PDA

View Full Version : Elevated Privileges Question



cindyj
06-29-2005, 10:56 AM
I have a Basic MSI that I would like to use the elevated privileges functionality with. It has a need for a few merge modules, one of them being MDAC 2.8. When I log in as an admin and advertise my product ( setup /jm ) and then log in as a user and launch the product icon it appears to be extracting MDAC 2.8 but it never installs it. My other msm get install just fine. If I am logged in as an admin MDAC 2.8 installs just fine.

From what I understand the MDAC 2.8 merge module is calling Mdac_typ.exe, so does elevated privileges not extend to an install called by the MSI? I am not sure why it wouldn’t. Can someone enlighten me?

braggc
06-30-2005, 07:42 AM
Are you using the standard installshield merge module. Sounds like you have a bug in the version you are using in that it doesn't run at all in elevated privilages. It probably detects you are not an admin and stops where as it should recognise the admin privilages in your elevated right. It is running elevated because anything kicked off as a custom action via your msi has the same elevated rights. The mdac merge module you are using just doesn't know it.

If it is any help I have had no problems installing the mdac merge module inside a package running elevated privilages over SMS. But i use the standard module downloaded by installshield.

Just try changing the merge module you use.

cindyj
06-30-2005, 11:04 AM
Thanks for your response. I am happy you said "anything kicked off as a custom action via your msi has the same elevated rights", because that was my understanding as well. :)

I am using the standard merge module downloaded by IS. I am glad to hear you have no problems with the MDAC msm and SMS. I have not yet tested SMS or Group Policy and AD but have been meaning too. When using SMS do you advertise the product or do you just install it outright?

My problem is we have customers who don't want to use any push technology, but want to go around to all their users' machines as administrator and advertise the product and also not have to set the AlwaysInstallElevated policy.

I am wondering if because I am advertising I am running into the issue you mention above about the install detecting that I am not an admin.

braggc
06-30-2005, 06:45 PM
very strange. Im not the SMS guy for our company once it has gone from me i never see it again unless there is problems but i think they are installing assigned and not advertised. If you've not tested as a push and you have changed the always installed elevated privilages manually then i might guess at your problem. Have you set the policy for both user AND machine because this is a wierd policy option because unlike other policy options Microsoft state that it does not work fuly unless set to enabled in BOTH places. You might find your installation is knackered in general its just that you see it in MDAC because that is one of the first things to install and you might be barking up the wrong tree. I have had similar problems when testing elevated rights in attempts to replicate the SMS push as close as i can before rollout to QA.

cindyj
07-01-2005, 10:41 AM
It is very strange. When I take out the MDAC msm from my installer it works with admin advertising and non-admin installing. I have other merge modules in my installer that do get installed and I am installing files to the Program Files directory so I know it is using elevated privileges to do that, because my non-admin user does not have rights there.

For this specific use case I don't want to set any system or group policies. And I believe you can do this from reading the first bullet in the following link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/installing_a_package_with_elevated_privileges_for_a_non-admin.asp

And since my installer works correctly this way except for MDAC, I have to think MDAC is throwing a special check in there somewhere or maybe because Mdac_typ.exe is calling dasetup.exe which might be calling something else.

I ran FileMon when launching my advertised shortcut and I get:
dasetup.exe:1068 IRP_MJ_CREATE C:\WINNT\dasetup.log ACCESS DENIED

This is exactly the same error I get when I just run Mdac_typ.exe outright as a user so I am pretty sure that for some reason elevated privileges is not getting extended from msiexec.exe to dasetup.exe when using just advertisement and install-on-demand.

cindyj
07-05-2005, 11:04 AM
So I needed to read http://community.installshield.com/archive/index.php?t-137419.html and add 3072 to the custom action type for InstallMDAC28. Then it works when advertising. :)