/build/static/layout/Breadcrumb_cap_w.png

Why Enable GPO WindowsInstaller elevated rights

Hello Jim, and others

I hope this is a good question

I install all programs by GPO mostly computer packages

Deployment:
Assigned
Deployment option:
Uninstall when it falls out of scope

In GPO I have not enabled the settings USER or COMPUTER for Elevated Privileges

And I don’t intend to do so.

Why? should I ?

“This setting extends elevated privileges to all programs and all users”

I don’t like this

I know you can set up settings that prevents users from running some predefined extensions.
My users are not members of local admins group, and they should not be able to install all sort of programs that I don’t know of.

And I see it as a great risk if they could.

I see a lot of recommending of using Elevated Privileges, which in my opinion should no stand alone.

I think there could be some misunderstanding.

Elevated rights are already there when you install or offer by GPO.

Am I totally wrong or what ?

Sweede [:D]

0 Comments   [ + ] Show comments

Answers (3)

Posted by: Bladerun 19 years ago
Green Belt
0
Maybe I'm misunderstanding, but are you referring to the AlwaysInstallElevated key?

Setting that allows your msi packaged to install with elevated rights, allowing users with restricted permissions to install the package you assign them.

Without setting this, normal or restricted users could never install the packages you assign them.
Posted by: curtis.sawin 19 years ago
Yellow Belt
0
Sweede,

You are correct. If an MSI is deployed with Group Policy, it installs elevated. Setting the "AlwaysInstallElevated" registry keys/policy settings has the same effect for MSIs installed outside of Group Policy.

Thus, setting these policies has no effect on installations performed from GP. This can be verified by looking in an MSI log file and searching for the "Privileged" property, which gets set for "elevated" installations.

Hope this helps!

Curtis
Posted by: Sweede 19 years ago
Second Degree Green Belt
0
Curtis,

Thank you!

so I got that one right and it was a god question after all.

Bladerun,

Yes i was referring to that key, and wrong by GPO it installs just fine.

Sweede;-)
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ