0

Guys, girls, I'm a developer so forgive my naivete on system fronts; I've come for the gurus who know better than I on these issues.

I am trying to be a corporate citizen and not run my services on Win2k3 server as administrator. Unfortunately there is a "configuration manager" which will need to from time to time upgrade the entire application via an MSI.

I've been desperately trying to find information on MSDN but they all end up hyperlinking away to something which isn't an answer, so I have read that you can "bless" an MSI to run as administrator. This scenario is OK, if the application needs a blessing from the IT dept, but the application must be able to call the MSI (i.e. to roll back a failed upgrade) automatically.

I'm trying desperately to avoid lowering the security of the environment and to run with the least privileges possible. AFAIK there is no SMS available, but I do have a full domain setup which can have settings changed etc.

UPDATE: The installation has to install a Windows service, so it must run with administrative privilege.

Spence

2 Answers

1

I'd try to publish the MSI in AD, that way you can also upgrade the app by using patchfiles (MSP) if that's appropriate. You can have the app install on restart (in startup) where it will run as the system account. Is this a route that works for you?

tplive
  • Only problem is that these servers don't reboot. Once set up this should take them down for no longer than a minute or so... – Spence Sep 30 '09 at 21:33
  • I'm sure that you're not setting up a critical system where a server reboot is unacceptable?? – tplive Oct 06 '09 at 07:46
0

Have you tried simply changing the security settings on the installation folder and appropriate registry keys? Often when something won't run as administrator it's because it is trying to do stuff in file locations that are read-only to non-admins (aka Program Files and anything in the HKEY_LOCAL_MACHINE registry hive). Once you change those permissions it should be able to run and execute in there fine. Just do some digging to find out what user account the application actually runs as and give that account what it needs.

Shial
  • See my update. I'm aware of least privilege on the application, it's the MSI I'm trying to get installed automatically. – Spence Sep 29 '09 at 21:00
  • Because it's an update the MSI is a different MSI each time, so even if you "bless" it the next new version will not be blessed. I don't believe you have any choice but to work with access permissions. – Shial Sep 30 '09 at 03:32