Environment
Situation
Resolution
Configuration: User Associated apps
Operation | Local machine access | NW server access | Windows server access
Distribution Options | | |
Application Files (also including Icons/Shortcuts, Registry, INI Settings, Text Files) | SYSTEM | eDir user | Domain user
Distribution Scripts | SYSTEM | eDir workstation | Domain workstation
Pre-Distribution Process Termination | SYSTEM | n/a | n/a
Run Options | | |
Application | Local user | eDir user | Domain user
Application (with Environment set to Secure or Unsecure System) | SYSTEM | eDir workstation | Domain workstation
Launch Scripts | Local user | eDir user | Domain user
Common | | |
Reporting | Local user | eDir user | Domain user
Uninstall | SYSTEM | n/a | n/a
Uninstall Scripts | Local user | eDir user | Domain user
Configuration: Workstation Associated apps
Operation | Local machine access | NW server access | Windows server access
Distribution Options | | |
Application Files (also including Icons/Shortcuts, Registry, INI Settings, Text Files) | SYSTEM | eDir workstation | Domain workstation
Distribution Scripts | SYSTEM | eDir workstation | Domain workstation
Pre-Distribution Process Termination | SYSTEM | n/a | n/a
Run Options | | |
Application | Local user | eDir user | Domain user
Application (with Environment set to Secure or Unsecure System) | SYSTEM | eDir workstation | Domain workstation
Launch Scripts | Local user | eDir user | Domain user
Common | | |
Reporting (Cache, Distribution) | SYSTEM | eDir workstation | Domain workstation
Reporting (Launch, Uninstall) | Local user | eDir user | Domain user
Uninstall | SYSTEM | n/a | n/a
Uninstall Scripts | Local user | eDir user | Domain user
Configuration: Workstation Associated, Force Run apps
Operation | Local machine access | NW server access | Windows server access
Distribution Options | | |
Application Files (also including Icons/Shortcuts, Registry, INI Settings, Text Files) | SYSTEM | eDir workstation | Domain workstation
Distribution Scripts | SYSTEM | eDir workstation | Domain workstation
Pre-Distribution Process Termination | SYSTEM | n/a | n/a
Run Options | | |
Application | SYSTEM | eDir workstation | Domain workstation
Application (with Environment set to Secure or Unsecure System) | SYSTEM | eDir workstation | Domain workstation
Launch Scripts | SYSTEM | eDir workstation | Domain workstation
Common | | |
Reporting | SYSTEM | eDir workstation | Domain workstation
Uninstall | SYSTEM | n/a | n/a
Uninstall Scripts | Local user | eDir workstation | Domain workstation
Configuration: Workstation Associated, Force Run, Force Run as User if Workstation Associated apps
Operation | Local machine access | NW server access | Windows server access
Distribution Options | | |
Application Files (also including Icons/Shortcuts, Registry, INI Settings, Text Files) | SYSTEM | eDir user | Domain user
Distribution Scripts | SYSTEM | eDir workstation | Domain workstation
Pre-Distribution Process Termination | SYSTEM | n/a | n/a
Run Options | | |
Application | Local user | eDir user | Domain user
Application (with Environment set to Secure or Unsecure System) | SYSTEM | eDir workstation | Domain workstation
Launch Scripts | Local user | eDir user | Domain user
Common | | |
Reporting | Local user | eDir user | Domain user
Uninstall | SYSTEM | n/a | n/a
Uninstall Scripts | Local user | eDir user | Domain user
MSI Applications have two points of security elevation that can be managed by NAL:
1. AlwaysInstallElevated
2. Distribute in Workstation Security Space if Workstation Associated
1. AlwaysInstallElevated
AlwaysInstallElevated is a DWORD value that exists under both HKLM and HKCU (specifically, in Software\Policies\Microsoft\Windows\Installer). The policy only takes effect when the value is 1 in both hives: Windows Installer then performs the install of an MSI application with the rights of the Windows Installer service (LocalSystem). If either value is 0 (or non-existent), the logged-in user's rights are used to perform the install. NAL automatically sets both values to 1 before calling the MSI APIs to perform the install. Specifically, NAL backs up the current values, sets both to 1, calls the MSI install, then restores the original values. The restore step matters: while both values are 1, any user on the machine can install any MSI with SYSTEM rights, so the elevation must exist only for the duration of the NAL-initiated install and never be left in place.
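The following PowerShell is an added illustration of the check and of the backup / set / install / restore sequence described above. It is not NAL's code or Novell's; NAL performs this internally. It has to run with rights to write HKLM (an administrative account or SYSTEM, which is the context NAL distributes in), and the MSI and log paths are placeholders.

```powershell
# Added example (not NAL's code): inspect AlwaysInstallElevated in both hives,
# then reproduce NAL's backup / set / install / restore sequence around msiexec,
# restoring the original values even if the install throws.
# Requires rights to write HKLM. HKCU here is the hive of the account running
# the script. MSI and log paths below are placeholders.

$PolicyKey = 'Software\Policies\Microsoft\Windows\Installer'
$ValueName = 'AlwaysInstallElevated'
$Hives     = @('HKLM', 'HKCU')

function Get-AlwaysInstallElevated {
    # Returns hive -> current value, or $null when the value (or key) is absent.
    $state = @{}
    foreach ($hive in $Hives) {
        $path = "${hive}:\$PolicyKey"
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        $state[$hive] = if ($item) { [int]$item.$ValueName } else { $null }
    }
    return $state
}

function Test-InstallElevated {
    # The policy is only effective when the value is 1 in BOTH hives.
    $s = Get-AlwaysInstallElevated
    return (($s['HKLM'] -eq 1) -and ($s['HKCU'] -eq 1))
}

function Set-AlwaysInstallElevated([string]$Hive, $Value) {
    $path = "${Hive}:\$PolicyKey"
    if ($null -eq $Value) {
        # Original state was "absent": remove the value instead of writing 0,
        # so the restore reproduces exactly what was there before.
        Remove-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        return
    }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ValueName -Value ([int]$Value) -Type DWord
}

function Invoke-ElevatedMsiInstall([string]$MsiPath, [string]$LogPath) {
    $backup = Get-AlwaysInstallElevated                                  # 1. back up
    try {
        foreach ($hive in $Hives) { Set-AlwaysInstallElevated $hive 1 }  # 2. set both to 1
        # 3. run the install; /qn = silent, /l*v = verbose log (needed to diagnose a 1603)
        $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
             -ArgumentList @('/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$LogPath`"")
        return $p.ExitCode                                               # 0 = success, 1603 = fatal error
    }
    finally {
        # 4. restore no matter what happened above. Leaving both values at 1
        # would let ANY user install ANY MSI as SYSTEM until someone clears them.
        foreach ($hive in $Hives) { Set-AlwaysInstallElevated $hive $backup[$hive] }
    }
}

# Usage (placeholder paths)
Get-AlwaysInstallElevated
"Effective elevation before install: $(Test-InstallElevated)"
$rc = Invoke-ElevatedMsiInstall -MsiPath 'C:\Apps\example.msi' -LogPath 'C:\Apps\example.log'
"msiexec exit code: $rc"
"Effective elevation after install: $(Test-InstallElevated)"
```

Run Get-AlwaysInstallElevated on its own on any workstation you are auditing: a machine that reports 1 in both hives outside of an in-progress NAL distribution has been left in the elevated state and should be corrected.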
However, using the Windows Installer service to elevate the distribution of an MSI does not necessarily take care of all the security permissions necessary to complete an MSI install while logged in as a non-Administrative user on the local machine. MSIs are made up of Standard Actions and Custom Actions (so are MSPs). Most MSIs use only Standard Actions, and these are performed by the Windows Installer service when AlwaysInstallElevated is set to 1. Some MSIs, however, use Custom Actions. Custom Actions are additional actions defined within an MSI (in its CustomAction table) that allow the MSI developer to call additional setup routines during the course of the install. Usually these custom actions call EXEs or DLL entry points to complete some nested install. By default, Windows Installer runs Custom Actions in the context of the user, so as to limit the access Custom Actions have to the system. Windows Installer will run a Custom Action as the service only if two conditions are met: AlwaysInstallElevated is set to 1; and the Custom Action is defined to run in the security context of the service, which means it is a deferred action (msidbCustomActionTypeInScript, 1024, in the Type column) that also carries the msidbCustomActionTypeNoImpersonate flag (2048). Immediate (non-deferred) Custom Actions always run as the user, whatever the policy. So, when distributing MSI NAL apps, the AlwaysInstallElevated condition is always met. The only condition left to meet is that the Custom Action be defined to run in the security context of the service.
To do this, you can either ask the MSI author to change the Custom Action attribute that defines elevation, or you can do it yourself with InstallShield's Editor feature, usually found in AdminStudio Standard or Professional Edition (which is different from the AdminStudio version that ships with ZENworks). If for some reason you cannot meet this last requirement, your Custom Actions will run in the security context of the calling user. Normally, when distributing MSI NAL apps, the calling user is the currently logged-in Windows user. If this is a non-Administrative account, the Custom Action can fail, which fails the MSI install altogether (usually reported as a 1603 fatal error). This is why you may need to take advantage of the second point of security elevation that NAL MSI apps offer:
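Before asking the author or editing the package, you can check which Custom Actions in an MSI would still run as the logged-in user even with AlwaysInstallElevated in effect. The script below is an added example, not part of this TID or of any Novell or Microsoft tooling; it reads the CustomAction table through the Windows Installer COM automation object (WindowsInstaller.Installer), and the MSI path is a placeholder. The flag values are those of the Windows Installer SDK.

```powershell
# Added example (not NAL's code): audit the CustomAction table of an MSI and flag
# the actions that will run in the user's context even when AlwaysInstallElevated
# is 1. Needs only a Windows machine with Windows Installer; MSI path is a placeholder.

# Bits of the CustomAction.Type column (Windows Installer SDK)
$msidbCustomActionTypeInScript      = 0x0400   # 1024: deferred, runs from the install script
$msidbCustomActionTypeNoImpersonate = 0x0800   # 2048: run as the service (LocalSystem), no impersonation
$msidbCustomActionTypeRollback      = 0x0100   # 256:  rollback action (implies deferred)
$msidbCustomActionTypeCommit        = 0x0200   # 512:  commit action (implies deferred)
$BaseTypesWithoutCode = @(19, 35, 51)          # error message, set directory, set property: no code runs

function Invoke-ComMethod($obj, [string]$name, $args) {
    $obj.GetType().InvokeMember($name, 'InvokeMethod', $null, $obj, $args)
}
function Get-ComProperty($obj, [string]$name, $args) {
    $obj.GetType().InvokeMember($name, 'GetProperty', $null, $obj, $args)
}

function Get-MsiCustomActions([string]$MsiPath) {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-ComMethod $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = msiOpenDatabaseModeReadOnly
    $rows = @()
    try {
        $view = Invoke-ComMethod $db 'OpenView' @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`')
    } catch {
        return $rows     # no CustomAction table: the package has no custom actions at all
    }
    Invoke-ComMethod $view 'Execute' $null | Out-Null
    while ($true) {
        $rec = Invoke-ComMethod $view 'Fetch' $null
        if ($null -eq $rec) { break }
        $type = [int](Get-ComProperty $rec 'StringData' @(2))
        $base = $type -band 0x3F
        $deferred = [bool]($type -band ($msidbCustomActionTypeInScript -bor
                                        $msidbCustomActionTypeRollback -bor
                                        $msidbCustomActionTypeCommit))
        $noImp = [bool]($type -band $msidbCustomActionTypeNoImpersonate)
        $rows += [pscustomobject]@{
            Action        = Get-ComProperty $rec 'StringData' @(1)
            Type          = $type
            BaseType      = $base
            Source        = Get-ComProperty $rec 'StringData' @(3)
            Target        = Get-ComProperty $rec 'StringData' @(4)
            RunsCode      = ($BaseTypesWithoutCode -notcontains $base)
            Deferred      = $deferred
            NoImpersonate = $noImp
            # Runs as the service only when deferred AND NoImpersonate (and the install is elevated)
            RunsAsService = ($deferred -and $noImp)
        }
    }
    Invoke-ComMethod $view 'Close' $null | Out-Null
    return $rows
}

function Get-UserContextCustomActions([string]$MsiPath) {
    # The actions that can still hit "access denied" (and a 1603) for a non-admin user.
    Get-MsiCustomActions $MsiPath | Where-Object { $_.RunsCode -and -not $_.RunsAsService }
}

# Usage (placeholder path)
$msi = 'C:\Apps\example.msi'
Get-MsiCustomActions $msi | Format-Table Action, Type, BaseType, Deferred, NoImpersonate, RunsAsService -AutoSize
"Custom actions that will run as the logged-in user:"
Get-UserContextCustomActions $msi | Format-Table Action, Source, Target -AutoSize
```

An action that appears in the second list is the one to have the author mark deferred plus NoImpersonate, or the reason to fall back on the workstation-security-space option described next. Note that the opposite change, marking an action NoImpersonate, hands that code SYSTEM rights, so only do it for packages whose source you trust.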
2. Distribute in Workstation Security Space if Workstation Associated (available in ZENworks 6.5 and higher) is a feature found in the Distribution Options of a NAL MSI app. Currently available only for workstation associated applications, this feature changes the calling user from the currently logged-in Windows user to SYSTEM, which means the SYSTEM account's rights are used when performing the Custom Actions. Because every Custom Action in the package then runs with SYSTEM rights, only use it for MSIs that come from a source you trust and that users cannot modify.
NOTE: Not all MSIs will install when run as SYSTEM. For example, the ZPM agent (prior to 6.3.2.858) has a custom action that registers with the PatchLink server. This action must be performed as an administrative user because it attempts to make an HTTP connection. In these cases, using a Run As command line could be an alternative install method.
Additional Information
For more information on Custom Actions, visit Microsoft documentation
For more information on DevStudio available from InstallShield, visit InstallShield's site
For more information on NAL file system access in 7, visit ZENworks Documentation
For more information on NAL file system access in 6.5, visit ZENworks documentation
For more information on NAL file system access in 4.0.1, visit TID 10081393
Formerly known as TID# 10095935