Re: [ActiveDir] Using GPO to install an MSI package

[Jason B]

I really appreciate everyone's input on my situation.   I did get it to work, in short, because of everyone's help here.  Thanks!    Here's what I did:   I contacted Intuit (maker of Quickbooks) and wasted 55 minutes on hold and another 10 minutes on hold after a rep answered the call only to find out absolutely nothing other than what a waste it is to have a "support" contract with Intuit.  Apparently the employees in product development are too busy improperly coding new programs to talk to those who actually [try to] use their stuff.   I determined that I needed to find out if the program explicitly looks for the user to be a local PU or Admin, since, if it did, as someone pointed out, we'd be SOL.  I created a test OU, created a test GPO and applied it to that OU.  I created a test group and a test user and put him in the group, and added the user (and test machine) to that OU.  I then gave the test group full permissions to the C:\ drive (FS) and \\classes_root \\machine \\user (registry) and logged in as the test user on the test box to see if it could run under the non-PU and non-Admin context.  It worked.  Now that that was known, it was time to filter down.  I removed the permissions for C:\ (FS), \\machine and \\user and tried again - it still worked, so now I have to figure out which keys were being written to in classes_root, so I ran regmon and after an hour of trying to decipher what it used and what it didn't, and making a long list in the test GPO permissions, I got it to work.  I think it took longer to enter the registry keys in the GPO than it did to find out what was needed as far as permissions go (sigh).  Did I mention how much I hate Intuit products?   ----- Original Message ----- From: Jason B To: ActiveDir@mail.activedir.org Sent: Tuesday, February 15, 2005 8:44 AM Subject: [ActiveDir] Using GPO to install an MSI package Okay, our environment is that all our clients are running Windows XP SP2, and our servers are Windows 2003.  The situation is that our Accounting department uses Quickbooks, and about 70 of our employees need to use an application that comes with Quickbooks called "QB Timer".  It's free for use for our employees and it integrates with Quickbooks without requiring a Quickbooks install on each machine.  Now, the quandry:  according to Intuit/Quickbooks, the program requires at least Power User permissions to install and run.  Neither I, nor our CIO are willing to give local Power User permissions for these users, as that opens things up to too many potential problems, but our CFO and COO are REQUIRING the use of this application, or a similar one that integrates with Quickbooks.  Now, the QBTimer is free, which is good, so that's the *preferred* app to use.  It comes as an exe with a few other files, so I used WinInstall LE 2003 on a clean XP SP2 machine to package it into an MSI file.  That worked well, and I can install it/assign it through GPO - even if the user doesn't have local Power User privs.  However, true to form with Intuit products, it won't run if the logged on user doesn't have local admin or PU privs.  If I grant PU privs to the user, it runs fine.  I feel like I am --> <-- this close to getting this done, but I ran out of ideas to get this to work.  I tried looking at the reg file that was made when I ran WinInstall and gave the users full rights to the specific areas in the registry to see if that did anything; which it didn't.   Does anyone else have any siggestions, or am I stuck with Intuit's "users must have >= Power User privs" to run that app?   ANY help or suggestions are GREATLY appreciated!   --Jason