This article was previously published under Q259459
This article describes three methods by which an administrator can enable a nonadministrator user to install managed Windows Installer applications.
An application is called a "managed application" if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a nonadministrator user to install managed applications.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
On a computer running Windows NT 4.0 or Windows 2000, an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to "1" under the following registry keys:
WARNING: This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, nonadministrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.
On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a nonadministrator user then installs the application, the installation can run with elevated privileges. Nonadministrator users still cannot install unadvertised packages that require elevated system privileges. The following is an example of a command line used by an administrator doing a per-machine installation:
msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1
Here is an example of how the administrator would advertise the package on the computer per-machine:
msiexec -jm c:\pathtofile\mypackage.msi
For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK:
On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a nonadministrator user then installs the application, the installation can run with elevated privileges. Nonadministrator users still cannot install unadvertised packages that require elevated system privileges.
For more information on Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper: