Using GPO to assign software rights or include rights in MSI package

[oscarmok]

I wonder which method is better? We have 1200 PCS/laptops and
about 50 use VPN to connect and never goes to office. We have 10
regional sites, with 50% are in 10Mb hub and other 50% in 100Mb
switch.

What's the benefit if the security (\program files\myapps;
HKLM\Software\MyApps) are set during the MSI package creation (we use
WISE packaging tool) instead of using GPO?

And what's the disadvantage if done in MSI?

Thanks

 

[Carolyn Napier [MSFT]]

I'm not sure that I completely understand your question, so I'll assume you'll
let me know if I don't. What I think you are asking is should you use Group
Policy to deploy ACLs for certain registry keys or files/folders or should you
use an MSI package to adjust those ACLs?

The answer depends somewhat on the rights of your users. If you package the
security settings in an MSI package, your users will either have to be
administrators or will have had to have had the package "pre-blessed" by an
admin in order for the installation to be elevated. The install will have to be
elevated for it to actually successfully write to ProgramFiles and HKLM since
normal users do not have the privileges to do so. An installation package by
itself cannot self elevate. It must be approved by an administrator. One method
for "pre-blessing" a package so that it can be executed elevated by a
non-privileged user is through Group Policy - Software Deployment. This is the
process of assigning or publishing applications.

So unless all of your users are admins, you would still have to deploy group
policy to the machine for the ACLs to be adjusted.

Hope this helps,
- Carolyn Napier
Microsoft Windows Installer Team

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

MSI FAQ:
<http://www.microsoft.com/windows2000/community/centers/management/msi_faq.mspx>