By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,679 Members | 2,763 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,679 IT Pros & Developers. It's quick & easy.

Having problems creating a installer for my app due to permissions?

P: n/a
Pep
Firstly, I'm not sure if this is the right group for this query, so
please forgive me if I am wrong.

My problem is that most users I distribute my software to cannot
install it on their systems due to not having the correct
administrator rights. I'm perplexed over this as I cannot reasonably
ask corporations to allow the local secretary to have admin or power
user rights just to install my software.

My software is intended for user land. It is associated with a
particular file type that is downloaded from our web site and outputs
the received data to a OEM device over the serial and/or usb ports.
This has been working for years, simply because we have been asking
the user to download the program as an exe file to their desktop and
then they simply use the IE file association facility when they first
download a data file.

However, we are now trying to clean up our windows code and would like
to start using the MSI mechanism, which is where the problems have
started. I thought that a user could install software in to their own
portion of the registry, i.e. current_user, without the need for admin
rights. Am I wrong in this belief?

If I am not wrong, can anyone point me to a simple howto for doing
this?

TIA,
Pep

Oct 31 '07 #1
Share this Question
Share on Google+
6 Replies


P: n/a
On Oct 31, 12:02 pm, Pep <pepaltavi...@yahoo.co.ukwrote:
Firstly, I'm not sure if this is the right group for this query, so
please forgive me if I am wrong.

My problem is that most users I distribute my software to cannot
install it on their systems due to not having the correct
administrator rights. I'm perplexed over this as I cannot reasonably
ask corporations to allow the local secretary to have admin or power
user rights just to install my software.

My software is intended for user land. It is associated with a
particular file type that is downloaded from our web site and outputs
the received data to a OEM device over the serial and/or usb ports.
This has been working for years, simply because we have been asking
the user to download the program as an exe file to their desktop and
then they simply use the IE file association facility when they first
download a data file.

However, we are now trying to clean up our windows code and would like
to start using the MSI mechanism, which is where the problems have
started. I thought that a user could install software in to their own
portion of the registry, i.e. current_user, without the need for admin
rights. Am I wrong in this belief?

If I am not wrong, can anyone point me to a simple howto for doing
this?

TIA,
Pep
I'm not sure about the specifics of whether admin rights are
required for installing MSI packages (I don't doubt it as I've always
had to install stuff using admin privelges), but that, in my mind, is
the way it should be. Users are not generally supposed to install
software on their own machines (in business networks that is). It is
an IT nightmare to allows users to put all kinds of crap on their
machines (including viruses, spyware, inappropriate apps, etc...).
Many business networks give users local admin rights to their own
machine, then user can install software, but for companies that are a
bit more tight on security, they usually only give their users User
level access, and thus they can't install software.

If you app is going to be put into larger companies, their IT staff
can push you MSI out via group policy, which would install the
software on the users machines, without the admins even having to go
the the users computer. This can be done for specific groups, all
users, etc... It can be limited to those who should be getting it is
my point.

If they don't utilize group policies to push software out to users
(or other remote install utilities), then their IT person would need
to be involved in the install - again, the way it typically should be.
It is good for IT staff to know what is going on users computers,
where it came from, that is has been scanned for malicious content,
etc... (a lot of which general users ofter don't check for).

What gets me peeved is when a company creates an install that
requires admin rights, and after the install, the regular user cannot
run the app because the application requires admin rights to run it.
This is typically due to not following through on allowing the Users
group proper access to the files, folders, and/or registry entires
created during the install. I often have to make file system and
registry permission changes to apps like this so the users can ever
run them. I think you would be good to focus on that aspect. Make sure
your MSI sets up proper permissions on the files, folder, registry
entries, etc... so that the user can run the application after it has
been installed by an admin (physically or remotely). Also, make sure
the Start Menu folder that is created (if you have one) is setup for
all users, or icons setup for the specified users, or something. Just
make sure the group is not installed under the admin account only.
This also goes for desktop icons or quick start links.

I hope this gives you some ideas and helps out. I don't think you
clients would be upset that you are taking their security into account
so long as everything works good once they get it installed. 8)

Andrew Meador
Oct 31 '07 #2

P: n/a
Pep

Andrew Meador wrote:
On Oct 31, 12:02 pm, Pep <pepaltavi...@yahoo.co.ukwrote:
Firstly, I'm not sure if this is the right group for this query, so
please forgive me if I am wrong.

My problem is that most users I distribute my software to cannot
install it on their systems due to not having the correct
administrator rights. I'm perplexed over this as I cannot reasonably
ask corporations to allow the local secretary to have admin or power
user rights just to install my software.

My software is intended for user land. It is associated with a
particular file type that is downloaded from our web site and outputs
the received data to a OEM device over the serial and/or usb ports.
This has been working for years, simply because we have been asking
the user to download the program as an exe file to their desktop and
then they simply use the IE file association facility when they first
download a data file.

However, we are now trying to clean up our windows code and would like
to start using the MSI mechanism, which is where the problems have
started. I thought that a user could install software in to their own
portion of the registry, i.e. current_user, without the need for admin
rights. Am I wrong in this belief?

If I am not wrong, can anyone point me to a simple howto for doing
this?

TIA,
Pep

I'm not sure about the specifics of whether admin rights are
required for installing MSI packages (I don't doubt it as I've always
had to install stuff using admin privelges), but that, in my mind, is
the way it should be. Users are not generally supposed to install
software on their own machines (in business networks that is). It is
an IT nightmare to allows users to put all kinds of crap on their
machines (including viruses, spyware, inappropriate apps, etc...).
Many business networks give users local admin rights to their own
machine, then user can install software, but for companies that are a
bit more tight on security, they usually only give their users User
level access, and thus they can't install software.
Which is how my clients have their systems setup but unfortunately
this does not prevent spyware and viruses installing to their w/
stations, only genuine business software :(
>
If you app is going to be put into larger companies, their IT staff
can push you MSI out via group policy, which would install the
software on the users machines, without the admins even having to go
the the users computer. This can be done for specific groups, all
users, etc... It can be limited to those who should be getting it is
my point.

If they don't utilize group policies to push software out to users
(or other remote install utilities), then their IT person would need
to be involved in the install - again, the way it typically should be.
It is good for IT staff to know what is going on users computers,
where it came from, that is has been scanned for malicious content,
etc... (a lot of which general users ofter don't check for).
Unfortunately the majority of our clients have hundreds of remote
national satellite offices all connected by the internet and no means
of doing remote administration. It's not my companies policy to get
involved in their administration plans, so we can do nothing about it.
What gets me peeved is when a company creates an install that
requires admin rights, and after the install, the regular user cannot
run the app because the application requires admin rights to run it.
This is typically due to not following through on allowing the Users
group proper access to the files, folders, and/or registry entires
created during the install. I often have to make file system and
Yep, seen this quite often :(
registry permission changes to apps like this so the users can ever
run them. I think you would be good to focus on that aspect. Make sure
your MSI sets up proper permissions on the files, folder, registry
entries, etc... so that the user can run the application after it has
been installed by an admin (physically or remotely). Also, make sure
the Start Menu folder that is created (if you have one) is setup for
all users, or icons setup for the specified users, or something. Just
make sure the group is not installed under the admin account only.
This also goes for desktop icons or quick start links.
Everything else is working fine, except we cannot install our own
software to their machines. So sadly it looks like we are going to
have to go back to the old method of allowing them to download a exe
file to their desktop and manually associate the application to the
file type when IE gets it's knickers in a twist :(
I hope this gives you some ideas and helps out. I don't think you
clients would be upset that you are taking their security into account
so long as everything works good once they get it installed. 8)

Andrew Meador
Personally I think windows is lacking in this area. Users should be
able to install their own local software without affecting the global
o/s. Isn't this is what the separate user hives are about?

Perhaps I should write our software installer like a virus or spyware
and then the users will have no problems, LOL

Oct 31 '07 #3

P: n/a
On 2007-10-31 10:27:50 -0700, Pep <pe**********@yahoo.co.uksaid:
[...]
Personally I think windows is lacking in this area. Users should be
able to install their own local software without affecting the global
o/s. Isn't this is what the separate user hives are about?
Personally, it seems to me that your Unix prejudice is fogging your view.

First of all, Windows does generally allow users to install their own
local software. IMHO, it's not a very good idea for users to do so,
but there aren't any access controls that prohibit users from
installing and running executables as long as they only have to access
their own data to do so.

So if you're running into trouble, there's something more
"administrative-like" about your program that is specifically causing a
problem. You would have similar issues trying to allow a non-admin
user to do admin-like things on a Unix system.

Secondly, viewing this as a Unix-versus-Windows issue is pointless
anyway. Windows != Unix. There are bound to be some differences, and
just as there are a number of things you can do in Windows that you
can't do in exactly the same way in Unix, so too are there things you
can do in Unix that you can't do in exactly the same way in Windows.

It's not about a question of one being "lacking" with respect to the
other. It's just a different way of operating.

The sooner you get past this mentality, the sooner you can get on with
actually solving your problems rather than daydreaming about how much
greener the grass is on the other side of the fence.

Pete

Oct 31 '07 #4

P: n/a
>
I'm not sure about the specifics of whether admin rights are
required for installing MSI packages (I don't doubt it as I've always
had to install stuff using admin privelges), but that, in my mind, is
the way it should be. Users are not generally supposed to install
software on their own machines (in business networks that is). It is
an IT nightmare to allows users to put all kinds of crap on their
machines (including viruses, spyware, inappropriate apps, etc...).
Many business networks give users local admin rights to their own
machine, then user can install software, but for companies that are a
bit more tight on security, they usually only give their users User
level access, and thus they can't install software.

Which is how my clients have their systems setup but unfortunately
this does not prevent spyware and viruses installing to their w/
stations, only genuine business software :(
Well, true, some things can still get in and cause trouble, but it
does limit them and in some cases can outright stop them (depending on
what they are trying to do), like if the try to delete system files
that are accessable to an admin, but not to a user - the virus,
spyware, etc... would also run under the more restircted access of the
user. And yep, sometimes it does interfere with business software,
but, if the business software is written by authors taking these kinds
of issue into account, then everything should be good, or at least
better ;)
>
If you app is going to be put into larger companies, their IT staff
can push you MSI out via group policy, which would install the
software on the users machines, without the admins even having to go
the the users computer. This can be done for specific groups, all
users, etc... It can be limited to those who should be getting it is
my point.
If they don't utilize group policies to push software out to users
(or other remote install utilities), then their IT person would need
to be involved in the install - again, the way it typically should be.
It is good for IT staff to know what is going on users computers,
where it came from, that is has been scanned for malicious content,
etc... (a lot of which general users ofter don't check for).

Unfortunately the majority of our clients have hundreds of remote
national satellite offices all connected by the internet and no means
of doing remote administration. It's not my companies policy to get
involved in their administration plans, so we can do nothing about it.
Typically such large organizations, especially with so many remote
satellite offices are the ones that REALLY want to use remote admin
utilites. You might check further with their top IT people and see how
they currently handle such issues. They may give you some good ideas,
especially with respect to how they do it. It would seem odd to me
that they have their network restricted down, but have no way of
pushing software out by remote means. The idea of their IT people
running the country/world just to install software for users at
satellite offices would be crazy. Also, if they don't have a good
centralized administration or they don't push their software from the
central office (considering bandwidth issues - I wouldn't be
suprised), they may push this work down to IT people at the satellite
offices.
What gets me peeved is when a company creates an install that
requires admin rights, and after the install, the regular user cannot
run the app because the application requires admin rights to run it.
This is typically due to not following through on allowing the Users
group proper access to the files, folders, and/or registry entires
created during the install. I often have to make file system and

Yep, seen this quite often :(
registry permission changes to apps like this so the users can ever
run them. I think you would be good to focus on that aspect. Make sure
your MSI sets up proper permissions on the files, folder, registry
entries, etc... so that the user can run the application after it has
been installed by an admin (physically or remotely). Also, make sure
the Start Menu folder that is created (if you have one) is setup for
all users, or icons setup for the specified users, or something. Just
make sure the group is not installed under the admin account only.
This also goes for desktop icons or quick start links.

Everything else is working fine, except we cannot install our own
software to their machines. So sadly it looks like we are going to
have to go back to the old method of allowing them to download a exe
file to their desktop and manually associate the application to the
file type when IE gets it's knickers in a twist :(
If there is no way around their installation issues, maybe create a
script that they could also download to automatically add the file
extensions. That would at least make it easier than talking them
through it all the time (at least in such detail).
>
I hope this gives you some ideas and helps out. I don't think you
clients would be upset that you are taking their security into account
so long as everything works good once they get it installed. 8)
Andrew Meador

Personally I think windows is lacking in this area. Users should be
able to install their own local software without affecting the global
o/s. Isn't this is what the separate user hives are about?
I still disagree here - I have had too many users download and
install software that I don't want in my network (bandwidth suckers,
illegal licensing, etc...) Yep, I'm a control freak, and I can't be if
they can install whatever they want. Plus, for issues like this, I
have scanners that watch their file systems for rogue files and remove
them as well - if I didn't want their downloaded exe to run I'd add it
to the list to be killed.
Perhaps I should write our software installer like a virus or spyware
and then the users will have no problems, LOL- Hide quoted text -

- Show quoted text -

Oct 31 '07 #5

P: n/a
Pep

Peter Duniho wrote:
On 2007-10-31 10:27:50 -0700, Pep <pe**********@yahoo.co.uksaid:
[...]
Personally I think windows is lacking in this area. Users should be
able to install their own local software without affecting the global
o/s. Isn't this is what the separate user hives are about?

Personally, it seems to me that your Unix prejudice is fogging your view.
Perhaps you are the sort of person that loves to embroil themselves in
usesless arguments over which o/s is better and why, I don't know but
you seem to have turned my statement in to something it was not. I did
not voice any "Unix prejudice", I stated my view on a particular area
of administration that directly related the problem I have been
discussing with other people.

Personally I do not care which o/s people perceive to be the better
and/or why. I use both for different reasons and IMHO they both do
things better than the other and both are found to be lacking in
various areas compared to the other.
First of all, Windows does generally allow users to install their own
local software. IMHO, it's not a very good idea for users to do so,
but there aren't any access controls that prohibit users from
installing and running executables as long as they only have to access
their own data to do so.

So if you're running into trouble, there's something more
"administrative-like" about your program that is specifically causing a
problem. You would have similar issues trying to allow a non-admin
user to do admin-like things on a Unix system.
Erm, not quite true there. On a nix system I would be able to run an
installation script that installs software in to my local environment
and add associations to my browser without the need for admin rights.
Secondly, viewing this as a Unix-versus-Windows issue is pointless
anyway. Windows != Unix. There are bound to be some differences, and
just as there are a number of things you can do in Windows that you
can't do in exactly the same way in Unix, so too are there things you
can do in Unix that you can't do in exactly the same way in Windows.
You are the only person viewing this issue this way. I asked how can I
do something on windows in a similar manner to how I would do it on a
nix system.
It's not about a question of one being "lacking" with respect to the
other. It's just a different way of operating.
Wordology, stop being pedantic.
The sooner you get past this mentality, the sooner you can get on with
actually solving your problems rather than daydreaming about how much
greener the grass is on the other side of the fence.

Pete
As I read further through your response I am becoming more convinced
that you are probably a junior troll let out to play by your mummy.
Thanks for adding nothing to this conversation.

Nov 6 '07 #6

P: n/a
On 2007-11-06 02:55:23 -0800, Pep <pe**********@yahoo.co.uksaid:
Perhaps you are the sort of person that loves to embroil themselves in
usesless arguments over which o/s is better and why
Says the person who insists that "Windows is lacking in this area"?

Right.

Nov 6 '07 #7

This discussion thread is closed

Replies have been disabled for this discussion.