Having problems creating an installer for my app due to permissions?

Pep

Firstly, I'm not sure if this is the right group for this query, so
please forgive me if I am wrong.

My problem is that most users I distribute my software to cannot
install it on their systems due to not having the correct
administrator rights. I'm perplexed over this as I cannot reasonably
ask corporations to allow the local secretary to have admin or power
user rights just to install my software.

My software is intended for user land. It is associated with a
particular file type that is downloaded from our web site and outputs
the received data to an OEM device over the serial and/or usb ports.
This has been working for years, simply because we have been asking
the user to download the program as an exe file to their desktop and
then they simply use the IE file association facility when they first
download a data file.

However, we are now trying to clean up our windows code and would like
to start using the MSI mechanism, which is where the problems have
started. I thought that a user could install software into their own
portion of the registry, i.e. current_user, without the need for admin
rights. Am I wrong in this belief?

If I am not wrong, can anyone point me to a simple howto for doing
this?

TIA,
Pep
 
Nicholas Paldino [.NET/C# MVP]

Pep,

Unfortunately, there is no good answer here. In order to install an MSI
on the system, you have to have administrator rights, period (AFAIK). I
could be wrong, but I can't remember ever not needing admin rights when
installing an MSI on a machine.
 
Pep

Nicholas said:
> Pep,
>
> Unfortunately, there is no good answer here. In order to install an MSI
> on the system, you have to have administrator rights, period (AFAIK). I
> could be wrong, but I can't remember ever not needing admin rights when
> installing an MSI on a machine.
<snip>

Hey thanks for your answer Nicholas, though it's not the answer I was
looking for :)

This is one of those areas where as a nix developer I find windows
slightly lacking, unless somebody comes up with an answer that shows
how this can be done. We obviously have very stringent security in the
nix world but all users can install user space software into their
own directories without affecting the global system.

I was rather hoping that a similar mechanism was in place on windows.
 
Andrew Meador

> Firstly, I'm not sure if this is the right group for this query, so
> please forgive me if I am wrong.
>
> My problem is that most users I distribute my software to cannot
> install it on their systems due to not having the correct
> administrator rights. I'm perplexed over this as I cannot reasonably
> ask corporations to allow the local secretary to have admin or power
> user rights just to install my software.
>
> My software is intended for user land. It is associated with a
> particular file type that is downloaded from our web site and outputs
> the received data to an OEM device over the serial and/or usb ports.
> This has been working for years, simply because we have been asking
> the user to download the program as an exe file to their desktop and
> then they simply use the IE file association facility when they first
> download a data file.
>
> However, we are now trying to clean up our windows code and would like
> to start using the MSI mechanism, which is where the problems have
> started. I thought that a user could install software into their own
> portion of the registry, i.e. current_user, without the need for admin
> rights. Am I wrong in this belief?
>
> If I am not wrong, can anyone point me to a simple howto for doing
> this?
>
> TIA,
> Pep

I'm not sure about the specifics of whether admin rights are
required for installing MSI packages (I don't doubt it as I've always
had to install stuff using admin privileges), but that, in my mind, is
the way it should be. Users are not generally supposed to install
software on their own machines (in business networks that is). It is
an IT nightmare to allow users to put all kinds of crap on their
machines (including viruses, spyware, inappropriate apps, etc...).
Many business networks give users local admin rights to their own
machine, then the user can install software, but for companies that are a
bit more tight on security, they usually only give their users User
level access, and thus they can't install software.

If your app is going to be put into larger companies, their IT staff
can push your MSI out via group policy, which would install the
software on the users' machines, without the admins even having to go
to the user's computer. This can be done for specific groups, all
users, etc... It can be limited to those who should be getting it is
my point.

If they don't utilize group policies to push software out to users
(or other remote install utilities), then their IT person would need
to be involved in the install - again, the way it typically should be.
It is good for IT staff to know what is going on users' computers,
where it came from, that it has been scanned for malicious content,
etc... (a lot of which general users often don't check for).

What gets me peeved is when a company creates an install that
requires admin rights, and after the install, the regular user cannot
run the app because the application requires admin rights to run it.
This is typically due to not following through on allowing the Users
group proper access to the files, folders, and/or registry entries
created during the install. I often have to make file system and
registry permission changes to apps like this so the users can even
run them. I think you would be good to focus on that aspect. Make sure
your MSI sets up proper permissions on the files, folder, registry
entries, etc... so that the user can run the application after it has
been installed by an admin (physically or remotely). Also, make sure
the Start Menu folder that is created (if you have one) is set up for
all users, or icons set up for the specified users, or something. Just
make sure the group is not installed under the admin account only.
This also goes for desktop icons or quick start links.

I hope this gives you some ideas and helps out. I don't think your
clients would be upset that you are taking their security into account
so long as everything works good once they get it installed. 8)

Andrew Meador
 
Pep

Andrew said:
> I'm not sure about the specifics of whether admin rights are
> required for installing MSI packages (I don't doubt it as I've always
> had to install stuff using admin privileges), but that, in my mind, is
> the way it should be. Users are not generally supposed to install
> software on their own machines (in business networks that is). It is
> an IT nightmare to allow users to put all kinds of crap on their
> machines (including viruses, spyware, inappropriate apps, etc...).
> Many business networks give users local admin rights to their own
> machine, then the user can install software, but for companies that are a
> bit more tight on security, they usually only give their users User
> level access, and thus they can't install software.

Which is how my clients have their systems set up but unfortunately
this does not prevent spyware and viruses installing to their
w/stations, only genuine business software :(

> If your app is going to be put into larger companies, their IT staff
> can push your MSI out via group policy, which would install the
> software on the users' machines, without the admins even having to go
> to the user's computer. This can be done for specific groups, all
> users, etc... It can be limited to those who should be getting it is
> my point.
>
> If they don't utilize group policies to push software out to users
> (or other remote install utilities), then their IT person would need
> to be involved in the install - again, the way it typically should be.
> It is good for IT staff to know what is going on users' computers,
> where it came from, that it has been scanned for malicious content,
> etc... (a lot of which general users often don't check for).

Unfortunately the majority of our clients have hundreds of remote
national satellite offices all connected by the internet and no means
of doing remote administration. It's not my company's policy to get
involved in their administration plans, so we can do nothing about it.

> What gets me peeved is when a company creates an install that
> requires admin rights, and after the install, the regular user cannot
> run the app because the application requires admin rights to run it.
> This is typically due to not following through on allowing the Users
> group proper access to the files, folders, and/or registry entries
> created during the install. I often have to make file system and

Yep, seen this quite often :(

> registry permission changes to apps like this so the users can even
> run them. I think you would be good to focus on that aspect. Make sure
> your MSI sets up proper permissions on the files, folder, registry
> entries, etc... so that the user can run the application after it has
> been installed by an admin (physically or remotely). Also, make sure
> the Start Menu folder that is created (if you have one) is set up for
> all users, or icons set up for the specified users, or something. Just
> make sure the group is not installed under the admin account only.
> This also goes for desktop icons or quick start links.

Everything else is working fine, except we cannot install our own
software to their machines. So sadly it looks like we are going to
have to go back to the old method of allowing them to download an exe
file to their desktop and manually associate the application to the
file type when IE gets its knickers in a twist :(

> I hope this gives you some ideas and helps out. I don't think your
> clients would be upset that you are taking their security into account
> so long as everything works good once they get it installed. 8)
>
> Andrew Meador

Personally I think windows is lacking in this area. Users should be
able to install their own local software without affecting the global
o/s. Isn't this what the separate user hives are about?

Perhaps I should write our software installer like a virus or spyware
and then the users will have no problems, LOL
 
Peter Duniho

> [...]
> Personally I think windows is lacking in this area. Users should be
> able to install their own local software without affecting the global
> o/s. Isn't this what the separate user hives are about?

Personally, it seems to me that your Unix prejudice is fogging your view.

First of all, Windows does generally allow users to install their own
local software. IMHO, it's not a very good idea for users to do so,
but there aren't any access controls that prohibit users from
installing and running executables as long as they only have to access
their own data to do so.

So if you're running into trouble, there's something more
"administrative-like" about your program that is specifically causing a
problem. You would have similar issues trying to allow a non-admin
user to do admin-like things on a Unix system.

Secondly, viewing this as a Unix-versus-Windows issue is pointless
anyway. Windows != Unix. There are bound to be some differences, and
just as there are a number of things you can do in Windows that you
can't do in exactly the same way in Unix, so too are there things you
can do in Unix that you can't do in exactly the same way in Windows.

It's not about a question of one being "lacking" with respect to the
other. It's just a different way of operating.

The sooner you get past this mentality, the sooner you can get on with
actually solving your problems rather than daydreaming about how much
greener the grass is on the other side of the fence.

Pete
 
Andrew Meador

> Which is how my clients have their systems set up but unfortunately
> this does not prevent spyware and viruses installing to their
> w/stations, only genuine business software :(

Well, true, some things can still get in and cause trouble, but it
does limit them and in some cases can outright stop them (depending on
what they are trying to do), like if they try to delete system files
that are accessible to an admin, but not to a user - the virus,
spyware, etc... would also run under the more restricted access of the
user. And yep, sometimes it does interfere with business software,
but, if the business software is written by authors taking these kinds
of issues into account, then everything should be good, or at least
better ;)

> Unfortunately the majority of our clients have hundreds of remote
> national satellite offices all connected by the internet and no means
> of doing remote administration. It's not my company's policy to get
> involved in their administration plans, so we can do nothing about it.

Typically such large organizations, especially with so many remote
satellite offices are the ones that REALLY want to use remote admin
utilities. You might check further with their top IT people and see how
they currently handle such issues. They may give you some good ideas,
especially with respect to how they do it. It would seem odd to me
that they have their network restricted down, but have no way of
pushing software out by remote means. The idea of their IT people
running the country/world just to install software for users at
satellite offices would be crazy. Also, if they don't have a good
centralized administration or they don't push their software from the
central office (considering bandwidth issues - I wouldn't be
surprised), they may push this work down to IT people at the satellite
offices.

> Yep, seen this quite often :(
>
> Everything else is working fine, except we cannot install our own
> software to their machines. So sadly it looks like we are going to
> have to go back to the old method of allowing them to download an exe
> file to their desktop and manually associate the application to the
> file type when IE gets its knickers in a twist :(

If there is no way around their installation issues, maybe create a
script that they could also download to automatically add the file
extensions. That would at least make it easier than talking them
through it all the time (at least in such detail).

> Personally I think windows is lacking in this area. Users should be
> able to install their own local software without affecting the global
> o/s. Isn't this what the separate user hives are about?

I still disagree here - I have had too many users download and
install software that I don't want in my network (bandwidth suckers,
illegal licensing, etc...) Yep, I'm a control freak, and I can't be if
they can install whatever they want. Plus, for issues like this, I
have scanners that watch their file systems for rogue files and remove
them as well - if I didn't want their downloaded exe to run I'd add it
to the list to be killed.
 
Pep

Peter said:
> [...]
> > Personally I think windows is lacking in this area. Users should be
> > able to install their own local software without affecting the global
> > o/s. Isn't this what the separate user hives are about?
>
> Personally, it seems to me that your Unix prejudice is fogging your view.

Perhaps you are the sort of person that loves to embroil themselves in
useless arguments over which o/s is better and why, I don't know but
you seem to have turned my statement into something it was not. I did
not voice any "Unix prejudice", I stated my view on a particular area
of administration that directly related to the problem I have been
discussing with other people.

Personally I do not care which o/s people perceive to be the better
and/or why. I use both for different reasons and IMHO they both do
things better than the other and both are found to be lacking in
various areas compared to the other.

> First of all, Windows does generally allow users to install their own
> local software. IMHO, it's not a very good idea for users to do so,
> but there aren't any access controls that prohibit users from
> installing and running executables as long as they only have to access
> their own data to do so.
>
> So if you're running into trouble, there's something more
> "administrative-like" about your program that is specifically causing a
> problem. You would have similar issues trying to allow a non-admin
> user to do admin-like things on a Unix system.

Erm, not quite true there. On a nix system I would be able to run an
installation script that installs software into my local environment
and add associations to my browser without the need for admin rights.

> Secondly, viewing this as a Unix-versus-Windows issue is pointless
> anyway. Windows != Unix. There are bound to be some differences, and
> just as there are a number of things you can do in Windows that you
> can't do in exactly the same way in Unix, so too are there things you
> can do in Unix that you can't do in exactly the same way in Windows.

You are the only person viewing this issue this way. I asked how can I
do something on windows in a similar manner to how I would do it on a
nix system.

> It's not about a question of one being "lacking" with respect to the
> other. It's just a different way of operating.

Wordology, stop being pedantic.

> The sooner you get past this mentality, the sooner you can get on with
> actually solving your problems rather than daydreaming about how much
> greener the grass is on the other side of the fence.
>
> Pete

As I read further through your response I am becoming more convinced
that you are probably a junior troll let out to play by your mummy.
Thanks for adding nothing to this conversation.
 
Pep

Andrew said:
> Well, true, some things can still get in and cause trouble, but it
> does limit them and in some cases can outright stop them (depending on
> what they are trying to do), like if they try to delete system files
> that are accessible to an admin, but not to a user - the virus,
> spyware, etc... would also run under the more restricted access of the
> user. And yep, sometimes it does interfere with business software,
> but, if the business software is written by authors taking these kinds
> of issues into account, then everything should be good, or at least
> better ;)

Wouldn't life be boring if everything worked the way it was supposed
to and nobody ever tried to rip the envelope apart :)

> Typically such large organizations, especially with so many remote
> satellite offices are the ones that REALLY want to use remote admin
> utilities. You might check further with their top IT people and see how
> they currently handle such issues. They may give you some good ideas,
> especially with respect to how they do it. It would seem odd to me
> that they have their network restricted down, but have no way of
> pushing software out by remote means. The idea of their IT people
> running the country/world just to install software for users at
> satellite offices would be crazy. Also, if they don't have a good
> centralized administration or they don't push their software from the
> central office (considering bandwidth issues - I wouldn't be
> surprised), they may push this work down to IT people at the satellite
> offices.

Unfortunately this is a set of large companies that have satellite
offices which all have their own separate broadband connections. There
is no company intranet.

> If there is no way around their installation issues, maybe create a
> script that they could also download to automatically add the file
> extensions. That would at least make it easier than talking them
> through it all the time (at least in such detail).

Okay that sounds like a plan. I have not done a lot of work using the
microsoft installer so am still hopelessly in the middle of my
learning curve, so guess I'll have to do more investigation :)

Is it possible using this approach to get the installer to execute a
script to set the file associations in explorer as part of the
installation process?

> I still disagree here - I have had too many users download and
> install software that I don't want in my network (bandwidth suckers,
> illegal licensing, etc...) Yep, I'm a control freak, and I can't be if
> they can install whatever they want. Plus, for issues like this, I
> have scanners that watch their file systems for rogue files and remove
> them as well - if I didn't want their downloaded exe to run I'd add it
> to the list to be killed.

Sounds like you have things under your complete control :)

Fortunately for me, most of the people working on my network at work
are nix developers and administrators so we tend not to download too
much eye candy and bandwidth hoggers. Now at home it's a completely
different ball game, there anything seems to go and the only control
freaks are my girls and missus :)

Have you ever tried denying your missus the complete admin rights to
both her computer and yours?
 
Peter Duniho

> Perhaps you are the sort of person that loves to embroil themselves in
> useless arguments over which o/s is better and why

Says the person who insists that "Windows is lacking in this area"?

Right.
 
Andrew Meador

> Okay that sounds like a plan. I have not done a lot of work using the
> microsoft installer so am still hopelessly in the middle of my
> learning curve, so guess I'll have to do more investigation :)
>
> Is it possible using this approach to get the installer to execute a
> script to set the file associations in explorer as part of the
> installation process?

Sorry, I didn't notice these last few messages to this posting...
I have done a bit of testing and looking around and don't see a
solution for you. Users running under User permissions cannot change
or create file extension mappings. So, even if you can create a
script to create the mappings (which I did find at
http://www.microsoft.com/technet/scriptcenter/resources/guiguy/fldopts2.mspx),
a User level user still cannot configure them. So, my original idea
seems dead. I think it is going to have to come down to doing an
install that requires admin privileges or do it the way you have been.
You could still do a script to help them set up the folder and copy the
app to it and such, but I don't see a way to fix your file extension
mapping problem.

> Sounds like you have things under your complete control :)

As much as possible anyway. Well I wouldn't say that, I could lock
things down even more, but I find this is a good compromise.

> Fortunately for me, most of the people working on my network at work
> are nix developers and administrators so we tend not to download too
> much eye candy and bandwidth hoggers. Now at home it's a completely
> different ball game, there anything seems to go and the only control
> freaks are my girls and missus :)

Hehe, the users in my case are all just that - regular office users...
they are not techie by any means... if they were, I would probably
open things up a bit. It's the ones that don't know what they're doing
that tend to cause the most damage. At least with techies, they can
fix it themselves!

> Have you ever tried denying your missus the complete admin rights to
> both her computer and yours?

Hehe, I actually do. My wife has user permissions and I run a server
at home where I use group policies to restrict my kids' computers down
even further. If that doesn't work well enough, I ban their systems
(the kids anyway) from the internet. I have them set up with wireless
NICs in their desktops and cut access from the wireless router. I'm so
mean! ;)

Well, Good Luck!

Andrew
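
The per-user registration Pep asks about at the start of the thread, as an added example that is not part of any poster's message: Windows merges HKEY_CURRENT_USER\Software\Classes into the HKEY_CLASSES_ROOT view, and that key is writable by its owning user by default. The extension, ProgID, description and install path below are hypothetical.

```powershell
# Added example: per-user file-type registration, run as the ordinary user.
# Hypothetical names (not from the thread): extension, ProgID, install path.
$ErrorActionPreference = 'Stop'

$Extension = '.oemdata'
$ProgId    = 'ExampleVendor.OemData.1'
$AppExe    = Join-Path $env:LOCALAPPDATA 'Programs\ExampleVendor\OemSender.exe'
$Classes   = 'HKCU:\Software\Classes'

# If elevation used another account's credentials, HKCU is that account's
# hive and the intended user's profile receives nothing.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Warning "Running elevated as $($me.Name); HKCU belongs to this account."
}

function Set-RegDefault {
    param([string]$Key, [string]$Value)
    # Create the key (and any missing parents) only when it is absent,
    # so existing values under it are left alone.
    if (-not (Test-Path -LiteralPath $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $Key -Name '(default)' -Value $Value
}

# Quote both the executable path and %1 so spaces cannot split arguments.
$command = '"{0}" "%1"' -f $AppExe

Set-RegDefault "$Classes\$Extension" $ProgId
Set-RegDefault "$Classes\$ProgId" 'OEM device data file'
Set-RegDefault "$Classes\$ProgId\shell\open\command" $command

# Tell Explorer that associations changed (SHCNE_ASSOCCHANGED, SHCNF_IDLIST).
Add-Type -Namespace Native -Name Shell -MemberDefinition @'
[DllImport("shell32.dll")]
public static extern void SHChangeNotify(int wEventId, uint uFlags, IntPtr dwItem1, IntPtr dwItem2);
'@
[Native.Shell]::SHChangeNotify(0x08000000, 0, [IntPtr]::Zero, [IntPtr]::Zero)

# Read back the open command registered for this user.
$resolved = (Get-ItemProperty -LiteralPath "$Classes\$ProgId\shell\open\command").'(default)'
'{0} -> {1} -> {2}' -f $Extension, $ProgId, $resolved
```

On locked-down machines an application-control policy (Software Restriction Policies or AppLocker) can still block an executable that runs from a user-writable directory. On Windows 8 and later the shell also honours an existing per-user default-app choice for the extension over this registration.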
 
