EXPERT needed for MSI-GPO-AD problem!!!
Posted 17 November 2004 - 11:57
We are experiencing the following interesting problem regarding MSI’s and Active Directory deployment. We want to deploy applications using active directory. It is a Windows 2000 Server AD environment with Windows XP clients. A group is created for every application and users that need the application are added to this group. A GPO is created for every application and rights are set for the application group. Applications are assigned in the user configuration of the GPO, if necessary applications can be installed at logon (XP clients!) e.g. if they have no shortcuts. So far so good!
Now we have two vendor based (InstallShield) applications (SUN Java RunTime 1.4.2_05 and VMware Workstation 4.5.2) that we want to deploy to the users. Doing this using the install at logon feature fails.
What appears to be the problem is that the vendor placed custom actions after InstallFinalize. These custom actions need elevated rights. During login the part run after InstallInitialize and before InstallFinalize is executed with the AD elevated rights. The rest is executed with the rights of the user that’s logging in. If this user has administrative privileges all goes fine. But (almost) all users are restricted users, so this is a problem.
I have tried to move the custom actions to run deferred in system context or to change the position of InstallFinalize but this only leads to a corrupt installation. Using a GPO that gives users elevated rights for executing MSI files does not help either (of course) because this still does not execute the custom actions after InstallFinalize with elevated rights. Searching on the web does not give an answer either.
We do not apply GPO's to machines (hey I didn't create the AD environment!). So I have come to the point that the only solution is to repackage the vendor MSI. This is something I dislike because of the other problems that can occur and the lack of support of the vendor!
Can anyone help me on this interesting problem!
Best Regards Mu.
Posted 18 November 2004 - 09:42
Posted 18 November 2004 - 11:04
Of course thats the right thing to do!
Besides asking the vendor I hoped a technical solution from the forum could help me further on this problem. Am I the first experiencing this problem...?
Posted 18 November 2004 - 18:52
I think someone already gave you a pretty plausable answer on the Altiris support forum (relating to the isscript driver and dcom)?
Posted 18 November 2004 - 21:26
Posted 19 November 2004 - 10:14
I'm not saying that this is definately the answer - I just think it sounds plausable enough to be worth investigating a little further?
I must admit that I'm not familiar with this particular issue, so I could be talking nonsense. But, it would make sense to me that if the task were executed using the credentials of the authenticated user (rather than the launching user), this may describe your symptoms exactly (works for admin, but not for user)?
In any case, I'd love to know the answer for future reference. So please come back and let us know!