Solved

Can Windows Terminal Server run a GPO to install a program -- as a standard (non-admin) user?

Posted on 2011-03-15
11
1,121 Views
Last Modified: 2012-06-21
This occurs on Windows 2003 Servers, with the Terminal Services role activated, in a corporate environment.

The following error occurs:
This installation is forbidden by system policy.  Contact your system administrator.

The error occurs when a non-administrator runs an MSI package on any of our Windows 2003 Terminal Servers.

The error does NOT occur when an administrator runs the MSI package.

The error does NOT occur on workstations (XP, Vista, Win7-32, Win7-64) for any user.

More Detail:
The Group Policy containing a software installation package (MSI) successfully installs a program shortcut, but when the shortcut is clicked, the above error occurs.

The GPO has "Computer Configuration Settings" disabled - so it can only apply "User Configuration Settings".

The MSI places three files (.exe .ico .ini) in the user's "AppData" folder (within their roaming profile) plus a program shortcut pointing to the .exe - no other files, no registry entries.

The shortcut gets installed, the other 3 files do not get installed.

The error occurs when the shortcut is clicked.
0
Question by:ITMystery
11 Comments
 
LVL 32

Expert Comment

by:nappy_d
ID: 35141708
Non admin users should not be installing apps and admins should not be installing apps when the server is in execute mode on terminal servers.

Please put your terminal server into install mode prior to installation of additional apps.

Also, you could give your non admins elevated permissions to install apps, but I wouldn't do this.
0
 

Author Comment

by:ITMystery
ID: 35141816
The user was unable to do "Change User /Install" (it complains that only admins can do that).
So I did "Change User /Install" in an admin, then had the user logon. Same problem,
 - install MSI starts up
 - MSI verifies and/or installs the shortcut in the user's "Programs" profile folder
 - MSI does NOT install the 3 files it should in the user's "AppData" folder
 - then the error: "Installation Forbidden by System Policy" pops up
And, the MSI still runs fine as the administrator, or on any workstation the GPO is applied to
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 35142867
That's right only an admin can perform that action.  If the user is NOT part of the admin group, such administrative action cannot and should not be performed by a non admin user.
0
 

Author Comment

by:ITMystery
ID: 35143218
Is there a Local Security Policy setting that enforces this restriction on regular users?  Is there a GPO setting I can use to override it?  Note: since the MSI only places files in the AppData folder of the user's profile, no harm can come to the terminal server.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 35146490
The problem is that if you allow it for one, you allow it for all installers the user can run. Just be warned!!

1. Enter gpedit.msc at the command line.
2. Enable elevated privileges for the computer. Click on Computer Configuration –> Administrative Templates –> Windows Components –> Windows Installer and enable the following Group Policy settings:
 - Always install with elevated privileges (mandatory)
 - Enable user control over installs (mandatory)
 - Disable Windows Installer. Then set it to Never.
 - Enable user to patch elevated products (optional)
 - Enable user to use media source while elevated (optional)
 - Enable user to browse for source while elevated (optional for new installations, mandatory for fix pack upgrades)
3. Enable elevated privileges for the user account that will be performing the installation. Click on User Configuration –> Administrative Templates –> Windows Components –> Windows Installer and enter the following Group Policy setting:
 - Enable: Always install with elevated privileges (mandatory)
0
 

Author Comment

by:ITMystery
ID: 35152920
Thanks so much for getting me into the correct area.  I did each setting you explained, and now I get a different error message saying:
Only administrators have permission to add, remove, or configure server software during a Terminal services remote session.  If you want to install or configure software on the server, contact your network administrator.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 35153102
You can't do it thru a remote session the server needs to be in admin mode.

0
 

Author Comment

by:ITMystery
ID: 35157624
The only way our users use the Terminal Servers is through remote desktop connections (RDP).  Having a GPO linked to the Users OU in our Active Directory (so they could run the program whether they are on a workstation or a terminal server) would be so convenient - especially since the program only requires an .ico, .ini, .exe (all placed in the user's AppData folder so there are no UAC issues with C:\Program Files in Windows 7). This seems so simple, but it's now sounding impossible!
0
 
LVL 32

Accepted Solution

by:
nappy_d earned 500 total points
ID: 35158384
So if I understand you, you have a .ico, .ini and .exe and this is ALL the msi deploys?

Why not then create a batch script that runs at login. It would copy the files to their respective locations.
0
 

Author Comment

by:ITMystery
ID: 35159900
Fantastic idea - thanks for thinking outside the box!
I'll experiment with it and reply tomorrow with the results.
0
 

Author Comment

by:ITMystery
ID: 35169453
Your thinking outside the box has served me well.  Wrote a nice little VB Script that I can call from a login script.  It works perfectly on WinXP, WinVista, Win7-32, Win7-64, Windows 2003 Terminal Server, Windows 2008 Terminal Server - and that's all I need!  I really appreciate your getting me out of the corner I was banging my head in...
0
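The logon-script approach from the accepted solution and the asker's final comment, written here as an added PowerShell example (neither nappy_d's batch file nor the asker's VBScript): it copies the three files into the user's AppData folder and creates the Programs shortcut, entirely as the user, with no Windows Installer involvement. The share path, tool name and file names are placeholders.

```powershell
# Added example, not the asker's VBScript or nappy_d's batch file.
# Assumed (placeholder) values: the share path, the tool name and its three files.
$Source   = '\\fileserver\apps\MyTool'               # users need Read only; admins Modify
$Dest     = Join-Path $env:APPDATA 'MyTool'          # inside the roaming profile, user-writable
$Programs = [Environment]::GetFolderPath('Programs') # the user's Start Menu\Programs folder
$Refresh  = @('MyTool.exe', 'MyTool.ico')            # re-copied whenever the share copy changes
$SeedOnce = @('MyTool.ini')                          # copied once so the user's edits survive

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also works on PowerShell 2.0, which has no Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Clear() }
}

# The script copies whatever is on the share, so refuse a binary whose Authenticode
# signature is not valid (drop this block only if the tool is unsigned in-house code).
$exe = Join-Path $Source 'MyTool.exe'
if ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
    Write-Warning "Signature check failed for $exe; not deploying."
    exit 1
}

if (-not (Test-Path $Dest)) { New-Item -ItemType Directory -Path $Dest | Out-Null }

# Refresh the .exe and .ico only when the content on the share actually changed,
# so logon stays fast when nothing is new.
foreach ($name in $Refresh) {
    $src = Join-Path $Source $name; $dst = Join-Path $Dest $name
    if (-not (Test-Path $dst) -or (Get-Sha256Hex $src) -ne (Get-Sha256Hex $dst)) {
        Copy-Item -Path $src -Destination $dst -Force
    }
}
# Seed the .ini once; never overwrite a copy the user may have customised.
foreach ($name in $SeedOnce) {
    $dst = Join-Path $Dest $name
    if (-not (Test-Path $dst)) { Copy-Item -Path (Join-Path $Source $name) -Destination $dst }
}

# Shortcut in the user's own Programs folder, like the one the MSI managed to create.
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut((Join-Path $Programs 'MyTool.lnk'))
$lnk.TargetPath       = Join-Path $Dest 'MyTool.exe'
$lnk.WorkingDirectory = $Dest
$lnk.IconLocation     = Join-Path $Dest 'MyTool.ico'
$lnk.Save()
```

Assign it as a user logon script (User Configuration –> Windows Settings –> Scripts) so it runs in the user's own context on workstations and terminal servers alike. Because nothing here needs Windows Installer elevation, the "Always install with elevated privileges" settings from earlier in the thread can stay disabled; enabling them makes any MSI a user launches run with LocalSystem rights, which is exactly the exposure nappy_d warned about.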
