Jump to content


This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.
Photo

Restricting Some Installers from Running


5 replies to this topic

jhillInstallSite

jhillInstallSite
  • Members
  • 4 posts

Posted 22 July 2002 - 20:01

We have a large user-base, and (unfortunately) no central development team (everyone want to have they're own). The result is deployment dilemma.

We in IT Engineering would like to be able to restrict the MSI's able to execute on our user's Win2K systems to those released only by our team (i.e., approved packages).

Our systems are locked down with the AllwaysInstallElevated IVP set in the registries.

I will be grateful for any ideas (any at all). ???

hambone

hambone
  • Members
  • 206 posts

Posted 23 July 2002 - 12:10

yes we can disable the msi.  one method available is to use the Windows Installer Local Policies:
under the registry key for the installer ( HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer ) the following registry key does this:

Value Name: DisableMSI
Value Data Types: REG_DWORD
Description: If this value exists and is set to "2", the Installer is always
disabled for all applications. If this value is set to "1", the Installer is
disabled for non-managed applications but is still enabled for managed
applications. If this value is set to "0', any other number, or is absent, the
Installer is always enabled.

( as taken from: How to Manage Windows Installer Local Policies [Q227181] )

jhillInstallSite

jhillInstallSite
  • Members
  • 4 posts

Posted 23 July 2002 - 20:04

Thanks Hambone; I recall seeing this out there, but didn't fully understand the use.

Perhaps you, or anyone, would educate me as to what exactly a managed application is as related to the Windows installer?

Thanks again, and in advance,

Jeffrey

hambone

hambone
  • Members
  • 206 posts

Posted 24 July 2002 - 13:02

The terms ‘managed' and ‘non-managed' applications refer to whether an application has been installed using elevated system privileges.   Windows Installer always has elevated privileges when performing ‘per-machine' installations.

jhillInstallSite

jhillInstallSite
  • Members
  • 4 posts

Posted 24 July 2002 - 23:00

So let me see if I'm getting this straight.

Consider that I setup the MSI so that it installs on a per-machine basis (ALLUSERS = 2), and the system-wide policy AllwaysInstallElevated IVP is set to one.

Now, wouldn't every MSI be considered a managed install? After all they're installing at an elevated level of privilege.

I'm getting this? At all?


TIA,
JH

hambone

hambone
  • Members
  • 206 posts

Posted 30 July 2002 - 12:53

hey...

my experience is to set the elevated privs. for both the user and machine in the policy area and then install using the ALLUSERS=1 option.  the reason i opt for ALLUSER=1 and not ALLUSERS=2 is that with an ALLUSERS=1 it will perform the installation ONLY IF THE USER HAS ADMIN PRIV. on the system.

using gpo it is possible to 'toggle' the desired policy settings as you go...