FAQ

Archiv

In some cases, it is not possible to implement the Safend Protector Client's installation process through a regular GPO package. In such cases, the installation must be implemented by a GPO with a start up script, and the administrator must enable elevated privileges for the end-users.

Lösung

1. Installing the Safend Protector Client with a startup script:

Open NotePad and enter the following text: msiexec.exe /i "\ServernamePathSafendProtectorClient.msi" /qn

Where instead of ServernamePath you enter the machine name and path to the SafendProtectorClient.msi file used for the installation. Make sure the folder containing the msi is shared. Save this file as a .bat file.

In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the installation script. Once the GPO is created within the OU, right click it and select edit. In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts" Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller. Copy the script file to this location and click OK.

Once this is done, restart the relevant machines in order for the startup script to run and install the Safend Client on them.

2. Granting elevated privilages to non-administrator users:

following is an article by Microsoft, pertaining to this issue:

Important
This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs.

SUMMARY This article describes three methods by which an administrator can enable a non-administrator user to install managed Windows Installer applications. An application is called a "managed application" if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a non-administrator user to install managed applications.

A) On a computer running Windows NT 4.0, Windows 2000, or Windows XP an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to "1" under the following registry keys:

HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsInstaller

HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsInstaller

WARNING
This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, non-administrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.

B) On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges. The following is an example of a command line used by an administrator doing a per-machine installation:

msiexec -i c:pathtofilemypackage.msi ALLUSERS=1

Here is an example of how the administrator would advertise the package on the computer per-machine:

msiexec -jm c:pathtofilemypackage.msi

For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK: http://msdn.microsoft.com/library/en-us/msi/setup/advertisement.asp

C) On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges.

These settings can also be set via GPO and not by directly opening the registry - the settings must be applied both for Machines and Users:

- Computer Configuration>Administrative Templates>Windows Components> Windows Installer:
Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced).

- User Configuration>Administrative Templates>Windows Components> Windows Installer:
Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced)

Link to Microsoft documentation: http://support.microsoft.com/default.aspx?scid=kb;en-us;q259459

Link to additional documentations for GPO configuration: lspservices.iupui.edu/docs/win2k/gpo_configurations.asp

Quelle: Safend FAQ KB00000066 - Installing the Safend Protector Client with by a startup script with elevated privileges