MSI Package in User Config is not installing with elevated admin privliges

Computer is XP SP3 and Domain is 2003 R2 SP2.

I have a program that comes as an *.msi  that I would like to install under the User and NOT the Computer.
I have the package set under User Configuration, set as Assigned, with the Uninstall out of Scope selected.

Also, I have even tried this with the policy "Always install with elevated privileges" Enabled in BOTH the "User Configuration\Administrative Templates\Windows Components\Windows Installer" and the "Computer Configuration\Administrative Templates\Windows Components\Windows Installer" locations.

When installed with a non-admin user, the program seems to partially install. It will show up in the PC's Add/Remove Programs, but with the generic icon (similar to a msi icon) and the program does not function properly; but everything "thinks" it installed fully.

When I make that user a local admin, the program fully and properly installs. It shows up in the PC's Add/Remove Programs with the proper logo of the company that made it, and everything works as it should.

Any help to get this to install as a regular user instead of one with admin rights, is greatly appreciated.
npcincadminAsked:
Who is Participating?
 
lscapaConnect With a Mentor Commented:
It's trying to update the Certificates registry keys and the joystick??? I get the Certs but the joystick? Anyhow, it looks as if the developers didn't include the needed support to install without being the admin or an admin account (you could ask for a rewrite and hold your breath) or create a exe to kick off the install using runas so the password is hidden. Either way this is not an issue with AD or the Group Policy settings at this point. I think we've cleared that up.
It seems the MSI itself will not support a non admin user account from installing it.
Options at this point would be:
1. Use RUNAS (very unsecure since the password is in clear text if in  a vb script)
2. Ask for rewrite of the MSI (very unlikely)
3. Purchase a management tool that runs a service that can install this (such as SMS, LanDesk or Desktop Central - cheaper and still does the job)
http://manageengine.adventnet.com/products/desktop-central/index.html
 
0
 
lscapaCommented:
can you export your GP to an xml file or html and post it?
0
 
npcincadminAuthor Commented:
I apologize for taking so long getting back to you. Had items that I had to take care of here first.

Here is the link to the *.htm file you were asking about:
http://65.98.120.5/~gpfiles/TEST%20User%20Goup%20Test.htm

Thank you for any help you can provide.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
lscapaCommented:
Ok take a look at this section:
Deployment type Assigned Deployment
source \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
Installation user interface options Basic
Uninstall this application when it falls out of the scope of management Enabled
Do not display this package in the Add/Remove Programs control panel Disabled
Install this application at logon Disabled

Since you have this set under User Configuration we are working with a "Publish" scenerio. If your looking at a mandentory package (ie lab machines in a school ect) then this needs to go under Computer Configuration.
Now it's been awhile since I've used GPO to do software installs (we use SMS now) but you have both the installation types set to Disabled.
Are you wanting it to auto install or the users have the option to install?
 
0
 
lscapaCommented:
Take a look at http://support.microsoft.com/kb/816102. notice you can't have both these selected or the software doesn't take any action. It gets assigned but it won't run. And the user can't request it because it is hidden.
0
 
npcincadminAuthor Commented:
I want this to auto-install on a per user basis, so that when User-A has to go to another PC temporarily, the program goes with them. But then when they are done at that temp PC, the program will not be there for others to use. But, I do not want any user interaction and the program cannot be fired of from a file extension activation.

This is why i have it set to "Assigned" and "Uninstall When out of Scope". After everything works fine, I planned on selecting the "Do Not Display in Add/Remove" so it will not show up under the Add New Programs portion of Add/Remove Programs.

I have tried this with the "Install this application at logon" enabled and disabled, with the same results.

The thing that I don't understand, everything works exactly as I want it to IF the user is a Local Admin of the machine, but fails if they are not an admin, even though I have the "Always install with elevated privileges" set.
0
 
lscapaCommented:
First off to accomplish what you are after you will need the "Install this application at logon" selected.
Also run gpresult /v > gp.txt & gp.txt from a client with a user that would have this assigned. Post the results in a file.
0
 
npcincadminAuthor Commented:
That option is now selected and the file should be attached.

Thank you again for your help and time with this.
0
 
npcincadminAuthor Commented:
Apparently the site doesnt like IE8, as far as file attachments.
NOW . .  .the file should be attched.

gp.txt
0
 
lscapaCommented:
For one it looks as if you have the install in twice...

Resultant Set Of Policies for User:
    ------------------------------------
        Software Installations
        ----------------------
            GPO: TEST DeviceLock User Goup Test
                Name:             DeviceLock Service
                Version:          6.21
                Deployment State: Assigned
                Source:           \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
                AutoInstall:      True
                Origin:           ARP List item
            GPO: TEST DeviceLock User Goup Test
                Name:             DeviceLock Service
                Version:          6.21
                Deployment State: Assigned
                Source:           \\local.DOMAIN.com\NETLOGON\Installers\DeviceLock Service.msi
                AutoInstall:      True
                Origin:           Applied Application
 
Lets do this to test:
1. Remove both
2. Add only one (it resets the hash assigned to the msi) as published other than that don't select anything, just keep it at default.
3. Run gpupdate /force and reboot if prompted.
Does it show up in Add/Remove software (make sure to select Install from network... i know all the small things...)?
Look in the system log is there a failure from MSIEXEC on boot?
0
 
lscapaCommented:
Second question:
Does the polregcl.msi install ok to the machines?
0
 
npcincadminAuthor Commented:
Yes it does.
0
 
npcincadminAuthor Commented:
OK, just saw that you posted 2 things. The answer to the second was Yes, polregcl.msi installs properly. But it is on the Computer Config side.

Now for the first . . . I recreated the package, set it to Assigned, Uninstall out of scope, Install at logon, and Basic.

The Installer is showing up in the "Add programs from your network" portion of Add/Remove.
BUT this time there is no goofed install showing in the main page of Add/Remove.
And it is FINALLY showing some errors in the Application Event Logs; it was not doing this before, thats why I said everything appeared to install fine.

For some reason, the errors show that: Fatal error during installation and does not give more info.

I logged off, made that user a Local Admin, logged back on, and *poof* it worked just fine.
0
 
lscapaCommented:
Ok so the issue liews within the MSI file. Does it require a installation key to be entered?
Run the msi like this as a user and see what it says:
msiexec /i MSIFILE.MSI /qb
That is basically what the GP will be sending to the local clients. Does it run?
0
 
npcincadminAuthor Commented:
No, it does not require a key or any user input for installation.
It is a similar idea as GPPE, it is the client end of a program installed on my domain controller and that is how they "interact".


When I run that as a normal user I get an error box that pops up and says:
   10/2/2008 14:21:00: RemoveService - Access is denied. (5)

When I run that with the user as Local Admin, it installs perfectly fine.
0
 
lscapaCommented:
You'll need Process Explorer from sysinternals (oh wait I mean TechNet)
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Start the monitoring then run the app again as a user. Look to see what regkey is getting access denied.
Alternatively,
You could set a batch script and run "runas /profile /env /user:domain\adminaccount MSIFILE.MSI" but you'll need to specify the password in clear text and thats not really secure.
0
 
npcincadminAuthor Commented:
Attached is a xls of the csv of the results from with filtering so that only "msiexec.exe" and "ACCESS DENIED" show.

Only thing is, I don't see anything that really corresponds to the RemoveService - Access is denied. (5) error. The worse thing I see is the CreateFile towards the bottom. Everything else seems to be different types of certificate errors.

What is your opinion?
Logfile.xls
0
 
npcincadminAuthor Commented:
I am glad I am not the only one confused on the joystick part.
WOW.

We have been thinking about going with System Center Configuration Manager 2007.
I may have to move that higher into my priority list.

I also may attempt to modify that package with WinInstall LE.
I am pretty novice at it, but failing at this task may still be worth the experience gained.

I again want to thank you for all of the time you put into helping with this.
Have a great weekend.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.