MSI Rights problem
Hello All,
I got a MSI file from OpenText, Livelink Explorer 4.5. I created a MST file with Admin Studio 10.5 and put one feature with 2 components to apply HKCU settings to new logged on users.
This all works great for admin users and get no error messages. But when I log in as a normal user, I get 2 error messages that I do not have rights and have to restart pc. When I am checking the registry by next logon as user the HKCU keys are (all?) there.
I just do not want those error messages. Can someone give me advice how to solve this problem?
We using WIndows NT2000 with Active Directoy to deploy MSI packages. So the packages are sent to the PC before te login screen if the software is in the PC group.
I hope that someone can help.
Many thanks.
Gert-Tom
I got a MSI file from OpenText, Livelink Explorer 4.5. I created a MST file with Admin Studio 10.5 and put one feature with 2 components to apply HKCU settings to new logged on users.
This all works great for admin users and get no error messages. But when I log in as a normal user, I get 2 error messages that I do not have rights and have to restart pc. When I am checking the registry by next logon as user the HKCU keys are (all?) there.
I just do not want those error messages. Can someone give me advice how to solve this problem?
We using WIndows NT2000 with Active Directoy to deploy MSI packages. So the packages are sent to the PC before te login screen if the software is in the PC group.
I hope that someone can help.
Many thanks.
Gert-Tom
0 Comments
[ + ] Show comments
Answers (19)
Please log in to answer
Posted by:
MSIMaker
19 years ago
Hang on Hang on.....Something isnt right here.
He is trying to write to HKCU. Users have that right by default. Tthere is no ACLS needed to write to your own profile.
gertitombo,
The first thing I have to ask is. Have you set your msi installations to run with Elevated Privileges? This should be done via Group Policy so that when a user clicks on a shortcut the installation takes place and uses the system account to do the install. BTW you have to set this policy is both the Computer OU and the User OU of Active Directory.
You do NOT need to do this to prompt a self repair. Put the HKCU keys in a parent feature called CURRENTUSER and place your COMPLETE feature as a child of that and the self repair will happen the minute the user clicks on the advertised shortcut on the start menu.
If your users can not write to their own HKCU keys...then something is terribly wrong with your build/OS.
He is trying to write to HKCU. Users have that right by default. Tthere is no ACLS needed to write to your own profile.
gertitombo,
The first thing I have to ask is. Have you set your msi installations to run with Elevated Privileges? This should be done via Group Policy so that when a user clicks on a shortcut the installation takes place and uses the system account to do the install. BTW you have to set this policy is both the Computer OU and the User OU of Active Directory.
ORIGINAL: Ilikebananas
I have put a shortcut to the STARTUP folder to heal the MSI process. This will put the HKCU settings (if not there) to the user profile HKCU registry.
You do NOT need to do this to prompt a self repair. Put the HKCU keys in a parent feature called CURRENTUSER and place your COMPLETE feature as a child of that and the self repair will happen the minute the user clicks on the advertised shortcut on the start menu.
If your users can not write to their own HKCU keys...then something is terribly wrong with your build/OS.
Posted by:
plangton
19 years ago
Hi Gerttom,
I use the setacl command (setacl.sourceforge.net) as a custom action, I usually run it in the deffered execution context with a command line like:
SetACL.exe -on "C:\my dir" -ot file -actn ace -ace "n:Users;p:full"
This will give the local users group full access over "c:\my dir"
Hope that helps.
Rgds
Paul
I use the setacl command (setacl.sourceforge.net) as a custom action, I usually run it in the deffered execution context with a command line like:
SetACL.exe -on "C:\my dir" -ot file -actn ace -ace "n:Users;p:full"
This will give the local users group full access over "c:\my dir"
Hope that helps.
Rgds
Paul
Posted by:
Thaiboxer
19 years ago
I might be able to help on this one, but I have a few questions first.
1. You never answered whether the errors occur at login or when you run the application. Which is it? What exactly are the errors? Can you post the error messages and codes please?
2. Admin rights - the only way an application will absolutely not run as a user or power user is if the developer hard-coded the program to look for admin rights. I really doubt that's the case here. Use regmon and filemon and watch the process you're running, then look down the right side for "Access denied" or similar messages. When you see the failure, you'll know what the application is trying to write that's being denied.
3. Word and Excel - I've spent a LOT of time working with apps that integrate with both. Are your macro settings low enough or is your app trusted by Word and Excel?
4. Permissions - xcacls is available from Microsoft.com. They have an EXE version and a newer VBS version. They're slow, but work really well.
I'd love to help, but need more information.
1. You never answered whether the errors occur at login or when you run the application. Which is it? What exactly are the errors? Can you post the error messages and codes please?
2. Admin rights - the only way an application will absolutely not run as a user or power user is if the developer hard-coded the program to look for admin rights. I really doubt that's the case here. Use regmon and filemon and watch the process you're running, then look down the right side for "Access denied" or similar messages. When you see the failure, you'll know what the application is trying to write that's being denied.
3. Word and Excel - I've spent a LOT of time working with apps that integrate with both. Are your macro settings low enough or is your app trusted by Word and Excel?
4. Permissions - xcacls is available from Microsoft.com. They have an EXE version and a newer VBS version. They're slow, but work really well.
I'd love to help, but need more information.
Posted by:
gertitombo
19 years ago
Sorry Bladerun, I forgot to mention,
The application will be pushed to all computers by AD. That will go fine. All on computer level. I have put a shortcut to the STARTUP folder to heal the MSI process. This will put the HKCU settings (if not there) to the user profile HKCU registry. The package is thus already installed before CTRL-ALT-DEL screen.
When a admin user logs onto PC and then a user. He/She still gets the probem. The admin doesn't get a error message at all.
Regards,
Gert-Tom
The application will be pushed to all computers by AD. That will go fine. All on computer level. I have put a shortcut to the STARTUP folder to heal the MSI process. This will put the HKCU settings (if not there) to the user profile HKCU registry. The package is thus already installed before CTRL-ALT-DEL screen.
When a admin user logs onto PC and then a user. He/She still gets the probem. The admin doesn't get a error message at all.
Regards,
Gert-Tom
Posted by:
Bladerun
19 years ago
I was of the impression that user-initiated repairs run with user right. I could be wrong.
Have you used this process before?
Have you used this process before?
Posted by:
gertitombo
19 years ago
No this is the first time. I really need this feature, otherwise the software won't run correctly for the user.
Posted by:
plangton
19 years ago
Hi Gertitombo,
Either use a combination of Regmon and filemon (from www.Sysinternals.com) to monitor the registry and file access of the process to tell you what it requires rights to, or use auditing to do the same thing. I prefer the regmon/filemon method myself, from this you can see the process having access denied error messages.
Hope that helps
Rgds
Paul
Either use a combination of Regmon and filemon (from www.Sysinternals.com) to monitor the registry and file access of the process to tell you what it requires rights to, or use auditing to do the same thing. I prefer the regmon/filemon method myself, from this you can see the process having access denied error messages.
Hope that helps
Rgds
Paul
Posted by:
venki_msi
19 years ago
hi Gertitombo,
i do have repaclaged the same application but the version is 4.4 on clicking the shortcut
proffesional activator in power user or in user mode it will throw an error it requires
admin privilage i also tried running tools like filemon,regmon and also i manually given
permission to whole keys and also c drive full permission it really didnt help me
according to my view the shortcut will work only if user has an admin previlage.
I also came to know that functionality of the shortcut it is searching for registry keys
under hklm\software\adobe\adobe acrobat\5.0\insatll and also execl path these is one of
the sample key it is seareching and once these key is present it confirms adobe is
installed on the machine, so that live link will support to use these application on it.
i do have repaclaged the same application but the version is 4.4 on clicking the shortcut
proffesional activator in power user or in user mode it will throw an error it requires
admin privilage i also tried running tools like filemon,regmon and also i manually given
permission to whole keys and also c drive full permission it really didnt help me
according to my view the shortcut will work only if user has an admin previlage.
I also came to know that functionality of the shortcut it is searching for registry keys
under hklm\software\adobe\adobe acrobat\5.0\insatll and also execl path these is one of
the sample key it is seareching and once these key is present it confirms adobe is
installed on the machine, so that live link will support to use these application on it.
Posted by:
gerttom
19 years ago
Hello venki_msi
Thanks a bunch. How did you give the users rights under HKCU\Software\OpenText ?
Can you send me a mail how you did it, please?
Thanks a lot.
Gert-Tom
Thanks a bunch. How did you give the users rights under HKCU\Software\OpenText ?
Can you send me a mail how you did it, please?
Thanks a lot.
Gert-Tom
Posted by:
venki_msi
19 years ago
giving permission to HKCU\Software\OpenText will not solve the problem
the shortcut will work only if the user has admin privilage.
the shortcut will work only if the user has admin privilage.
Posted by:
gerttom
19 years ago
Hello Venki_MSI,
Is there another way to implement the HKCU settings by MSI? I do not want to do it by AD policies.
Thanks in advance.
Is there another way to implement the HKCU settings by MSI? I do not want to do it by AD policies.
Thanks in advance.
Posted by:
gertitombo
19 years ago
Is there someone that can help me with above problems?
regards,
Gert-Tom
regards,
Gert-Tom
Posted by:
gertitombo
19 years ago
Hello MSIMaker,
Thank you very much for your help. The Livelink MSI file gets installed by AD on computer policy level (not user policy level, why in here too?). It will install fine. Also the HKCU settings will be written fine (I think) but get an install error and a restart message.
I need the repair function as the Livelink function must work in Microsoft Word and Excel without clickin the Livelink Shortcut, that's why it is in the start up folder.
I have done the healing process in a separate Feature.
Can you give me more possible options?
Many thanks,
Gert-Tom
Thank you very much for your help. The Livelink MSI file gets installed by AD on computer policy level (not user policy level, why in here too?). It will install fine. Also the HKCU settings will be written fine (I think) but get an install error and a restart message.
I need the repair function as the Livelink function must work in Microsoft Word and Excel without clickin the Livelink Shortcut, that's why it is in the start up folder.
I have done the healing process in a separate Feature.
Can you give me more possible options?
Many thanks,
Gert-Tom
Posted by:
plangton
19 years ago
Hi Gertitombo,
Do a verbose log file of the installation and post it here so that the error messages can be diagnosed. Log files (and the event viewer) should be the first port of call with problems like this (in my humble opinion at least).
Rgds
Paul
Do a verbose log file of the installation and post it here so that the error messages can be diagnosed. Log files (and the event viewer) should be the first port of call with problems like this (in my humble opinion at least).
Rgds
Paul
Posted by:
gertitombo
19 years ago
Thanks all,
for the tips, I think I found the problem. The Livelink package gets distributed by GPO. If the first user is a normal user. I had 2 error messages because Livelink package wanted to write the code to HKLM\Software\Opentext key to write that the package has been registerd. I added this key to my package and all was fine.
Thanks to the file REGMON.
Best regards,
Gert-Tom[:)]
for the tips, I think I found the problem. The Livelink package gets distributed by GPO. If the first user is a normal user. I had 2 error messages because Livelink package wanted to write the code to HKLM\Software\Opentext key to write that the package has been registerd. I added this key to my package and all was fine.
Thanks to the file REGMON.
Best regards,
Gert-Tom[:)]
Posted by:
Swipe
19 years ago
ORIGINAL: gertitombo
Thanks all,
for the tips, I think I found the problem. The Livelink package gets distributed by GPO. If the first user is a normal user. I had 2 error messages because Livelink package wanted to write the code to HKLM\Software\Opentext key to write that the package has been registerd. I added this key to my package and all was fine.
Thanks to the file REGMON.
Best regards,
Gert-Tom[:)]
I am having exactly the same problem with this app. WHat key was it trying to write to HKLM\Software\Opentext to say it's registered. I can't see anything extra being written.
Posted by:
gertitombo
19 years ago
I took the LLAddin.dll out as I added the llexplorer.dot manual to the startup directory under office.
You might install the MSI on a clean pc and make your own capture. I didn't do it with Livelink but did it with SPSS.
WIth your own MSI, you turn off the automatic install (like some dll's) when someone logs on. Livelink does it and so SPSS.
Good luck,
Gert-Tom
You might install the MSI on a clean pc and make your own capture. I didn't do it with Livelink but did it with SPSS.
WIth your own MSI, you turn off the automatic install (like some dll's) when someone logs on. Livelink does it and so SPSS.
Good luck,
Gert-Tom
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.