Software Deployment

Not sure what packaging tool your using, but with InstallShield Editor you can right click on any file in your MSI and select "permissions" and explicitly define permissions on it.

My experience is that whatever NTFS permissions you put on a given file end up being the entire ACL of the file - meaning that that file will lose any inherited permissions. I've also never been able to specify any users or groups from my AD in the permissions, just local groups. To specify the local group Administrators type in:
BUILTIN\Administrators
and for the local Users group type in:
BUILTIN\Users

Then grant whatever rights you want to grant to that file. I've noticed that InstallShield is hit or miss with any NTFS settings in between no rights and Full Control - so if you're not giving up the keys to the farm by doing so, I'd recommend full control for both the groups above.

I am using Installshield 11.5

I have set the permissions on the file, in the package to administratos and users full control already. The package will fail on install however when it sees the existing file and does not have the privs to modify it.

I was hoping to somehow have the sequence that sets permissions (is there such a sequence?) to happen before the file install. Not sure if this is even feasable however.

Here's what I do...

Leave the domain blank and fill in the username as "everyone", then assign full control. Works if you want to give rights to the file to every possible person.

Some places only want authenticated users to have control.. so fill in the domain and put in "domain users".

It's always worked for me.

If you don't want it to write over the existing permissions you could always set "Never Overwrite" to Yes.

Oh, that's a problem then.

If you've got AD and whatnot:

Maybe push a VBscript via a Computer assigned GPO to achieve elevated privs, the script would use CACLS or XCACLS or something to modify the offending file's ACL so that a standard user can overwrite it. Not sure of any other ways.

I don't recommend CACLS or XCACLS though, there's a non-MS freeware utility called FILEACL that works much better.

If file already exsit then follow the below way

try deleting the particular file entry from MsiFileHash Table, and use lock permission table for applying permission.

For example sample.txt is file already exist in the system then in your script go to MsiFileHash Table and delte the entry related to sample.txt or keep the entry and make the values
Hash part1, Hash part2,Hash part3,Hash part4 to 0,0,0,0

Please try and let me know.

Thanks for the replies.

Still having the problem, the msifilehash did not help unfortunately.

it turns out that I had the original problem incorrect. The file has the Everyone group added with deny access to the write attributes. this is what is causing the issue.

It seems that Installshiled cannot/ does not handle deny permissions.

So the question is, does anyone know how to incorporate into a package the ability to remove a deny permission?

I have tried the same it worked for me.. Is there is any other policy running on ur

desktop?

Thanks,

venki

Yesterday I tried to use the file permissions feature in Installshield 11.5 and it doesn't work at all. It did in the previous version. I think they've screwed something up.
I use SetACL for most of the time anyway, so I guess I'll go back to that. As a general rule, one shouldn't be using the MSI permissions table anyway.

eric_m,

I would seriously think about using a Custom Action to set the permissions on this file during the install. It will give you greater control over the uninstall as well.

Set the perms you need on install and place the custom action in the section before Install Files. You can use Xcacls or Secedit to do this. Also make sure you set the CA to run in System Context so that the permissions can be set properly.

On uninstall you can set it back to the way it was if you choose to.