How to allow users who are not administrators to install MSI packages

Article ID: 259459
This article was previously published under Q259459
Expand all | Collapse all

Summary

This article describes three methods by which an administrator can enable a nonadministrator user to install managed Windows Installer applications.
Back to the top | Give Feedback

More information

An application is called a "managed application" if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a nonadministrator user to install managed applications.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows
  • On a computer running Windows NT 4.0 or Windows 2000, an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to "1" under the following registry keys:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    WARNING: This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, nonadministrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.

  • On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a nonadministrator user then installs the application, the installation can run with elevated privileges. Nonadministrator users still cannot install unadvertised packages that require elevated system privileges. The following is an example of a command line used by an administrator doing a per-machine installation:
    msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1
    Here is an example of how the administrator would advertise the package on the computer per-machine:
    msiexec -jm c:\pathtofile\mypackage.msi
    For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK:
    http://msdn.microsoft.com/en-us/library/aa367548(VS.85).aspx
    (http://msdn.microsoft.com/en-us/library/aa367548(VS.85).aspx)
  • On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a nonadministrator user then installs the application, the installation can run with elevated privileges. Nonadministrator users still cannot install unadvertised packages that require elevated system privileges.

    For more information on Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper:
    http://download.microsoft.com/download/5/2/f/52f3dbd6-2864-4d97-8792-276544ad6426/grouppolwp.doc
    (http://download.microsoft.com/download/5/2/f/52f3dbd6-2864-4d97-8792-276544ad6426/grouppolwp.doc)
Back to the top | Give Feedback

References

For more information, visit the following Microsoft Developer Network (MSDN) Web sites:
Teach your apps to play nicely with Windows Vista User Account Control
http://msdn.microsoft.com/msdnmag/issues/07/01/UAC/default.aspx
(http://msdn.microsoft.com/msdnmag/issues/07/01/UAC/default.aspx)


Installing a package with elevated privileges for a non-admin
http://msdn2.microsoft.com/en-us/library/aa369519.aspx
(http://msdn2.microsoft.com/en-us/library/aa369519.aspx)
Back to the top | Give Feedback

Properties

Article ID: 259459 - Last Review: August 23, 2012 - Revision: 8.0
Keywords: 
kbhowto kbmsifaq KB259459
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top