't understand, everything works exactly as I want it to IF the user is a Local Admin of the machine, but fails if they are not an admin, even though I have the "Always install with elevated privileges" set.

Expert Comment

by:lscapa
First off, to accomplish what you are after you will need the "Install this application at logon" selected.
Also run gpresult /v > gp.txt & gp.txt from a client with a user that would have this assigned. Post the results in a file.

Author Comment

by:npcincadmin
That option is now selected and the file should be attached.

Thank you again for your help and time with this.

Author Comment

by:npcincadmin
Apparently the site doesn't like IE8, as far as file attachments.
NOW . . . the file should be attached.

gp.txt

Expert Comment

by:lscapa
For one it looks as if you have the install in twice...

Resultant Set Of Policies for User:
    ------------------------------------
        Software Installations
        ----------------------
            GPO: TEST DeviceLock User Goup Test
                Name:             DeviceLock Service
                Version:          6.21
                Deployment State: Assigned
                Source:           \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
                AutoInstall:      True
                Origin:           ARP List item
            GPO: TEST DeviceLock User Goup Test
                Name:             DeviceLock Service
                Version:          6.21
                Deployment State: Assigned
                Source:           \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
                AutoInstall:      True
                Origin:           Applied Application
 
Let's do this to test:
1. Remove both
2. Add only one (it resets the hash assigned to the msi) as published; other than that don't select anything, just keep it at default.
3. Run gpupdate /force and reboot if prompted.
Does it show up in Add/Remove software (make sure to select Install from network... I know, all the small things...)?
Look in the system log: is there a failure from MSIEXEC on boot?

Expert Comment

by:lscapa
Second question:
Does the polregcl.msi install ok to the machines?

Author Comment

by:npcincadmin
Yes it does.

Author Comment

by:npcincadmin
OK, just saw that you posted 2 things. The answer to the second was Yes, polregcl.msi installs properly. But it is on the Computer Config side.

Now for the first . . . I recreated the package, set it to Assigned, Uninstall out of scope, Install at logon, and Basic.

The Installer is showing up in the "Add programs from your network" portion of Add/Remove.
BUT this time there is no goofed install showing in the main page of Add/Remove.
And it is FINALLY showing some errors in the Application Event Logs; it was not doing this before, that's why I said everything appeared to install fine.

For some reason, the errors show that: Fatal error during installation and does not give more info.

I logged off, made that user a Local Admin, logged back on, and *poof* it worked just fine.

Expert Comment

by:lscapa
Ok, so the issue lies within the MSI file. Does it require an installation key to be entered?
Run the msi like this as a user and see what it says:
msiexec /i MSIFILE.MSI /qb
That is basically what the GP will be sending to the local clients. Does it run?
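
An added example (not part of the original thread): the same msiexec command with verbose logging, so that a bare "Fatal error during installation" can be traced to the action that failed, preceded by a check that the "Always install with elevated privileges" policy actually reached the client. `MSIFILE.MSI` is the thread's placeholder and the log path is an assumption; `Return value 3` is the marker Windows Installer writes to the log when an action fails.

```powershell
# Added example, not from the thread. Run as the affected (non-admin) user.
$msi = 'MSIFILE.MSI'                          # placeholder used in the thread
$log = Join-Path $env:TEMP 'msi-install.log'  # assumed log location

# 1. Did "Always install with elevated privileges" reach this client?
#    Windows Installer honours the policy only when the value is 1 in BOTH hives.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    $val = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated `
                -ErrorAction SilentlyContinue).AlwaysInstallElevated
    if ($null -eq $val) { $val = '(not set)' }
    '{0}: AlwaysInstallElevated = {1}' -f $hive, $val
}

# 2. The command from the thread, plus /l*v to write a verbose log.
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
            -ArgumentList "/i `"$msi`" /qb /l*v `"$log`""
"msiexec exit code: $($proc.ExitCode)"   # 1603 = fatal error during installation

# 3. Print every failed action together with the log lines leading up to it.
Select-String -Path $log -Pattern 'Return value 3' -Context 15, 0 |
    ForEach-Object {
        $_.Context.PreContext
        $_.Line
        '-' * 60
    }
```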

Author Comment

by:npcincadmin
No, it does not require a key or any user input for installation.
It is a similar idea as GPPE, it is the client end of a program installed on my domain controller and that is how they "interact".


When I run that as a normal user I get an error box that pops up and says:
   10/2/2008 14:21:00: RemoveService - Access is denied. (5)

When I run that with the user as Local Admin, it installs perfectly fine.

Expert Comment

by:lscapa
You'll need Process Explorer from sysinternals (oh wait I mean TechNet)
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Start the monitoring then run the app again as a user. Look to see what regkey is getting access denied.
Alternatively,
You could set a batch script and run "runas /profile /env /user:domain\adminaccount MSIFILE.MSI" but you'll need to specify the password in clear text and that's not really secure.

Author Comment

by:npcincadmin
Attached is an xls of the csv of the results from with filtering so that only "msiexec.exe" and "ACCESS DENIED" show.

Only thing is, I don't see anything that really corresponds to the RemoveService - Access is denied. (5) error. The worst thing I see is the CreateFile towards the bottom. Everything else seems to be different types of certificate errors.

What is your opinion?
Logfile.xls

Accepted Solution

by:lscapa
It's trying to update the Certificates registry keys and the joystick??? I get the Certs but the joystick? Anyhow, it looks as if the developers didn't include the needed support to install without being the admin or an admin account (you could ask for a rewrite and hold your breath) or create an exe to kick off the install using runas so the password is hidden. Either way this is not an issue with AD or the Group Policy settings at this point. I think we've cleared that up.
It seems the MSI itself will not support a non-admin user account installing it.
Options at this point would be:
1. Use RUNAS (very unsecure since the password is in clear text if in a vb script)
2. Ask for rewrite of the MSI (very unlikely)
3. Purchase a management tool that runs a service that can install this (such as SMS, LanDesk or Desktop Central - cheaper and still does the job)
http://manageengine.adventnet.com/products/desktop-central/index.html
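
An added example (not part of the original thread): one way to see how a package's custom actions are authored, by reading the MSI's CustomAction table through the `WindowsInstaller.Installer` COM object. Immediate and impersonating actions run with the installing user's token even when Windows Installer itself is elevated; the MSI path is a placeholder, and whether this is what fails in the DeviceLock package is an assumption the thread does not confirm.

```powershell
# Added example, not from the thread. $msiPath is a placeholder.
$msiPath = 'C:\Temp\MSIFILE.MSI'

# Custom action option bits (msidbCustomActionType* in the Windows Installer SDK)
$InScript      = 0x400   # deferred: runs from the installation script
$NoImpersonate = 0x800   # deferred action runs as LocalSystem, not as the user

# The Installer automation objects are late-bound, so call them via InvokeMember.
function Invoke-Com($obj, $name, $kind, $comArgs) {
    $obj.GetType().InvokeMember($name, $kind, $null, $obj, $comArgs)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($msiPath, 0)   # 0 = read-only
$view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Action`, `Type` FROM `CustomAction`')
Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null

# Walk the table and report the security context each action is authored for.
while ($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) {
    $action = Invoke-Com $rec 'StringData' 'GetProperty' @(1)
    $type   = [int](Invoke-Com $rec 'IntegerData' 'GetProperty' @(2))

    if (($type -band $InScript) -eq 0) {
        $context = 'immediate: runs as the installing user'
    } elseif ($type -band $NoImpersonate) {
        $context = 'deferred, no impersonation: LocalSystem in an elevated install'
    } else {
        $context = 'deferred, impersonating: runs as the installing user'
    }
    '{0,-40} 0x{1:X4}  {2}' -f $action, $type, $context
}
Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
```

Actions that stop, remove or create services need the deferred, no-impersonation form to succeed for a non-admin user in an elevated install.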
 

Author Comment

by:npcincadmin
I am glad I am not the only one confused on the joystick part.
WOW.

We have been thinking about going with System Center Configuration Manager 2007.
I may have to move that higher into my priority list.

I also may attempt to modify that package with WinInstall LE.
I am pretty novice at it, but failing at this task may still be worth the experience gained.

I again want to thank you for all of the time you put into helping with this.
Have a great weekend.