HELP: GPO Software Deployment asks for Local Admin Rights??

[Mike Radu]

Hi everyone,

The scenario is as following: I have a Windows 2003 Server network with a
few Windows XP workstations. I went ahead and set up AD, DNS and DHCP,
created OUs, Groups and Users for the AD, and defined a few GPOs to regulate
some look-and-feel (IE title bar, homepage, background, etc), and activated
Folder Redirection. None of the users in the groups to which I've applied
these GPOs are power users. I was able to log on to the workstations and
see that the policies applied successfully.

I then went on to see whether software deployment works just as easy, and
assigned the AdminPack to a group of test users, also not local or domain
power users/admins. I wanted to assign the software to be installed at
logon. When logging on, I do see information that the package is installing
("Installing Windows 2003 Administration Pack"), but when the logon
completes, the package is no where to be found installed. I tried going
into Control Panel - Add/Remove Programs and adding it from there (where it
is listed), but then I get the error that I do not have administrator rights
and therefore cannot install this package. "Log on as administrator and
then try again."

I read and re-read every article and every chapter of books about GPO
deployment for Win2k and Win2k3 and no where is there a specification that
users have to have administrator rights on the workstations to be able to
have software deployed via GPOs. Furthermore, that's what I thought was the
great thing about GPO software deployment - that you don't have to be an
administrator locally, and thus your users (a) won't have the right to
install and mess up the systems with other software and (b) all the ads and
stuff that otherwise installs automatically when people surf with local
admin rights will now no longer stand a chance. Anyway, I have spent the
last 2 weeks trying to find an answer and couldn't find one, and I would be
GRATEFUL if you could send me some feedback/advise.

Thank you so much - ANY suggestions are more than welcome, as this has
started to drive me nuts!

Mike

 

[Chriss3]

The Package bust be assigned to be installed on logon.

Always install with elevated privileges
Computer Configuration\Administrative Templates\Windows Components\Windows
Installer

Description
Directs Windows Installer to use system permissions when it installs any
program on the system.

This policy extends elevated privileges to all programs. These privileges
are usually reserved for programs that have been assigned to the user
(offered on the desktop), assigned to the computer (installed
automatically), or made available in Add/Remove Programs in Control Panel.
This policy lets users install programs which require access to directories
that the user might not have permission to view or change, including
directories on highly restricted computers.

If you disable this policy or do not configure it, the system applies the
current user's permissions when it installs programs that a system
administrator does not distribute or offer.

Caution

Skilled users can take advantage of the permissions this policy grants to
change their privileges and gain permanent access to restricted files and
folders. Note that the User Configuration version of this policy is not
guaranteed to be secure.

Important

This policy appears both in the Computer Configuration and User
Configuration folders. To make this policy effective, you must enable the
policy in both folders.


--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was help full, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1

 

[Curtis Sawin]

The Adminpak.msi has a Launch Condition that prevents the
installation from happening unless the local user is an
administrator. Even if the MSI is assigned, the local
user must be an admin.

In order to change this, one will need to change the
launch condition (you'll need an MSI editor) and change
the text "AdminUser" to "Priviliged"

The "Priviliged" property is true if the user is an Admin,
or if the application is being assigned with elevated
rights...as in a Group Policy assignment.

Hope this helps!

Curtis Sawin