Vista Forums - View Single Post

permalink · 07-06-2007

On Jul 5, 10:39 am, Superfreak3 <Matt.Wal...@synergis.com> wrote:
> On Jul 2, 11:47 am, Jimmy Brush <j...@mvps.org> wrote:
>
>
>
>
>
> > > More information requests for help....
>
> > > (From a different/previous post reply...) You say...
>
> > > "Signing will not negatively affect your MSI file use downlevel from
> > > Vista.
> > > However it won't suddenly allow you to by-pass UAC prompts. Your
> > > application will have to be elevated in order to silently run the
> > > installation without prompts -- either that or have a service perform
> > > the
> > > installation for you. "
>
> > > What do you mean by 'your application will have to be elevated in
> > > order to silently run the installation without prompts'? Do you mean
> > > there is a way to elevate the .msi so it can be run silently?
>
> > Elevated means that the program is running with adminpower- which
> > means it was either started by an administrator interactively, or it was
> > started by the system outside of anyuseraccount(invisible), for
> > example, from a service or a scheduled task.
>
> > The important point here is that non-admins cannot install random
> > machine-wide programs.
>
> > An actual administrator will have to in some fashion choose to install
> > your program, since it needs to do muck about with system files and
> > settings. Standard users just can't do it.
>
> > Now, there are many ways an admin can install your program. This doesn't
> > necessarily mean that an admin will have to physically go to each
> > computer to perform the installation.
>
> > They can use group policy if in a domain environment to push the program
> > down to people.
>
> >http://www.windowsnetworking.com/art...t-Practices-Gr......
>
> > Or, they can use alternative deployment methods to get the app there.
> > (It can be as simple as making a program or script that connects to all
> > the computers, creates a scheduled task that runs as system and launches
> > an msi file in silent mode located on a network share somewhere).
>
> > > Also, you follow that up with 'either that or have a service perform
> > > the installation for you'. How can this be accomplished, with a
> > > service? Is there any documentation out there to explain this?
>
> > Basically, you create a service program that starts msiexec against your
> > msi, with the correct flags to run in quiet mode (since a service runs
> > outside of anyuseraccount, no UI is visible to any users).
>
> > > The reason I ask these questions it because we currently have an
> > > install that is basically writing 'stuff' all over the place with
> > > regards to the registry. It also defaults to an installation location
> > > under Program Files, which most end users leave unchanged, but is now
> > > considered sacred in VISTA so if they are not an Admin (this occurs
> > > with UAC disabled in my testing as well) they receive a message
> > > indicating the install cannot continue.
>
> > Which is how it was in every previous version of Windows NT.
>
> > It worked for you before because you made your users administrators (akapowerusers).
>
> > > Our mechanism of updating our client piece is that our application
> > > looks to an .ini for various information. If the information
> > > indicates an update is available, our .msi is installed silently.
> > > This probably will not work any longer in VISTA so I will have to
> > > search for an alternative here as well.
>
> > You need to separate out your update logic into its own program that
> > will run privileged outside of any specificuseraccount, and so will be
> > invisible - it cannot show UI.
>
> > You could either rewrite your update program as a service, or you could
> > just use it as-is and register it as a scheduled task that runs under a
> > system account.
>
> > Your initial setup program would register the update service or
> > scheduled task programmatically.
>
> > Alternatively, you might look into turning your updates into MSP's
> > (windows installer patches). If you follow the correct procedures, MSP's
> > can be launched and installed inside of a standarduseraccount.
>
> >http://msdn2.microsoft.com/en-us/library/Aa372388.aspx
>
> > > I've inherited these various installs since starting my new job last
> > > December. They basically have to be reworked. Its difficult because
> > > there is some third party stuff in there that writes to HKLM, etc.,
> > > which is tough to deal with in locked down environments where
> > > installing users are not Admin's. The workaround in earlier OSs to
> > > VISTA was to indicate thatPowerUsers would be an acceptable means of
> > > installation. In Vista, this concept seems to no longer apply really.
>
> > You're right,powerusers aren't supported anymore because there really
> > is no such thing as apoweruserfrom a security perspective.Power
> > users = administrators.
>
> > > If anyone out there knows of where I can turn for possible consulting
> > > services with regard to installation and security, please let me
> > > know. It seems as though you really need someone close to or part of
> > > Microsoft to guide you through.
>
> > > THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!!
>
> > Hope this information helps.
>
> > --
> > -JB
> > Microsoft MVP - Windows Shell/User
> > Windows Vista Support FAQ -http://www.jimmah.com/vista/-Hide quoted text -
>
> > - Show quoted text -
>
> Earlier in our thread, you mentioned:
>
> "However, the Power Users group still exists in Vista, but like the
> document says, they are not ACL'ed access to system resources, so you
> have to run the special file first to grant them extra access."
>
> What 'special file' do you mean? I guess I need to know what exactly
> do I have to do to mimic the Power Users group of XP.
> I don't know if I mentioned this before, but I'm getting the no access
> to Program Files messages with UAC Disabled. If I install with my
> Power User with UAC enabled, I simply have to apply credentials
> currently.
>
> Any more info in setting up Power Users as in XP on VISTA would be
> GREATLY APPRECIATED!
>
> Thanks for the help/great information so far!!- Hide quoted text -
>
> - Show quoted text -

Also, if I write a service to launch our silent updates, what would I
have to set ALLUSERS to, I wonder?

07-06-2007	#9 (permalink)
Superfreak3 n/a posts	Re: VISTA and Power Users? On Jul 5, 10:39 am, Superfreak3 <Matt.Wal...@synergis.com> wrote: > On Jul 2, 11:47 am, Jimmy Brush <j...@mvps.org> wrote: > > > > > > > > More information requests for help.... > > > > (From a different/previous post reply...) You say... > > > > "Signing will not negatively affect your MSI file use downlevel from > > > Vista. > > > However it won't suddenly allow you to by-pass UAC prompts. Your > > > application will have to be elevated in order to silently run the > > > installation without prompts -- either that or have a service perform > > > the > > > installation for you. " > > > > What do you mean by 'your application will have to be elevated in > > > order to silently run the installation without prompts'? Do you mean > > > there is a way to elevate the .msi so it can be run silently? > > > Elevated means that the program is running with adminpower- which > > means it was either started by an administrator interactively, or it was > > started by the system outside of anyuseraccount(invisible), for > > example, from a service or a scheduled task. > > > The important point here is that non-admins cannot install random > > machine-wide programs. > > > An actual administrator will have to in some fashion choose to install > > your program, since it needs to do muck about with system files and > > settings. Standard users just can't do it. > > > Now, there are many ways an admin can install your program. This doesn't > > necessarily mean that an admin will have to physically go to each > > computer to perform the installation. > > > They can use group policy if in a domain environment to push the program > > down to people. > > >http://www.windowsnetworking.com/art...t-Practices-Gr...... > > > Or, they can use alternative deployment methods to get the app there. > > (It can be as simple as making a program or script that connects to all > > the computers, creates a scheduled task that runs as system and launches > > an msi file in silent mode located on a network share somewhere). > > > > Also, you follow that up with 'either that or have a service perform > > > the installation for you'. How can this be accomplished, with a > > > service? Is there any documentation out there to explain this? > > > Basically, you create a service program that starts msiexec against your > > msi, with the correct flags to run in quiet mode (since a service runs > > outside of anyuseraccount, no UI is visible to any users). > > > > The reason I ask these questions it because we currently have an > > > install that is basically writing 'stuff' all over the place with > > > regards to the registry. It also defaults to an installation location > > > under Program Files, which most end users leave unchanged, but is now > > > considered sacred in VISTA so if they are not an Admin (this occurs > > > with UAC disabled in my testing as well) they receive a message > > > indicating the install cannot continue. > > > Which is how it was in every previous version of Windows NT. > > > It worked for you before because you made your users administrators (akapowerusers). > > > > Our mechanism of updating our client piece is that our application > > > looks to an .ini for various information. If the information > > > indicates an update is available, our .msi is installed silently. > > > This probably will not work any longer in VISTA so I will have to > > > search for an alternative here as well. > > > You need to separate out your update logic into its own program that > > will run privileged outside of any specificuseraccount, and so will be > > invisible - it cannot show UI. > > > You could either rewrite your update program as a service, or you could > > just use it as-is and register it as a scheduled task that runs under a > > system account. > > > Your initial setup program would register the update service or > > scheduled task programmatically. > > > Alternatively, you might look into turning your updates into MSP's > > (windows installer patches). If you follow the correct procedures, MSP's > > can be launched and installed inside of a standarduseraccount. > > >http://msdn2.microsoft.com/en-us/library/Aa372388.aspx > > > > I've inherited these various installs since starting my new job last > > > December. They basically have to be reworked. Its difficult because > > > there is some third party stuff in there that writes to HKLM, etc., > > > which is tough to deal with in locked down environments where > > > installing users are not Admin's. The workaround in earlier OSs to > > > VISTA was to indicate thatPowerUsers would be an acceptable means of > > > installation. In Vista, this concept seems to no longer apply really. > > > You're right,powerusers aren't supported anymore because there really > > is no such thing as apoweruserfrom a security perspective.Power > > users = administrators. > > > > If anyone out there knows of where I can turn for possible consulting > > > services with regard to installation and security, please let me > > > know. It seems as though you really need someone close to or part of > > > Microsoft to guide you through. > > > > THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!! > > > Hope this information helps. > > > -- > > -JB > > Microsoft MVP - Windows Shell/User > > Windows Vista Support FAQ -http://www.jimmah.com/vista/-Hide quoted text - > > > - Show quoted text - > > Earlier in our thread, you mentioned: > > "However, the Power Users group still exists in Vista, but like the > document says, they are not ACL'ed access to system resources, so you > have to run the special file first to grant them extra access." > > What 'special file' do you mean? I guess I need to know what exactly > do I have to do to mimic the Power Users group of XP. > I don't know if I mentioned this before, but I'm getting the no access > to Program Files messages with UAC Disabled. If I install with my > Power User with UAC enabled, I simply have to apply credentials > currently. > > Any more info in setting up Power Users as in XP on VISTA would be > GREATLY APPRECIATED! > > Thanks for the help/great information so far!!- Hide quoted text - > > - Show quoted text - Also, if I write a service to launch our silent updates, what would I have to set ALLUSERS to, I wonder?
My System Specs