Need a user to install an MSI app, but he doesn’t have the rights to do so? See how in a minute you can specify the applications he should be able to install, and just like that, a Standard User can install an MSI without UAC prompts.
PolicyPak Least Privilege Manager: Install MSI Applications as Standard Users
Hi. This is Jeremy Moskowitz, and in this video I’m going to show you how you can install MSI apps as a standard user using PolicyPak Least Privilege Manager.
Here is an example. This is a garden-variety MSI. Actually, Skype comes as a .exe and as a .msi if you want. In this example here, you can see as a standard user if you try to “Install” this MSI, you are not allowed to do that. What we’re going to do is use PolicyPak Least Privilege Manager and specify a specific location that this is going to be sanctioned in.
Let’s go ahead and check this out. For all of our “Sales” team, let’s go ahead and do “PPLMP MSI install for Skype.” We’ll go ahead and right click and “Edit” this guy, and we’ll dive down. You could do this on the computer or the user side. I’m going to do it on the user side.
Under “Least Privilege Manager” here, I’m going to select “Add/New Executable Policy.” In order to do what we’re doing here, we need to “Use combo rule.” The combo rule is two pieces. One is the “Path.” We’re going to elevate Msiexec. The “Command-line argument” is going to specify which file we want to elevate, which is going to be the Skype install. We’ll go ahead and click “Next.”
The first condition is “Path Condition.” We’ll go ahead and “Add file.” This is the Msiexec piece, so you “Browse” for “c:\windows\system32\msiexec.exe.” It will populate automatically “%SYSTEMROOT%\System32\msiexec.exe.” That’s the first piece. That’s what we’re going to elevate.
Then “Command-line Argument,” we’re going to use what’s called “Strict equality,” which says it has to be this exact command line or it’s not going to work. That’s going to be “/i” which is for the install. Then we’re going to put in quotes the actual name of the application and where we want to do it.
On the Desktop will work, but you have to put the full path of the Desktop. What I’m going to do is I’m going to copy to C:\TEMP just so we have a guaranteed location we know this thing is going to run from. I’ll go ahead and “Copy here” to C:\TEMP, and it’s called “SkypeSetup”.msi. That’s “/i ‘c:\temp\skypesetup.msi.’”
Notice what I’ve done here. We did Msiexec as the “Path Condition,” and the “Command-line Arguments” are “/i,” space, quote, the exact location and name of the MSI. We’re using “Strict equality,” which means that it has to be in this exact order.
We’ll go ahead and click “Next.” We’ll go ahead and run just this with elevated privileges (“Run with elevated privileges”). We’re going to say “Let Skype run in C:\temp only for install.” We’ll go ahead and click “Finish” here, and we should be locked and loaded.
Just to show you what’s going on here, let me go ahead and run GP Update first. Let Group Policy finish its thing. Once it is finished, I’m going to run the Skype install twice. I’m going to start it first from the Desktop, which is not a sanctioned location. Then I’m going to specify try running in the TEMP directory, which is a sanctioned location.
Let’s do the not sanctioned location first. Here’s “SkypeSetup.” We’ll go ahead and click “Next.” We’ll go ahead and say “Next/Next.” You can see right there, there’s the “Install” with the UAC prompt. That will not let us go. That’s not the sanctioned location.
But now we have a rule in place that says it is okay in C:\TEMP. Here’s “SkypeSetup”.msi that we have in C:\TEMP. Least Privilege Manager is now saying that it is sanctioned. We’ll go ahead and click “Next” here. You can see the UAC prompt is not there on “Install” anymore, and it does its thing.
That is how you can install MSI applications using PolicyPak Least Privilege Manager today. Hope this helps you out and you’re ready to get started with a trial. We’re here to help you out.
Thanks so much.