VISTA and Power Users?

I'm working on getting our application installation ready for VISTA
and hope I'm almost there. I just want to verify the following...

from technet2.microsoft.com....

Understanding and Configuring User Account Control in Windows Vista
Migrating from the Power Users
"UAC does not leverage the Power Users group, and the
permissions granted to he Power Users group on Windows XP have been
removed from Windows Vista."

Does this mean that the concept of Power Users no longer exists in
Vista at all or only that the PU concept is no longer available if UAC
enabled?

Later in this section I see "To use the Power Users group on Windows
Vista, a new security template must be applied to change the default
permissions on system folders and the registry to grant PU gropu
permissions equivalent to Windows XP."

The reason I pose the question is that in testing the install, it runs
through with UAC enabled. If I disable it and try to install with a
user I've added to the Power Users group (no new security template
applied), I get a 1303 error indicating I don't have permissions to
the Program Files\My App location. If I install with UAC disabled as
an Admin, I'm OK.

I thought I also read somewhere, maybe in the same document, that
Program Files is now similar to System folders with regard to security
now in Vista. ??

A brief answer(s) is all I'm looking for here, nothing too detailed (I
know that may be impossible with Vista.). I think I've read all the
Microsoft 'stuff' I can at this point. My head is spinning.

Any help is greatly appreciated!

Thanks in advance!!

Superfreak3 wrote:
> I'm working on getting our application installation ready for VISTA
> and hope I'm almost there. I just want to verify the following...
>
> from technet2.microsoft.com....
>
> Understanding and Configuring User Account Control in Windows Vista
> Migrating from the Power Users
> "UAC does not leverage the Power Users group, and the
> permissions granted to he Power Users group on Windows XP have been
> removed from Windows Vista."
>
> Does this mean that the concept of Power Users no longer exists in
> Vista at all or only that the PU concept is no longer available if UAC
> enabled?
>
> Later in this section I see "To use the Power Users group on Windows
> Vista, a new security template must be applied to change the default
> permissions on system folders and the registry to grant PU gropu
> permissions equivalent to Windows XP."
>
> The reason I pose the question is that in testing the install, it runs
> through with UAC enabled. If I disable it and try to install with a
> user I've added to the Power Users group (no new security template
> applied), I get a 1303 error indicating I don't have permissions to
> the Program Files\My App location. If I install with UAC disabled as
> an Admin, I'm OK.
>
> I thought I also read somewhere, maybe in the same document, that
> Program Files is now similar to System folders with regard to security
> now in Vista. ??
>
> A brief answer(s) is all I'm looking for here, nothing too detailed (I
> know that may be impossible with Vista.). I think I've read all the
> Microsoft 'stuff' I can at this point. My head is spinning.
>
> Any help is greatly appreciated!
>
> Thanks in advance!!
>

The "concept" of power users is gone.

However, the Power Users group still exists in Vista, but like the
document says, they are not ACL'ed access to system resources, so you
have to run the special file first to grant them extra access.

Program Files has always been "restricted" for standard users in the
manner you speak of. It is important that this be so, because if any
user and any program could just overwrite system-wide .exe's, they could
easily hijack other applications, hijack other users, and elevate their
account/program to administrator status.

Also, in order for your program to use the extra "Power Users" power,
your application must explicitly tell Windows that it wants the extra
power by including a Vista-style manifest with your application that
specifies a requestedExecutionLevel of "highestAvailable".

This will cause your program to prompt for admin power if the user is an
administrator, silently receive the extra power if the user is a power
user, and run with no extra power if the user is a standard user.

The power users "experience" is pretty broken in Vista. For example,
explorer does not ask to use the "power user" power, so power users
cannot use their extra privileges when using windows explorer.

Confused yet?

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

On Jun 15, 7:46 pm, Jimmy Brush <j...@mvps.org> wrote:
> Superfreak3wrote:
> > I'm working on getting our application installation ready for VISTA
> > and hope I'm almost there. I just want to verify the following...
>
> > from technet2.microsoft.com....
>
> > Understanding and Configuring User Account Control in Windows Vista
> > Migrating from the Power Users
> > "UAC does not leverage the Power Users group, and the
> > permissions granted to he Power Users group on Windows XP have been
> > removed from Windows Vista."
>
> > Does this mean that the concept of Power Users no longer exists in
> > Vista at all or only that the PU concept is no longer available if UAC
> > enabled?
>
> > Later in this section I see "To use the Power Users group on Windows
> > Vista, a new security template must be applied to change the default
> > permissions on system folders and the registry to grant PU gropu
> > permissions equivalent to Windows XP."
>
> > The reason I pose the question is that in testing the install, it runs
> > through with UAC enabled. If I disable it and try to install with a
> > user I've added to the Power Users group (no new security template
> > applied), I get a 1303 error indicating I don't have permissions to
> > the Program Files\My App location. If I install with UAC disabled as
> > an Admin, I'm OK.
>
> > I thought I also read somewhere, maybe in the same document, that
> > Program Files is now similar to System folders with regard to security
> > now in Vista. ??
>
> > A brief answer(s) is all I'm looking for here, nothing too detailed (I
> > know that may be impossible with Vista.). I think I've read all the
> > Microsoft 'stuff' I can at this point. My head is spinning.
>
> > Any help is greatly appreciated!
>
> > Thanks in advance!!
>
> The "concept" of power users is gone.
>
> However, the Power Users group still exists in Vista, but like the
> document says, they are not ACL'ed access to system resources, so you
> have to run the special file first to grant them extra access.
>
> Program Files has always been "restricted" for standard users in the
> manner you speak of. It is important that this be so, because if any
> user and any program could just overwrite system-wide .exe's, they could
> easily hijack other applications, hijack other users, and elevate their
> account/program to administrator status.
>
> Also, in order for your program to use the extra "Power Users" power,
> your application must explicitly tell Windows that it wants the extra
> power by including a Vista-style manifest with your application that
> specifies a requestedExecutionLevel of "highestAvailable".
>
> This will cause your program to prompt for admin power if the user is an
> administrator, silently receive the extra power if the user is a power
> user, and run with no extra power if the user is a standard user.
>
> The power users "experience" is pretty broken in Vista. For example,
> explorer does not ask to use the "power user" power, so power users
> cannot use their extra privileges when using windows explorer.
>
> Confused yet?
>
> --
> -JB
> Microsoft MVP - Windows Shell/User
> Windows Vista Support FAQ -http://www.jimmah.com/vista/- Hide quoted text -
>
> - Show quoted text -

Oh, big time confused! I guess we'll just have to waddle our way
through.

My immediate concern if for installation of our software at the moment
as that is basically what I do.

Our previous installation was allowed or designed, I should say for
Admins and Power Users, so I was just wondering what the impact would
be to our installations where end users may have utilized Power Users
to install.

Painting with a broad stroke, it looks as though installation Custom
Actions and ensuring their execution is one of the big 'battles' with
readying pre-Vista install packages for Vista.

I guess the other concept would be to develop a purely Standard User
or user install. ??

Any more information with regard to impact on our installs caused by
Vista would be, as always, GREATLY appreciated!

Thanks for the info so far!!!

>
> Oh, big time confused! I guess we'll just have to waddle our way
> through.
>
> My immediate concern if for installation of our software at the moment
> as that is basically what I do.
>
> Our previous installation was allowed or designed, I should say for
> Admins and Power Users, so I was just wondering what the impact would
> be to our installations where end users may have utilized Power Users
> to install.
>
> Painting with a broad stroke, it looks as though installation Custom
> Actions and ensuring their execution is one of the big 'battles' with
> readying pre-Vista install packages for Vista.
>
> I guess the other concept would be to develop a purely Standard User
> or user install. ??
>
> Any more information with regard to impact on our installs caused by
> Vista would be, as always, GREATLY appreciated!
>
> Thanks for the info so far!!!
>

Hello,

I am not very familiar with Windows Installer on a technical level, so
this may be a better question for the more programmer-oriented msdn forums.

However, I think I can kind of explain at a high-level what you will be
working towards..

- you will need to keep your installation program from requiring the
user to be an administrator when the setup first starts (which will lock
out power users). This can be tricky, since windows by default assumes
setup programs require an admin to run them, but if you are using
Windows Installer you should be able to get around this easily.

- Thing is, if the user really IS an administrator, and your setup
program does NOT ask for admin power, then you will end up locking out
administrators!

- And if you get your setup program to NOT prompt for admin power, I'm
not sure if it will run as highestAvailable (where it would be able to
use the extra power user privileges and it would work), or whether it
would just ignore the extra privileges and still locking out power users!

What you really need is for your installer to run under the setting I
mentioned in my previous post ("highestAvailable"), where if it's an
administrator then prompt for admin power, if not, just run with the
highest privilege we can get.

But I really don't know how you would accomplish that using Windows
Installer.

The solution might be to have some sort of bootstrapper program that
determines the type of user and then launches the appropriate setup
program based on that.


--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

On Jun 19, 8:50 am, Jimmy Brush <j...@mvps.org> wrote:
> > Oh, big time confused! I guess we'll just have to waddle our way
> > through.
>
> > My immediate concern if for installation of our software at the moment
> > as that is basically what I do.
>
> > Our previous installation was allowed or designed, I should say for
> > Admins and Power Users, so I was just wondering what the impact would
> > be to our installations where end users may have utilized Power Users
> > to install.
>
> > Painting with a broad stroke, it looks as though installation Custom
> > Actions and ensuring their execution is one of the big 'battles' with
> > readying pre-Vista install packages for Vista.
>
> > I guess the other concept would be to develop a purely Standard User
> > or user install. ??
>
> > Any more information with regard to impact on our installs caused by
> > Vista would be, as always, GREATLY appreciated!
>
> > Thanks for the info so far!!!
>
> Hello,
>
> I am not very familiar with Windows Installer on a technical level, so
> this may be a better question for the more programmer-oriented msdn forums.
>
> However, I think I can kind of explain at a high-level what you will be
> working towards..
>
> - you will need to keep your installation program from requiring the
> user to be an administrator when the setup first starts (which will lock
> out power users). This can be tricky, since windows by default assumes
> setup programs require an admin to run them, but if you are using
> Windows Installer you should be able to get around this easily.
>
> - Thing is, if the user really IS an administrator, and your setup
> program does NOT ask for admin power, then you will end up locking out
> administrators!
>
> - And if you get your setup program to NOT prompt for admin power, I'm
> not sure if it will run as highestAvailable (where it would be able to
> use the extra power user privileges and it would work), or whether it
> would just ignore the extra privileges and still locking out power users!
>
> What you really need is for your installer to run under the setting I
> mentioned in my previous post ("highestAvailable"), where if it's an
> administrator then prompt for admin power, if not, just run with the
> highest privilege we can get.
>
> But I really don't know how you would accomplish that using Windows
> Installer.
>
> The solution might be to have some sort of bootstrapper program that
> determines the type of user and then launches the appropriate setup
> program based on that.
>
> --
> -JB
> Microsoft MVP - Windows Shell/User
> Windows Vista Support FAQ -http://www.jimmah.com/vista/- Hide quoted text -
>
> - Show quoted text -

--"To use the Power Users group on Windows
Vista, a new security template must be applied to change the default
permissions on system folders and the registry to grant PU group
permissions equivalent to Windows XP."

Would anyone know how to go about applying this 'new security
template' so that the Power Users group will mimic security behavior
as in XP?

Any pointers on doing this would be greatly appreciated and would
prove beneficial in my testing. Currently, my application
installation will run with UAC enabled after credentials are provided,
but when I attempt to install as a Power User (VISTA out of the box
with no changes to policies/security) with UAC disabled, the
installation fails because I do not have permission to access the
Program Files folder (at least that's what I recall the message
indicating).

APPRECIATED!!

On Jun 22, 5:11 pm, Superfreak3 <Matt.Wal...@synergis.com> wrote:
> On Jun 19, 8:50 am, Jimmy Brush <j...@mvps.org> wrote:
>
>
>
>
>
> > > Oh, big time confused! I guess we'll just have to waddle our way
> > > through.
>
> > > My immediate concern if for installation of our software at the moment
> > > as that is basically what I do.
>
> > > Our previous installation was allowed or designed, I should say for
> > > Admins and Power Users, so I was just wondering what the impact would
> > > be to our installations where end users may have utilized Power Users
> > > to install.
>
> > > Painting with a broad stroke, it looks as though installation Custom
> > > Actions and ensuring their execution is one of the big 'battles' with
> > > readying pre-Vista install packages for Vista.
>
> > > I guess the other concept would be to develop a purely Standard User
> > > or user install. ??
>
> > > Any more information with regard to impact on our installs caused by
> > > Vista would be, as always, GREATLY appreciated!
>
> > > Thanks for the info so far!!!
>
> > Hello,
>
> > I am not very familiar with Windows Installer on a technical level, so
> > this may be a better question for the more programmer-oriented msdn forums.
>
> > However, I think I can kind of explain at a high-level what you will be
> > working towards..
>
> > - you will need to keep your installation program from requiring the
> > user to be an administrator when the setup first starts (which will lock
> > out power users). This can be tricky, since windows by default assumes
> > setup programs require an admin to run them, but if you are using
> > Windows Installer you should be able to get around this easily.
>
> > - Thing is, if the user really IS an administrator, and your setup
> > program does NOT ask for admin power, then you will end up locking out
> > administrators!
>
> > - And if you get your setup program to NOT prompt for admin power, I'm
> > not sure if it will run as highestAvailable (where it would be able to
> > use the extra power user privileges and it would work), or whether it
> > would just ignore the extra privileges and still locking out power users!
>
> > What you really need is for your installer to run under the setting I
> > mentioned in my previous post ("highestAvailable"), where if it's an
> > administrator then prompt for admin power, if not, just run with the
> > highest privilege we can get.
>
> > But I really don't know how you would accomplish that using Windows
> > Installer.
>
> > The solution might be to have some sort of bootstrapper program that
> > determines the type of user and then launches the appropriate setup
> > program based on that.
>
> > --
> > -JB
> > Microsoft MVP - Windows Shell/User
> > Windows Vista Support FAQ -http://www.jimmah.com/vista/-Hide quoted text -
>
> > - Show quoted text -
>
> --"To use the Power Users group on Windows
> Vista, a new security template must be applied to change the default
> permissions on system folders and the registry to grant PU group
> permissions equivalent to Windows XP."
>
> Would anyone know how to go about applying this 'new security
> template' so that the Power Users group will mimic security behavior
> as in XP?
>
> Any pointers on doing this would be greatly appreciated and would
> prove beneficial in my testing. Currently, my application
> installation will run with UAC enabled after credentials are provided,
> but when I attempt to install as a Power User (VISTA out of the box
> with no changes to policies/security) with UAC disabled, the
> installation fails because I do not have permission to access the
> Program Files folder (at least that's what I recall the message
> indicating).
>
> APPRECIATED!!- Hide quoted text -
>
> - Show quoted text -

More information requests for help....

(From a different/previous post reply...) You say...

"Signing will not negatively affect your MSI file use downlevel from
Vista.
However it won't suddenly allow you to by-pass UAC prompts. Your
application will have to be elevated in order to silently run the
installation without prompts -- either that or have a service perform
the
installation for you. "

What do you mean by 'your application will have to be elevated in
order to silently run the installation without prompts'? Do you mean
there is a way to elevate the .msi so it can be run silently?

Also, you follow that up with 'either that or have a service perform
the installation for you'. How can this be accomplished, with a
service? Is there any documentation out there to explain this?

The reason I ask these questions it because we currently have an
install that is basically writing 'stuff' all over the place with
regards to the registry. It also defaults to an installation location
under Program Files, which most end users leave unchanged, but is now
considered sacred in VISTA so if they are not an Admin (this occurs
with UAC disabled in my testing as well) they receive a message
indicating the install cannot continue.

Our mechanism of updating our client piece is that our application
looks to an .ini for various information. If the information
indicates an update is available, our .msi is installed silently.
This probably will not work any longer in VISTA so I will have to
search for an alternative here as well.

I've inherited these various installs since starting my new job last
December. They basically have to be reworked. Its difficult because
there is some third party stuff in there that writes to HKLM, etc.,
which is tough to deal with in locked down environments where
installing users are not Admin's. The workaround in earlier OSs to
VISTA was to indicate that Power Users would be an acceptable means of
installation. In Vista, this concept seems to no longer apply really.

If anyone out there knows of where I can turn for possible consulting
services with regard to installation and security, please let me
know. It seems as though you really need someone close to or part of
Microsoft to guide you through.

THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!!

>
> More information requests for help....
>
> (From a different/previous post reply...) You say...
>
> "Signing will not negatively affect your MSI file use downlevel from
> Vista.
> However it won't suddenly allow you to by-pass UAC prompts. Your
> application will have to be elevated in order to silently run the
> installation without prompts -- either that or have a service perform
> the
> installation for you. "
>
> What do you mean by 'your application will have to be elevated in
> order to silently run the installation without prompts'? Do you mean
> there is a way to elevate the .msi so it can be run silently?

Elevated means that the program is running with admin power - which
means it was either started by an administrator interactively, or it was
started by the system outside of any user account(invisible), for
example, from a service or a scheduled task.

The important point here is that non-admins cannot install random
machine-wide programs.

An actual administrator will have to in some fashion choose to install
your program, since it needs to do muck about with system files and
settings. Standard users just can't do it.

Now, there are many ways an admin can install your program. This doesn't
necessarily mean that an admin will have to physically go to each
computer to perform the installation.

They can use group policy if in a domain environment to push the program
down to people.

http://www.windowsnetworking.com/art...eployment.html
http://technet2.microsoft.com/window....mspx?mfr=true

Or, they can use alternative deployment methods to get the app there.
(It can be as simple as making a program or script that connects to all
the computers, creates a scheduled task that runs as system and launches
an msi file in silent mode located on a network share somewhere).

> Also, you follow that up with 'either that or have a service perform
> the installation for you'. How can this be accomplished, with a
> service? Is there any documentation out there to explain this?

Basically, you create a service program that starts msiexec against your
msi, with the correct flags to run in quiet mode (since a service runs
outside of any user account, no UI is visible to any users).

> The reason I ask these questions it because we currently have an
> install that is basically writing 'stuff' all over the place with
> regards to the registry. It also defaults to an installation location
> under Program Files, which most end users leave unchanged, but is now
> considered sacred in VISTA so if they are not an Admin (this occurs
> with UAC disabled in my testing as well) they receive a message
> indicating the install cannot continue.

Which is how it was in every previous version of Windows NT.

It worked for you before because you made your users administrators (aka
power users).

>
> Our mechanism of updating our client piece is that our application
> looks to an .ini for various information. If the information
> indicates an update is available, our .msi is installed silently.
> This probably will not work any longer in VISTA so I will have to
> search for an alternative here as well.

You need to separate out your update logic into its own program that
will run privileged outside of any specific user account, and so will be
invisible - it cannot show UI.

You could either rewrite your update program as a service, or you could
just use it as-is and register it as a scheduled task that runs under a
system account.

Your initial setup program would register the update service or
scheduled task programmatically.

Alternatively, you might look into turning your updates into MSP's
(windows installer patches). If you follow the correct procedures, MSP's
can be launched and installed inside of a standard user account.

http://msdn2.microsoft.com/en-us/library/Aa372388.aspx

> I've inherited these various installs since starting my new job last
> December. They basically have to be reworked. Its difficult because
> there is some third party stuff in there that writes to HKLM, etc.,
> which is tough to deal with in locked down environments where
> installing users are not Admin's. The workaround in earlier OSs to
> VISTA was to indicate that Power Users would be an acceptable means of
> installation. In Vista, this concept seems to no longer apply really.

You're right, power users aren't supported anymore because there really
is no such thing as a power user from a security perspective. Power
users = administrators.

> If anyone out there knows of where I can turn for possible consulting
> services with regard to installation and security, please let me
> know. It seems as though you really need someone close to or part of
> Microsoft to guide you through.
>
> THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!!
>

Hope this information helps.

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

On Jul 2, 11:47 am, Jimmy Brush <j...@mvps.org> wrote:
> > More information requests for help....
>
> > (From a different/previous post reply...) You say...
>
> > "Signing will not negatively affect your MSI file use downlevel from
> > Vista.
> > However it won't suddenly allow you to by-pass UAC prompts. Your
> > application will have to be elevated in order to silently run the
> > installation without prompts -- either that or have a service perform
> > the
> > installation for you. "
>
> > What do you mean by 'your application will have to be elevated in
> > order to silently run the installation without prompts'? Do you mean
> > there is a way to elevate the .msi so it can be run silently?
>
> Elevated means that the program is running with adminpower- which
> means it was either started by an administrator interactively, or it was
> started by the system outside of anyuseraccount(invisible), for
> example, from a service or a scheduled task.
>
> The important point here is that non-admins cannot install random
> machine-wide programs.
>
> An actual administrator will have to in some fashion choose to install
> your program, since it needs to do muck about with system files and
> settings. Standard users just can't do it.
>
> Now, there are many ways an admin can install your program. This doesn't
> necessarily mean that an admin will have to physically go to each
> computer to perform the installation.
>
> They can use group policy if in a domain environment to push the program
> down to people.
>
> http://www.windowsnetworking.com/art...45a873dd-660d-...
>
> Or, they can use alternative deployment methods to get the app there.
> (It can be as simple as making a program or script that connects to all
> the computers, creates a scheduled task that runs as system and launches
> an msi file in silent mode located on a network share somewhere).
>
> > Also, you follow that up with 'either that or have a service perform
> > the installation for you'. How can this be accomplished, with a
> > service? Is there any documentation out there to explain this?
>
> Basically, you create a service program that starts msiexec against your
> msi, with the correct flags to run in quiet mode (since a service runs
> outside of anyuseraccount, no UI is visible to any users).
>
> > The reason I ask these questions it because we currently have an
> > install that is basically writing 'stuff' all over the place with
> > regards to the registry. It also defaults to an installation location
> > under Program Files, which most end users leave unchanged, but is now
> > considered sacred in VISTA so if they are not an Admin (this occurs
> > with UAC disabled in my testing as well) they receive a message
> > indicating the install cannot continue.
>
> Which is how it was in every previous version of Windows NT.
>
> It worked for you before because you made your users administrators (akapowerusers).
>
>
>
> > Our mechanism of updating our client piece is that our application
> > looks to an .ini for various information. If the information
> > indicates an update is available, our .msi is installed silently.
> > This probably will not work any longer in VISTA so I will have to
> > search for an alternative here as well.
>
> You need to separate out your update logic into its own program that
> will run privileged outside of any specificuseraccount, and so will be
> invisible - it cannot show UI.
>
> You could either rewrite your update program as a service, or you could
> just use it as-is and register it as a scheduled task that runs under a
> system account.
>
> Your initial setup program would register the update service or
> scheduled task programmatically.
>
> Alternatively, you might look into turning your updates into MSP's
> (windows installer patches). If you follow the correct procedures, MSP's
> can be launched and installed inside of a standarduseraccount.
>
> http://msdn2.microsoft.com/en-us/library/Aa372388.aspx
>
> > I've inherited these various installs since starting my new job last
> > December. They basically have to be reworked. Its difficult because
> > there is some third party stuff in there that writes to HKLM, etc.,
> > which is tough to deal with in locked down environments where
> > installing users are not Admin's. The workaround in earlier OSs to
> > VISTA was to indicate thatPowerUsers would be an acceptable means of
> > installation. In Vista, this concept seems to no longer apply really.
>
> You're right,powerusers aren't supported anymore because there really
> is no such thing as apoweruserfrom a security perspective.Power
> users = administrators.
>
> > If anyone out there knows of where I can turn for possible consulting
> > services with regard to installation and security, please let me
> > know. It seems as though you really need someone close to or part of
> > Microsoft to guide you through.
>
> > THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!!
>
> Hope this information helps.
>
> --
> -JB
> Microsoft MVP - Windows Shell/User
> Windows Vista Support FAQ -http://www.jimmah.com/vista/- Hide quoted text -
>
> - Show quoted text -

Earlier in our thread, you mentioned:

"However, the Power Users group still exists in Vista, but like the
document says, they are not ACL'ed access to system resources, so you
have to run the special file first to grant them extra access."

What 'special file' do you mean? I guess I need to know what exactly
do I have to do to mimic the Power Users group of XP.
I don't know if I mentioned this before, but I'm getting the no access
to Program Files messages with UAC Disabled. If I install with my
Power User with UAC enabled, I simply have to apply credentials
currently.

Any more info in setting up Power Users as in XP on VISTA would be
GREATLY APPRECIATED!

Thanks for the help/great information so far!!

On Jul 5, 10:39 am, Superfreak3 <Matt.Wal...@synergis.com> wrote:
> On Jul 2, 11:47 am, Jimmy Brush <j...@mvps.org> wrote:
>
>
>
>
>
> > > More information requests for help....
>
> > > (From a different/previous post reply...) You say...
>
> > > "Signing will not negatively affect your MSI file use downlevel from
> > > Vista.
> > > However it won't suddenly allow you to by-pass UAC prompts. Your
> > > application will have to be elevated in order to silently run the
> > > installation without prompts -- either that or have a service perform
> > > the
> > > installation for you. "
>
> > > What do you mean by 'your application will have to be elevated in
> > > order to silently run the installation without prompts'? Do you mean
> > > there is a way to elevate the .msi so it can be run silently?
>
> > Elevated means that the program is running with adminpower- which
> > means it was either started by an administrator interactively, or it was
> > started by the system outside of anyuseraccount(invisible), for
> > example, from a service or a scheduled task.
>
> > The important point here is that non-admins cannot install random
> > machine-wide programs.
>
> > An actual administrator will have to in some fashion choose to install
> > your program, since it needs to do muck about with system files and
> > settings. Standard users just can't do it.
>
> > Now, there are many ways an admin can install your program. This doesn't
> > necessarily mean that an admin will have to physically go to each
> > computer to perform the installation.
>
> > They can use group policy if in a domain environment to push the program
> > down to people.
>
> >http://www.windowsnetworking.com/art...t-Practices-Gr......
>
> > Or, they can use alternative deployment methods to get the app there.
> > (It can be as simple as making a program or script that connects to all
> > the computers, creates a scheduled task that runs as system and launches
> > an msi file in silent mode located on a network share somewhere).
>
> > > Also, you follow that up with 'either that or have a service perform
> > > the installation for you'. How can this be accomplished, with a
> > > service? Is there any documentation out there to explain this?
>
> > Basically, you create a service program that starts msiexec against your
> > msi, with the correct flags to run in quiet mode (since a service runs
> > outside of anyuseraccount, no UI is visible to any users).
>
> > > The reason I ask these questions it because we currently have an
> > > install that is basically writing 'stuff' all over the place with
> > > regards to the registry. It also defaults to an installation location
> > > under Program Files, which most end users leave unchanged, but is now
> > > considered sacred in VISTA so if they are not an Admin (this occurs
> > > with UAC disabled in my testing as well) they receive a message
> > > indicating the install cannot continue.
>
> > Which is how it was in every previous version of Windows NT.
>
> > It worked for you before because you made your users administrators (akapowerusers).
>
> > > Our mechanism of updating our client piece is that our application
> > > looks to an .ini for various information. If the information
> > > indicates an update is available, our .msi is installed silently.
> > > This probably will not work any longer in VISTA so I will have to
> > > search for an alternative here as well.
>
> > You need to separate out your update logic into its own program that
> > will run privileged outside of any specificuseraccount, and so will be
> > invisible - it cannot show UI.
>
> > You could either rewrite your update program as a service, or you could
> > just use it as-is and register it as a scheduled task that runs under a
> > system account.
>
> > Your initial setup program would register the update service or
> > scheduled task programmatically.
>
> > Alternatively, you might look into turning your updates into MSP's
> > (windows installer patches). If you follow the correct procedures, MSP's
> > can be launched and installed inside of a standarduseraccount.
>
> >http://msdn2.microsoft.com/en-us/library/Aa372388.aspx
>
> > > I've inherited these various installs since starting my new job last
> > > December. They basically have to be reworked. Its difficult because
> > > there is some third party stuff in there that writes to HKLM, etc.,
> > > which is tough to deal with in locked down environments where
> > > installing users are not Admin's. The workaround in earlier OSs to
> > > VISTA was to indicate thatPowerUsers would be an acceptable means of
> > > installation. In Vista, this concept seems to no longer apply really.
>
> > You're right,powerusers aren't supported anymore because there really
> > is no such thing as apoweruserfrom a security perspective.Power
> > users = administrators.
>
> > > If anyone out there knows of where I can turn for possible consulting
> > > services with regard to installation and security, please let me
> > > know. It seems as though you really need someone close to or part of
> > > Microsoft to guide you through.
>
> > > THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!!
>
> > Hope this information helps.
>
> > --
> > -JB
> > Microsoft MVP - Windows Shell/User
> > Windows Vista Support FAQ -http://www.jimmah.com/vista/-Hide quoted text -
>
> > - Show quoted text -
>
> Earlier in our thread, you mentioned:
>
> "However, the Power Users group still exists in Vista, but like the
> document says, they are not ACL'ed access to system resources, so you
> have to run the special file first to grant them extra access."
>
> What 'special file' do you mean? I guess I need to know what exactly
> do I have to do to mimic the Power Users group of XP.
> I don't know if I mentioned this before, but I'm getting the no access
> to Program Files messages with UAC Disabled. If I install with my
> Power User with UAC enabled, I simply have to apply credentials
> currently.
>
> Any more info in setting up Power Users as in XP on VISTA would be
> GREATLY APPRECIATED!
>
> Thanks for the help/great information so far!!- Hide quoted text -
>
> - Show quoted text -

Also, if I write a service to launch our silent updates, what would I
have to set ALLUSERS to, I wonder?

Superfreak3 wrote:
> On Jul 5, 10:39 am, Superfreak3 <Matt.Wal...@synergis.com> wrote:
>> Earlier in our thread, you mentioned:
>>
>> "However, the Power Users group still exists in Vista, but like the
>> document says, they are not ACL'ed access to system resources, so you
>> have to run the special file first to grant them extra access."
>>
>> What 'special file' do you mean? I guess I need to know what exactly
>> do I have to do to mimic the Power Users group of XP.
>> I don't know if I mentioned this before, but I'm getting the no access
>> to Program Files messages with UAC Disabled. If I install with my
>> Power User with UAC enabled, I simply have to apply credentials
>> currently.
>>
>> Any more info in setting up Power Users as in XP on VISTA would be
>> GREATLY APPRECIATED!
>>
>> Thanks for the help/great information so far!!- Hide quoted text -
>>
>> - Show quoted text -
>
> Also, if I write a service to launch our silent updates, what would I
> have to set ALLUSERS to, I wonder?
>

I would like to strongly discourage you from putting your users into the
legacy role of power users to solve this problem.

It is simply not necessary for this.

If you have the kind of control over your users' computers to make them
power users (admin privileges), then it would be much easier for you
just to authorize your MSI to be installed.

That being said, I had assumed from the technet document you referenced
that there was a security template available somewhere that would set up
power user permissions on Vista. However, I couldn't find it. This means
you would have to roll your own security template to change the
permissions that you need (i.e., allow power users access to the
appropriate registry keys, files, and privileges).

I found some more good sites that deal with MSI's and UAC that you might
find useful:

http://msdn2.microsoft.com/en-us/library/aa372468.aspx
http://blogs.msdn.com/rflaming/archi...log-posts.aspx

As for allusers, launching the MSI from a service account has
administrator privileges, so I believe it should work out as long as it
isn't null.



--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/