Hi,
I have an installer on Windows 2008 R2 that causes issues for some users.
If I run the installer set to the following
Per machine only (fails if the user is not an administrator)
Run only if the user has administrator priviledge
However if the user is not an administrator annoyingly it still runs and prompts the user for credentials during the installation process (which I guess would be fine) however then my custom actions (an .exe file and some .NET custom actions) fail with insufficient permissions.
I assume this is some kind of impersonation problem - how do I get my custom actions to run with the credentials entered during the installation (or better still) just stop the user from installing if they are not an administrator (what I thought the checkbox would do!?)
Thanks,
Dave
Suggested Articles
-
davidhomer
- Posts: 38
- Joined: Fri Oct 23, 2009 2:39 pm
-
davidhomer
- Posts: 38
- Joined: Fri Oct 23, 2009 2:39 pm
Re: Administrator rights on Windows 2008 R2
OK I realise that I can change the Custom Action to "Deferred No Impersonation" the only problem is that I NEED impersonation for the SQL connection....
So I guess there are 3 accounts in play at the moment
1) The account the user is logged on as (non-administrator)
2) The account that has been escalted to (administrator)
3) The service account (used when "Deferred no impersonation" is selected)
I guess I want the SQL scripts and the custom actions to always run as 2) how do you do this?
So I guess there are 3 accounts in play at the moment
1) The account the user is logged on as (non-administrator)
2) The account that has been escalted to (administrator)
3) The service account (used when "Deferred no impersonation" is selected)
I guess I want the SQL scripts and the custom actions to always run as 2) how do you do this?
-
mihai.petcu
- Posts: 3860
- Joined: Thu Aug 05, 2010 8:01 am
Re: Administrator rights on Windows 2008 R2
Hello,
All the best,
Mihai
As mentioned in our user guide, this is the default behavior on Vista or above when selecting a Per-machine installation type from the Install Parameters page.However if the user is not an administrator annoyingly it still runs and prompts the user for credentials during the installation process
To elevate a custom action, this is the setting you will need to use.OK I realise that I can change the Custom Action to "Deferred No Impersonation"
The SQL connection should work fine. Can you please specify what error you are getting?the only problem is that I NEED impersonation for the SQL connection
All the best,
Mihai
-
davidhomer
- Posts: 38
- Joined: Fri Oct 23, 2009 2:39 pm
Re: Administrator rights on Windows 2008 R2
Hi thanks for the quick reply!
I'm finding it hard to understand what is happening here - I see that if a user runs as the local or domain "Administrator" account specifically that UAC seems to be ignored hence why this passed testing.
OK so this is the scenario that I see when installing as an MSI
UAC is set to maximum level
Logon as dhomer (an administrator)
Run the .msi file (my UI check fails for administrator rights - I understand because priviledge escalation hasn't happened yet)
The install starts and UAC prompts to confirm I want to run this as an administrator
The custom actions now run fine (no impersonation so they now run as SYSTEM)
ERRROR: The SQL installation script fails "CREATE database permission denied in database 'master'" (running with impersonation) as the user dhomer (without administrator rights) does not have permissions to write to the database
Rolling back actions
But.... the same scenario using the BOOTSTRAPPER .exe method
UAC is set to maximum level
Logon as dhomer (an administrator)
Run the .exe file (my UI check passes for administrator rights - I understand this as the UI is running with Administrator rights now)
The install starts and UAC prompts to confirm I want to run this as an administrator
The custom actions now run fine (no impersonation so they now run as SYSTEM)
The SQL installation script succeeds!
So a couple of questions.....
1) Why does the SQL script now work with the bootstrapper? It's obviously impersonating the dhomer user with administrator rights (which is great)
2) Can I run the MSI in elevated rights as the bootstrapper does without using the bootstrapper .exe? Is there a command line? msiexec /runasadministrator or similar? (I'm not sure I want to distribute an .exe file instead of the MSI)
Dave
I'm finding it hard to understand what is happening here - I see that if a user runs as the local or domain "Administrator" account specifically that UAC seems to be ignored hence why this passed testing.
OK so this is the scenario that I see when installing as an MSI
UAC is set to maximum level
Logon as dhomer (an administrator)
Run the .msi file (my UI check fails for administrator rights - I understand because priviledge escalation hasn't happened yet)
The install starts and UAC prompts to confirm I want to run this as an administrator
The custom actions now run fine (no impersonation so they now run as SYSTEM)
ERRROR: The SQL installation script fails "CREATE database permission denied in database 'master'" (running with impersonation) as the user dhomer (without administrator rights) does not have permissions to write to the database
Rolling back actions
But.... the same scenario using the BOOTSTRAPPER .exe method
UAC is set to maximum level
Logon as dhomer (an administrator)
Run the .exe file (my UI check passes for administrator rights - I understand this as the UI is running with Administrator rights now)
The install starts and UAC prompts to confirm I want to run this as an administrator
The custom actions now run fine (no impersonation so they now run as SYSTEM)
The SQL installation script succeeds!
So a couple of questions.....
1) Why does the SQL script now work with the bootstrapper? It's obviously impersonating the dhomer user with administrator rights (which is great)
2) Can I run the MSI in elevated rights as the bootstrapper does without using the bootstrapper .exe? Is there a command line? msiexec /runasadministrator or similar? (I'm not sure I want to distribute an .exe file instead of the MSI)
Dave
-
mihai.petcu
- Posts: 3860
- Joined: Thu Aug 05, 2010 8:01 am
Re: Administrator rights on Windows 2008 R2
Hi Dave,
Can you please send us the .AIP (project) and a verbose log of the installation to support at advancedinstaller dot com so we can investigate them?
All the best,
Mihai
Can you please send us the .AIP (project) and a verbose log of the installation to support at advancedinstaller dot com so we can investigate them?
All the best,
Mihai
-
davidhomer
- Posts: 38
- Joined: Fri Oct 23, 2009 2:39 pm
Re: Administrator rights on Windows 2008 R2
Hi I have just run the installer again (msi only) with full logging on and emailed that to you.
Thanks,
Dave
Thanks,
Dave
-
mihai.petcu
- Posts: 3860
- Joined: Thu Aug 05, 2010 8:01 am
Re: Administrator rights on Windows 2008 R2
Hi Dave,
To impersonate the installing user when using the predefined functionality from the SQL Scripts page, you need to enable the "Impersonate installing user" option from the Database Server context menu like you did.
I didn't realize what connection you were referring to -> predefined or custom.
The error you are getting without the bootstrapper occurs most probably because your custom connection needs impersonation like you mentioned yourself. In this case, you should try to set with just "Deffered" and see the result. When using "Deferred, with no impersonation" the custom action runs under the SYSTEM account.
All the best,
Mihai
To impersonate the installing user when using the predefined functionality from the SQL Scripts page, you need to enable the "Impersonate installing user" option from the Database Server context menu like you did.
I didn't realize what connection you were referring to -> predefined or custom.
The error you are getting without the bootstrapper occurs most probably because your custom connection needs impersonation like you mentioned yourself. In this case, you should try to set with just "Deffered" and see the result. When using "Deferred, with no impersonation" the custom action runs under the SYSTEM account.
All the best,
Mihai