Why Enable GPO WindowsInstaller elevated rights
Hello Jim, and others
I hope this is a good question
I install all programs by GPO mostly computer packages
Deployment:
Assigned
Deployment option:
Uninstall when it falls out of scope
In GPO I have not enabled the settings USER or COMPUTER for Elevated Privileges
And I don’t intend to do so.
Why? should I ?
“This setting extends elevated privileges to all programs and all usersâ€Â
I don’t like this
I know you can set up settings that prevents users from running some predefined extensions.
My users are not members of local admins group, and they should not be able to install all sort of programs that I don’t know of.
And I see it as a great risk if they could.
I see a lot of recommending of using Elevated Privileges, which in my opinion should no stand alone.
I think there could be some misunderstanding.
Elevated rights are already there when you install or offer by GPO.
Am I totally wrong or what ?
Sweede [:D]
I hope this is a good question
I install all programs by GPO mostly computer packages
Deployment:
Assigned
Deployment option:
Uninstall when it falls out of scope
In GPO I have not enabled the settings USER or COMPUTER for Elevated Privileges
And I don’t intend to do so.
Why? should I ?
“This setting extends elevated privileges to all programs and all usersâ€Â
I don’t like this
I know you can set up settings that prevents users from running some predefined extensions.
My users are not members of local admins group, and they should not be able to install all sort of programs that I don’t know of.
And I see it as a great risk if they could.
I see a lot of recommending of using Elevated Privileges, which in my opinion should no stand alone.
I think there could be some misunderstanding.
Elevated rights are already there when you install or offer by GPO.
Am I totally wrong or what ?
Sweede [:D]
0 Comments
[ + ] Show comments
Answers (3)
Please log in to answer
Posted by:
Bladerun
19 years ago
Maybe I'm misunderstanding, but are you referring to the AlwaysInstallElevated key?
Setting that allows your msi packaged to install with elevated rights, allowing users with restricted permissions to install the package you assign them.
Without setting this, normal or restricted users could never install the packages you assign them.
Setting that allows your msi packaged to install with elevated rights, allowing users with restricted permissions to install the package you assign them.
Without setting this, normal or restricted users could never install the packages you assign them.
Posted by:
curtis.sawin
19 years ago
Sweede,
You are correct. If an MSI is deployed with Group Policy, it installs elevated. Setting the "AlwaysInstallElevated" registry keys/policy settings has the same effect for MSIs installed outside of Group Policy.
Thus, setting these policies has no effect on installations performed from GP. This can be verified by looking in an MSI log file and searching for the "Privileged" property, which gets set for "elevated" installations.
Hope this helps!
Curtis
You are correct. If an MSI is deployed with Group Policy, it installs elevated. Setting the "AlwaysInstallElevated" registry keys/policy settings has the same effect for MSIs installed outside of Group Policy.
Thus, setting these policies has no effect on installations performed from GP. This can be verified by looking in an MSI log file and searching for the "Privileged" property, which gets set for "elevated" installations.
Hope this helps!
Curtis
Posted by:
Sweede
19 years ago
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
so that the conversation will remain readable.