RE: [ActiveDir] Using GPO to install an MSI package

[Dan DeStefano]

Are they willing to let you know what user rights are required? I have found that applications that "require" admin or pu privileges can usually be run if appropriate permissions are given to select registry entries, directories, system files, etc and user rights. I have even run across a program that claimed to need admin privileges, but all it needed was modify permissions to the %systemroot%\temp directory. Maybe you can speak to a high-level tech and ask exactly why these privileges are required and from there you can extrapolate what rights and permissions are required. Then there are some apps that simply won't work. This is one of my biggest pet peeves - lazy coding that does not properly adhere to the Windows security model. I can think of no reason why an Accounting application needs PU privileges and usually you cannot get any good reason from the company itself.   Anyway, good luck, and if you can figure it out, please post it or e-mail me directly at [EMAIL PROTECTED], as I also have a couple of users using Quickbooks and would like them not to have PU or admin privileges.     Dan     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B Sent: Tuesday, February 15, 2005 10:44 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Using GPO to install an MSI package Okay, our environment is that all our clients are running Windows XP SP2, and our servers are Windows 2003.  The situation is that our Accounting department uses Quickbooks, and about 70 of our employees need to use an application that comes with Quickbooks called "QB Timer".  It's free for use for our employees and it integrates with Quickbooks without requiring a Quickbooks install on each machine.  Now, the quandry:  according to Intuit/Quickbooks, the program requires at least Power User permissions to install and run.  Neither I, nor our CIO are willing to give local Power User permissions for these users, as that opens things up to too many potential problems, but our CFO and COO are REQUIRING the use of this application, or a similar one that integrates with Quickbooks.  Now, the QBTimer is free, which is good, so that's the *preferred* app to use.  It comes as an exe with a few other files, so I used WinInstall LE 2003 on a clean XP SP2 machine to package it into an MSI file.  That worked well, and I can install it/assign it through GPO - even if the user doesn't have local Power User privs.  However, true to form with Intuit products, it won't run if the logged on user doesn't have local admin or PU privs.  If I grant PU privs to the user, it runs fine.  I feel like I am --> <-- this close to getting this done, but I ran out of ideas to get this to work.  I tried looking at the reg file that was made when I ran WinInstall and gave the users full rights to the specific areas in the registry to see if that did anything; which it didn't.   Does anyone else have any siggestions, or am I stuck with Intuit's "users must have >= Power User privs" to run that app?   ANY help or suggestions are GREATLY appreciated!   --Jason