Edit MSI to allow Power Users to install
I was always undner the impression that publishing software to User GPO lets the users install with elevated privleges. This requires an MSI, and then the user can add it from the Add/Remove Programs control panel.... Is this not the case?
I find it doesn't work with vendor supplied MSIs most of the time. Sometimes I ask the vendor if they will fix it and usually don't even think they understand the question. All our users have Power User (not local admins) on their workstations. Sometimes I can use ORCA and make vendor MSIs work again. E.G. for Adobe Flash 10 MSI I was able to edit the MSI and remove the IsAdmin launch condition then it worked fine!
So now there is a new vendor whos setup.exe is packaged by an MSI, they call it a "workstation silent installer" but the MSI doesn't check for admin as far as I can tell, the check must be part of setup. Why they did this I don't understand? It really makes it pointless to have an MSI for deployment if it just calls an setup.exe requiring administrative rights to continue because I can't deploy it with GPO? Can someone help me see the light? Am I confusing myself by assuming MSIs are meant for this purpose? (deploying software to non-admins)
I find it doesn't work with vendor supplied MSIs most of the time. Sometimes I ask the vendor if they will fix it and usually don't even think they understand the question. All our users have Power User (not local admins) on their workstations. Sometimes I can use ORCA and make vendor MSIs work again. E.G. for Adobe Flash 10 MSI I was able to edit the MSI and remove the IsAdmin launch condition then it worked fine!
So now there is a new vendor whos setup.exe is packaged by an MSI, they call it a "workstation silent installer" but the MSI doesn't check for admin as far as I can tell, the check must be part of setup. Why they did this I don't understand? It really makes it pointless to have an MSI for deployment if it just calls an setup.exe requiring administrative rights to continue because I can't deploy it with GPO? Can someone help me see the light? Am I confusing myself by assuming MSIs are meant for this purpose? (deploying software to non-admins)
0 Comments
[ + ] Show comments
Answers (7)
Please log in to answer
Posted by:
Jsaylor
14 years ago
Have you considered deploying whatever software requires administrative rights to the machine, rather than to a user?
Posted by:
hemlockz
14 years ago
Haven't tried it yet, but if its the only way to get arounud admin rights I can try it in a test. I was concerned with increasing the login time for people. Just a fraction of users will ever need the software insatlled... Will have to just test that one it sounds like.
Posted by:
Jsaylor
14 years ago
Ideally (and what many corporations do) you'll be tracking who owns what asset. That way you only have to target the computers that should get the application. Also, you have your cause and effect a little backwards. Login time is much worse if you assign applications to users rather than to computers.
If you assign an application to a computer, it only has to install once for that machine's lifespan. If you install to user profiles, that application has to install every time a new user logs into each machine, giving you a bunch of extra overhead if you have users swapping machines frequently.
If you assign an application to a computer, it only has to install once for that machine's lifespan. If you install to user profiles, that application has to install every time a new user logs into each machine, giving you a bunch of extra overhead if you have users swapping machines frequently.
Posted by:
hemlockz
14 years ago
Thanks for the reply. I really messed up and should have understood this some more... because currently all my computers are grouped by physical locatiin in OUs under Computers, but about only 1 guy in each physical location will need this software installed. So if I set this Computer Software Installtion GPO on the Computers OU, all the computers get it before anyone logs in? I do have the group of users who need the software in their own OU... I am able to add them to the Security Filtering of the GPO... but this GPO is a computer setting... is this pointless becuase the software is installing before the user logs in anyway?
Posted by:
Jsaylor
14 years ago
Use the scope function to limit which computers the application will install to. A group policy must be both linked and have a scope defined in order to take effect on a given computer. So you make an AD security group, put the computers that you want it installed to in the group, and then add that group as the scope of the group policy. When you link the policy to your computer OU's, it will then only apply to the computers that are both in those OU's, AND a part of the AD security group you set up.
Posted by:
anonymous_9363
14 years ago
...and, of course, as we have discussed earlier this week, user-based deployment brings up licensing issues.
Oh and BTW, of all the sites I've worked at, NO vanilla user EVER get Power User status. In general, they are not to be trusted with that privilege.
Oh and BTW, of all the sites I've worked at, NO vanilla user EVER get Power User status. In general, they are not to be trusted with that privilege.
Posted by:
hemlockz
14 years ago
Yeah good point, and that is an entirely different topic of course... in this case it is a shared network license.. most are in fact.
I do notice power users get just as many spyware infections as local administrators (from another firm I work for where all users have local admin and have fewer spyware infections).. Plus power users have more helpdesk requests for software installs and everything else, so maybe Power Users is the worst of both worlds... not enough locked down to prevent infections, but crippled enough to always need help from IT to update their own software... The worst of it happens when the web guy puts some new flash tutorial on our intranet site without letting us know, and then everybody is calling IT to update their flash player beceause they can't even do that as a power user ever since Flash 9! anyway.. this is a time of change around here, the boss who was here and made all these policies has left, so we can start making changes finally.
I am still testing the computer software installation. Shouhld it be working if I do a GPupdate/force on the client machine and reboot it??
I do notice power users get just as many spyware infections as local administrators (from another firm I work for where all users have local admin and have fewer spyware infections).. Plus power users have more helpdesk requests for software installs and everything else, so maybe Power Users is the worst of both worlds... not enough locked down to prevent infections, but crippled enough to always need help from IT to update their own software... The worst of it happens when the web guy puts some new flash tutorial on our intranet site without letting us know, and then everybody is calling IT to update their flash player beceause they can't even do that as a power user ever since Flash 9! anyway.. this is a time of change around here, the boss who was here and made all these policies has left, so we can start making changes finally.
I am still testing the computer software installation. Shouhld it be working if I do a GPupdate/force on the client machine and reboot it??
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.