As a domain administrator, you may want to restrict the permissions that domain users have on their local machines. In that case it can be difficult to manage installation and updates for software that you want to allow users to run: when Dezrez deploys an update, end users may not be able to install it fully because of these account restrictions.
There are two steps that domain administrators can perform to let users install dezrez updates whilst still restricting write access to key Windows folders, such as system32. The solution below allows MSI packages to run with elevated privileges, while restricting which MSIs may run to those signed by dezrez. Your domain users do not need elevated privileges, and the rest of your security policy is unaffected.
IMPORTANT: This guide covers making changes to a Group Policy Object (GPO) - If you use the domain default GPO, all machines and users in the domain will be affected.
The first step is to use the Software Restriction Policy in your domain to allow MSIs to run only if they are signed with the dezrez software publishing certificate. The second step is to change a Windows Installer setting so that approved MSIs run in elevated mode. Apply the steps in this order: "Always install with elevated privileges" on its own lets any user install any MSI they can obtain with SYSTEM privileges, which is a well-known route to local administrator, so the certificate rule must be in place before the installer setting is enabled.
1. Software Restriction Policy - http://technet.microsoft.com/en-us/library/bb457006.aspx
Path Rule: Disallow *.MSI
Certificate Rule: Dezrez Services Ltd. certificate - Unrestricted.
NOTE: If you do not want this setting to apply to local administrators, select "Software Restriction Policy" in the tree view, and select the "Enforcement" option. Change the setting "Apply software restriction policies to the following users" to "All users except local administrators". In the same Enforcement dialog, make sure "Enforce certificate rules" is selected: if certificate rules are ignored, the Dezrez certificate rule never matches and the "Disallow *.MSI" path rule blocks the installer.
NOTE: This GPO change must be applied to both User and Computer objects in order to be effective - You may have to link the GPO to multiple Organisational Units (OUs) in order to achieve this
Firstly, open the Group Policy Editor, and edit the Group Policy you wish to change. Please note, this setting needs to be changed in two places in order to take effect for users - One setting in "Computer Configuration" and another in "User Configuration".
Expand "Computer Configuration" > "Administrative Templates" > "Windows Components" and select "Windows Installer". Locate the setting called "Always install with elevated privileges" and choose Enable.
Expand "User Configuration" > "Administrative Templates" > "Windows Components" and select "Windows Installer". Locate the setting called "Always install with elevated privileges" and choose Enable.
With the above two changes, dezrez installation and updates will be allowed even though the domain user may not have write access to system folders.
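To confirm that a client PC has actually received the combination described above, the following script (an added example, not part of the original Dezrez article) reads the policy values that the two GPO settings write, lists the Software Restriction Policy path rules, warns when elevated installs are enabled without the accompanying MSI restriction, and checks the Authenticode signature on a downloaded installer. The installer path and the signer name fragment "Dezrez Services Ltd" are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article): audit a client for the end state this
# guide produces. Run it as the restricted domain user, without elevation: the policy keys
# are readable by standard users, and the HKCU half of AlwaysInstallElevated is per user.
# Assumptions: $MsiPath points at a downloaded Dezrez installer, and the signer subject
# contains $ExpectedPublisher. Both are placeholders; change them for your environment.
param(
    [string]$MsiPath = "$env:TEMP\dezrez-update.msi",   # assumed location
    [string]$ExpectedPublisher = 'Dezrez Services Ltd'  # assumed subject fragment
)

function Get-PolicyDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied to this machine/user).
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. "Always install with elevated privileges" is only effective when BOTH the
#    Computer Configuration and User Configuration halves are set to 1.
$aieMachine = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
$aieUser    = Get-PolicyDword 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
$aieEffective = ($aieMachine -eq 1) -and ($aieUser -eq 1)
"AlwaysInstallElevated: machine=$aieMachine user=$aieUser effective=$aieEffective"

# 2. Software Restriction Policy state, written under the Safer key.
#    DefaultLevel 262144 = Unrestricted, 0 = Disallowed.
#    AuthenticodeEnabled 1 = "Enforce certificate rules"; PolicyScope 1 = all users except admins.
$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$defaultLevel = Get-PolicyDword $safer 'DefaultLevel'
$certRules    = Get-PolicyDword $safer 'AuthenticodeEnabled'
$scope        = Get-PolicyDword $safer 'PolicyScope'
"SRP: DefaultLevel=$defaultLevel EnforceCertificateRules=$certRules PolicyScope=$scope"

# Path rules at the Disallowed level (0) are GUID-named subkeys whose ItemData is the pattern.
$msiDisallowed   = $false
$disallowedPaths = Join-Path $safer '0\Paths'
if (Test-Path $disallowedPaths) {
    foreach ($ruleKey in Get-ChildItem $disallowedPaths) {
        $pattern = (Get-ItemProperty $ruleKey.PSPath).ItemData
        "  Disallowed path rule: $pattern"
        if ($pattern -like '*.msi') { $msiDisallowed = $true }
    }
}

# 3. The dangerous combination: elevated installs for everyone, with nothing stopping a
#    user from supplying their own MSI. Flag it loudly.
if ($aieEffective -and -not ($msiDisallowed -and $certRules -eq 1)) {
    Write-Warning 'AlwaysInstallElevated is effective but MSIs are not restricted to a signed publisher: any user can install an arbitrary MSI as SYSTEM.'
}

# 4. Check that the installer you are about to allow really is signed by the expected publisher,
#    because the certificate rule only matches a valid signature from that certificate.
if (Test-Path $MsiPath) {
    $sig     = Get-AuthenticodeSignature -FilePath $MsiPath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    "MSI signature: status=$($sig.Status) signer=$subject"
    if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "$MsiPath is not validly signed by $ExpectedPublisher; the certificate rule will not match it."
    }
} else {
    "MSI not found at $MsiPath; skipping signature check."
}
```

Save it as a .ps1 and run it after `gpupdate /force` as one of the affected users. An "effective=False" result with one half set to 1 is the usual sign that the GPO is linked to the users' OU or the computers' OU but not both.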
However, dezrez still requires write access to certain registry keys and folders, detailed below:
Folder Access (Full Control required)
- %HOMEDRIVE%\Program Files\DezRez OffLine Editor
- The "Dezrez" subfolder of the My Documents location
Folder Access (Read + Execute required)
Registry Access (Read + Write required)
- HKEY_CURRENT_USER\Software\VB and VBA Program Settings (including subkeys)
(Users should have read/write access to this key by default)
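The folder grant above can be applied consistently with a script rather than by hand. The following is an added example, not from the original article: it grants Full Control on the application folder to a domain group and then prints the resulting explicit ACL entries. The group name "CONTOSO\Dezrez Users" is a placeholder for your own group; the path follows the article's %HOMEDRIVE%\Program Files location. The per-user My Documents subfolder and HKEY_CURRENT_USER key are not touched, since users already have rights to those by default.

```powershell
# Added example (not from the original article): grant the article's folder permissions
# to a domain group. Run in an elevated PowerShell on the client, or as a startup script.
# Assumptions: $Group is a placeholder for your own group; $Folder follows the article's path.
param(
    [string]$Group  = 'CONTOSO\Dezrez Users',   # placeholder group, change for your domain
    [string]$Folder = (Join-Path $env:HOMEDRIVE 'Program Files\DezRez OffLine Editor')
)

if (-not (Test-Path $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# Full Control, inherited by all child folders (ContainerInherit) and files (ObjectInherit),
# as the article requires. If the application only needs to create and modify files,
# FileSystemRights::Modify is the least-privilege alternative to try first.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: show only the explicit (non-inherited) entries so the new grant is visible.
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
    Format-Table -AutoSize
```

Granting to a group rather than to individual users keeps the ACL stable as staff change, and the verification step makes it obvious if the grant landed on the wrong folder.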
User Account Control
All client PCs must have User Account Control disabled for the dezrez software to function. This setting must remain disabled; do not re-enable it after installation. Be aware that with UAC off, any account that is a member of the local Administrators group runs fully elevated with no consent prompt, so the approach in this guide only limits exposure if domain users are not local administrators on their PCs.
DISCLAIMER: The information in this article is provided without any warranty of any kind whatsoever. By accessing this service, you agree that Dezrez Services Ltd. will not be liable for any expenses, losses or costs that may be incurred by the interpretation and use of the information in this article, nor as a result of the information in this article being inaccurate or incomplete in any way.