Vista std usr can remove opt install feature for managed install

HookEm

I have a managed installation that requires admin rights to install. The
installation has a bootstrapper EXE (standard InstallShield 12 bootstrapper
properly manifested with the "requireAdministrator" setting for the security
attribute as well as being digitally signed), an MSI package external to the
bootstrapper (with properly authored records in the MsiDigitalCertificate,
MsiDigitalSignature, and MsiPatchCertificate tables as well as being
digitally signed itself), and several external CAB files (all of which are
also digitally signed). Also note that I have not set values for any of the
ARP MSI properties (ARPNOMODIFY, ARPNOREPAIR, or ARPNOREMOVE).

On BOTH Windows 2000 SP4 and Windows XP SP2, limited users can only repair
this managed installation when it is installed by an admin user (via the
"Support Information"-->Repair option in Add/Remove Programs). On both these
systems, in Add/Remove Programs the "Change" and "Remove" buttons are either
visible but disabled (Win2K SP4) or they are not visible at all (WinXP SP2).
On these systems, only a user who is a member of the Administrators user
group has the "Change" and "Remove" buttons both visible AND enabled.

However, on Windows Vista (GA) and Windows Server 2008 (RC1) systems, the
same buttons are displayed in Software Explorer for all users (Uninstall,
Change, Repair). If a limited user (standard user) clicks the Uninstall or
Repair buttons, the msiexec process runs the installation and they are
(eventually) prompted to elevate to Admin to continue. The SAME is the case
if they click the Change button AND they attempt to ADD an optional feature
(they are eventually prompted to elevate). However, if the limited/standard
user clicks the Change button and they REMOVE an optional feature then they
are never prompted to elevate.

I found the following thread on the Application Compatibility for Windows
Vista forum where the forum moderator suggested this is the correct behavior
and that it hasn't changed since Win2K (which isn't the case as I noted
above):
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1116084&SiteID=1

Why can a limited user remove optional features for a managed application
installed by an admin on Vista/WS2K8 systems but they are not allowed to do
so on Win2K/WinXP systems? If this is intended behavior, what are my options
if my managed application has such an optional feature that non-admin users
should not be allowed to uninstall?
 
AlexB

Somehow your accounts are improperly set up. Your ordinary users appear to
be members of the Administrators Group (check in Local Users and Groups:
lusrmgr.msc from command prompt)

You can define their rights in such limited ways that they will never be able to
run any app as administrator.

Perhaps they are not actually members of the Administrators and when push
comes to shove they will NOT be able to click "Run as Administrator" or give
proper PW? In this case let them see the buttons, who cares.
 
NoStop

AlexB said:
Somehow your accounts are improperly set up. Your ordinary users appear to
be members of the Administrators Group (check in Local Users and Groups:
lusrmgr.msc from command prompt)

--

Q: What OS is built for lusers?
A: Which one requires running lusermgr.msc to create them?

Contact AlexB to find out how to "delouse" your Vista system.
 
AlexB

It seems you, an idiot, have a kick out of my cliché: "delouse your system."
I am wondering what kind of low life you must be. Sort of little enjoyment,
abused childhood? Orphanage? Adapted? Have you been in trouble with alcohol?
Do you have a sponsor? How often do you go to AA meetings?

You really come across as a flat, one-dimensional person who got this
"great" idea for mankind: "Ubuntu." Is it not the time to quit? Spare your
nerves. You may end up in big trouble.

We will delouse all Vistas, don't you worry.
 
NoStop

AlexB said:
It seems you, an idiot, have a kick out of my cliché: "delouse your
system."

Just quoting some of your past expert advice there AlexB. Don't like it?
Then stop giving out such shit advice.

Cheers.

--
The three Rs of Microsoft support: Retry, Reboot, Reinstall.

Proprietary Software: a 20th Century software business model.

Q: What OS is built for lusers?
A: Which one requires running lusermgr.msc to create them?

Contact AlexB to find out how to "delouse" your Vista system.
 
HookEm

Alex,
Thank you for your response. However, I have already verified that the
limited user is ONLY a member of the Users user group (is NOT a member of the
Administrators user group). On a Windows Vista system, this user is allowed
to click the 'Change' button to launch the msiexec.exe installation process
(no problem), which runs the installation UI wizard (no problem), then they
can click the 'Modify' option to bring up the Custom Install dialog with the
optional features listed in an MSI SelectionTree control (no problem), they
can then disable an optional feature listed on the control (no problem), and
click the 'Next' button (no problem) to initiate the top level MSI action
Install (no problem). The msiexec process then runs to completion without
prompting the user to elevate to Administrator (BIG PROBLEM).

As noted previously, this is different behavior from that seen on pre-Vista
systems, where a limited user (member of the Users user group ONLY) is not
allowed to modify a managed installation installed by an Administrator.

For my application, it is absolutely imperative that limited users NOT be
allowed to remove optional features installed by a privileged user (member of
the Administrators group).

So I'm assuming this is a UAC bug on Vista systems (happens on both Vista
Ultimate RTM and Windows Server 2008 RC1) unless someone can verify that is
the intended behavior and explain to me how to lock down the features of a
managed installation so that limited users cannot change the features
installed by an administrator (either by adding new features not installed by
the admin or by removing features installed by the admin).

I was hoping to get feedback from someone at Microsoft regarding this issue.
I may just have to open a support ticket directly.
 
