[Micronet] Software Installation Problem

[Micronet] Software Installation Problem

Jon Johnsen

We have just migrated a faculty member from Windows 2000 to Windows 7.

On the Windows 2000 box, he had a local user account and an account in
the local admin group. We had the default admin account. (This is the
only user we support who uses this unusual setup; the computer itself is
on our OU, but he ran it with local accounts only.)

Over the years, he was able to install consumer and limited-audience
special interest software needed for his work.

On his new Windows 7 box, even with his account in the local admin
group, we find that some of the special software will not install unless
the credentials used are those of the local admin account.

Spending some quality time with Google has led me to believe that some
software will install only by using the local admin account, or,
sometimes, an OU or domain admin account. This is consistent with my
observations. Such software plain cannot be installed using an account
in the local admin group.

Is this conclusion correct? If so, aside from “giving” this faculty
member the local admin account, can someone suggest a solution? (He is
an active user, whose office is not close to our office, so making
frequent, semi-urgent trips to his office isn’t a practical solution,
especially in the rainy season.)

--
Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Software Installation Problem

Lucy Greco


Hello:
For the longest time we admins have been asking for restrictions such as
these. Although I do think having a user in the admin group should work. Can
you not remote desktop into his machine and log in as the local admin?
Wouldn't that allow you to do what needs to be done? Otherwise I would, if it
was me, say he has the admin rights, give it to them completely and wash your
hands.

Lucy Greco
Assistive Technology Specialist
Disabled Student's Program UC Berkeley
(510) 643-7591
http://attlc.berkeley.edu
http://webaccess.berkeley.edu


Re: [Micronet] Software Installation Problem

Jon Johnsen
  Lucia,

It's a bit hard to say that to a senior professor who is also an
assistant Dean!

Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357



Re: [Micronet] Software Installation Problem

Karl R. Grose
In reply to this post by Jon Johnsen
On 07/30/2010 15:53, Jon Johnsen wrote:

> software will install only by using the local admin account, or,
> sometimes, an OU or domain admin account. This is consistent with my
> observations. Such software plain cannot be installed using an account
> in the local admin group.

Or is it that some software does not understand UAC and will not prompt
correctly for the escalation of privileges needed to perform the
installation? In those cases, does running the installation deliberately
with escalated privilege (run as administrator) help?

--Karl

=======
> Is this conclusion correct? If so, aside from “giving” this faculty
> member the local admin account, can someone suggest a solution? (He is
> an active user, whose office is not close to our office, so making
> frequent, semi-urgent trips to his office isn’t a practical solution,
> especially in the rainy season.)


 

Re: [Micronet] Software Installation Problem

Richard DeShong-2
You could create an additional admin account for the user, something like
"username-setup", or "username-install", that the user would use when they
want to install new programs.

--
Richard DeShong.


Re: [Micronet] Software Installation Problem

Jon Johnsen
  Richard,

The problem is that some of his software will not install unless it's
installed using the default, real administrator account or a real OU
administrator account; it will not install using an account placed  in
the local administrator group.

We have settled on a work-around which is acceptable to the professor
and us.

Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357



Re: [Micronet] Software Installation Problem

Richard DeShong-2
The Piedmont PD has a piece of software that has a local sql db that
mirrors from the server - sort of like an imap email client, that would not
install correctly using a domain admin account, but had to be installed
using a local admin account.  But I've never run across one that
distinguished between the "default, real admin" and any other local admin.

I would be interested to know what they are, just in case I run across them.


Re: [Micronet] Software Installation Problem

Michael C. Nicol
In reply to this post by Jon Johnsen
Jon,

You might be tempted to disable UAC, but there is a workaround in
Windows 7 for these types of issues.

You will need to edit the application's manifest, allowing the executable to
run AsInvoker.

You can either update the .xml file manually, or Heaven Tools has a program
called Resource Tuner that wets admins modify the application manifest embedded
in a precompiled executable.

Visual Studio has mt.exe that can be used, and it's also part of the
Windows SDK...

Modifying the .xml is pretty easy. All you need to do is find the .xml file
in the manifest folder and change the requestedExecutionLevel value from
requireAdministrator to asInvoker.

If modifying the application manifest isn’t possible, you can load the
Application Compatibility Toolkit (ACT) 5.5, a free download from Microsoft,
and use Compatibility Administrator to create a compatibility fix using the
RunAsInvoker shim and deploy the resulting database to your workstations:

1. Log in to Windows 7 as an administrator and install ACT.

2. Open Compatibility Administrator in the Application Compatibility Toolkit
5.5 folder on the Start menu, and below Custom Databases in the left pane
select New Database and press Ctrl+R.

3. Give the new database a name and press Enter.

4. Press Ctrl+P to create a new application fix. In the Create new
Application Fix dialog, type the name of the program to be fixed.

5. Click Browse and find the executable you want to apply the fix to and
click Open. Click Next to continue.

6. On the Compatibility Modes screen, select None under Operating Systems
and click Next. On the Compatibility Fixes screen scroll down the menu and
select the RunAsInvoker fix, which Figure 1 shows.

7. At this point you can click Test Run to see if the fix has the desired
effect on the application. Click Next to continue.

8. On the Matching Information screen, you can fine-tune how the
compatibility engine identifies the executable. Let’s leave the default
settings and click Finish.

9. Click the Save icon at the top of the Compatibility Administrator window
(see Figure 2), and save the database to the C drive on the local computer.

10. Select Install from the File menu and click OK to confirm the
installation of the database. You should now be able to run the targeted
application without the need to elevate privileges.

After the compatibility fix has been thoroughly tested, it can be
distributed. To do so, use Group Policy and a batch file that calls the
sdbinst.exe command line.


  Michael C. Nicol
Systems Administrator III, MCSE
(510)585-1575
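
The manifest edit described in the message above, as an added example that is not part of the original thread or any poster's code: it reads the requestedExecutionLevel from a stand-alone manifest and rewrites it to asInvoker. The sample manifest and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Windows application manifests. trustInfo appears under
# asm.v2 in some manifests and asm.v3 in others, so lookups below match on the
# local element name instead of one fixed namespace.
ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V2 = "urn:schemas-microsoft-com:asm.v2"
ASM_V3 = "urn:schemas-microsoft-com:asm.v3"
# Readable prefixes for the rewritten document (instead of ns0, ns1, ...).
ET.register_namespace("asmv1", ASM_V1)
ET.register_namespace("asmv2", ASM_V2)
ET.register_namespace("asmv3", ASM_V3)

VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

# Constructed sample manifest for a hypothetical legacy installer.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.LegacySetup" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def _level_elements(root):
    """All requestedExecutionLevel elements, whatever namespace they use."""
    return [el for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel"]


def get_execution_level(manifest_bytes):
    """Return the requested level, or None if the manifest declares none."""
    elements = _level_elements(ET.fromstring(manifest_bytes))
    return elements[0].get("level") if elements else None


def set_execution_level(manifest_bytes, new_level="asInvoker"):
    """Return a copy of the manifest with every requested level replaced."""
    if new_level not in VALID_LEVELS:
        raise ValueError("unknown execution level: %r" % new_level)
    root = ET.fromstring(manifest_bytes)
    elements = _level_elements(root)
    if not elements:
        # Nothing to change: the manifest never asked for a level.
        raise LookupError("manifest has no requestedExecutionLevel element")
    for el in elements:
        el.set("level", new_level)  # other attributes (uiAccess) are kept
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    print("before:", get_execution_level(SAMPLE_MANIFEST))
    patched = set_execution_level(SAMPLE_MANIFEST)
    print("after: ", get_execution_level(patched))
    print(patched.decode("utf-8"))
```

This handles a stand-alone .manifest file only; a manifest embedded in an executable is a PE resource, and changing it invalidates any Authenticode signature on that file. asInvoker only suppresses the elevation request, so a program that really writes to protected locations will still fail when started without administrative rights.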
 




Re: [Micronet] Software Installation Problem

Michael C. Nicol
lets not wets...


  Michael C. Nicol
Systems Administrator III, MCSE
(510)585-1575
 



-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Michael C.
Nicol
Sent: Monday, August 02, 2010 3:25 PM
To: 'Jon Johnsen'; 'Richard DeShong'
Cc: [hidden email]
Subject: Re: [Micronet] Software Installation Problem

John,

You might be tempted to disable the UAC , but there is a work around in
Windows 7 for these types of issues.

You will need to edit the application's manifest allowing the executable to
run AsInvoker.

You can either update the .xml file manually, or Haven Tools has a program
called Resource Tuner that wets admins modify application manifest embedded
in a precompiled executable.  

 Visual Studio has mt.exe that can be used, and it's also part of the
Windows SDK...

Modifying the .xml is pretty easy.  All you need to do is find the .xml file
in the  manifest folder and change the requestedExecutionLevel value from
requireAdministrator to asInvoker.

If modifying the application manifest isn’t possible, you can load the
Application Compatibility Toolkit (ACT) 5.5, a free download from Microsoft,
and use Compatibility Administrator to create a compatibility fix using the
RunAsInvoker shim and deploy the resulting database to your workstations:

1. Log in to Windows 7 as an administrator and install ACT.

2. Open Compatibility Administrator in the Application Compatibility Toolkit
5.5 folder on the Start menu, and below Custom Databases in the left pane
select New Database and press Ctrl+R.

3. Give the new database a name and press Enter.

4. Press Ctrl+P to create a new application fix. In the Create new
Application Fix dialog, type the name of the program to be fixed.

5. Click Browse and find the executable you want to apply the fix to and
click Open. Click Next to continue.

6. On the Compatibility Modes screen, select None under Operating Systems
and click Next. On the Compatibility Fixes screen scroll down the menu and
select the RunAsInvoker fix, which Figure 1 shows.

7. At this point you can click Test Run to see if the fix has the desired
effect on the application. Click Next to continue.

8. On the Matching Information screen, you can fine-tune how the
compatibility engine identifies the executable. Let’s leave the default
settings and click Finish.

9. Click the Save icon at the top of the Compatibility Administrator window
(see Figure 2), and save the database to the C drive on the local computer.

10. Select Install from the File menu and click OK to confirm the
installation of the database. You should now be able to run the targeted
application without the need to elevate privileges.

After the compatibility fix has been thoroughly tested, it can be
distributed. To do so, use Group Policy and a batch file that calls the
sdbinst.exe command line.


  Michael C. Nicol
Systems Administrator III, MCSE
(510)585-1575
 



-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Jon Johnsen
Sent: Monday, August 02, 2010 2:47 PM
To: Richard DeShong
Cc: [hidden email]
Subject: Re: [Micronet] Software Installation Problem

  Richard,

The problem is that some of his software will not install unless it's
installed using the default, real administrator account or a real OU
administrator account; it will not install using an account placed  in the
local administrator group.

We have settled on a work-around which is acceptable to the professor and
us.

Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357


On 8/2/2010 2:39 PM, Richard DeShong wrote:

> You could create an additional admin account for the user, something
> like "username-setup", or "username-install", that the user would use
> when they want to install new programs.
>
> --
> Richard DeShong.
>
> -----Original Message-----
> From: Karl R. Grose
>
> On 07/30/2010 15:53, Jon Johnsen wrote:
>
>> software will install only by using the local admin account, or,
>> sometimes, an OU or domain admin account. This is consistent with my
>> observations. Such software plain cannot be installed using an
>> account in the local admin group.
> Or is it that some software does not understand UAC and will not
> prompt correctly for the escalation of privileges needed to perform
> the installation? In those cases, does running the installation
> deliberately with escalated privilege (run as administrator) help?
>
> --Karl
>
> =======
>> Is this conclusion correct? If so, aside from "giving" this faculty
>> member the local admin account, can someone suggest a solution? (He
>> is an active user, whose office is not close to our office, so making
>> frequent, semi-urgent trips to his office isn't a practical solution,
>> especially in the rainy season.)
>

Re: [Micronet] Software Installation Problem

Michael C. Nicol
In reply to this post by Michael C. Nicol

Sorry, forgot pictures..

Figure 1

Figure 2

  Michael C. Nicol
Systems Administrator III, MCSE
(510)585-1575

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Michael C. Nicol
Sent: Monday, August 02, 2010 3:25 PM
To: 'Jon Johnsen'; 'Richard DeShong'
Cc: [hidden email]
Subject: Re: [Micronet] Software Installation Problem

 

John,

You might be tempted to disable UAC, but there is a workaround in Windows 7 for these types of issues.

You will need to edit the application's manifest, allowing the executable to run AsInvoker.

You can either update the .xml file manually, or Haven Tools has a program called Resource Tuner that lets admins modify the application manifest embedded in a precompiled executable.

Visual Studio has mt.exe that can be used, and it's also part of the Windows SDK...

Modifying the .xml is pretty easy. All you need to do is find the .xml file in the manifest folder and change the requestedExecutionLevel value from requireAdministrator to asInvoker.

If modifying the application manifest isn’t possible, you can load the Application Compatibility Toolkit (ACT) 5.5, a free download from Microsoft, and use Compatibility Administrator to create a compatibility fix using the RunAsInvoker shim and deploy the resulting database to your workstations:

1. Log in to Windows 7 as an administrator and install ACT.

2. Open Compatibility Administrator in the Application Compatibility Toolkit 5.5 folder on the Start menu, and below Custom Databases in the left pane select New Database and press Ctrl+R.

3. Give the new database a name and press Enter.

4. Press Ctrl+P to create a new application fix. In the Create new Application Fix dialog, type the name of the program to be fixed.

5. Click Browse and find the executable you want to apply the fix to and click Open. Click Next to continue.

6. On the Compatibility Modes screen, select None under Operating Systems and click Next. On the Compatibility Fixes screen scroll down the menu and select the RunAsInvoker fix, which Figure 1 shows.

7. At this point you can click Test Run to see if the fix has the desired effect on the application. Click Next to continue.

8. On the Matching Information screen, you can fine-tune how the compatibility engine identifies the executable. Let’s leave the default settings and click Finish.

9. Click the Save icon at the top of the Compatibility Administrator window (see Figure 2), and save the database to the C drive on the local computer.

10. Select Install from the File menu and click OK to confirm the installation of the database. You should now be able to run the targeted application without the need to elevate privileges.

After the compatibility fix has been thoroughly tested, it can be distributed. To do so, use Group Policy and a batch file that calls the sdbinst.exe command line.

  Michael C. Nicol
Systems Administrator III, MCSE
(510)585-1575


Re: [Micronet] Software Installation Problem

Lucy Greco-2

Pretty pictures smile

Lucy Greco
Assistive Technology Specialist
Disabled Student's Program UC Berkeley
(510) 643-7591
http://attlc.berkeley.edu
http://webaccess.berkeley.edu

From: [hidden email] [mailto:[hidden email]] On Behalf Of Michael C. Nicol
Sent: Monday, August 02, 2010 3:31 PM
To: 'Jon Johnsen'; 'Richard DeShong'
Cc: [hidden email]
Subject: Re: [Micronet] Software Installation Problem

Sorry, forgot pictures..

Figure 1

Figure 2

  Michael C. Nicol
Systems Administrator III, MCSE
(510)585-1575


Re: [Micronet] Software Installation Problem

Bill Clark
In reply to this post by Michael C. Nicol
Would another viable solution be to use a local VM over which the user
could be given full administrative control?  If the VM could only access
network resources made available through the host OS (with the user's
normal credentials) then that would seem to eliminate any security
concerns.

-Bill Clark


Re: [Micronet] Software Installation Problem

Jon Johnsen
In reply to this post by Michael C. Nicol
Michael,

We'll try this very soon.

Thanks.
Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357

On 8/2/2010 3:30 PM, Michael C. Nicol wrote:

Sorry, forgot pictures..

Figure 1

Figure 2

  Michael C. Nicol
Systems Administrator III, MCSE
(510)585-1575

-----Original Message-----
From: [hidden email] [[hidden email]] On Behalf Of Jon Johnsen
Sent: Monday, August 02, 2010 2:47 PM
To: Richard DeShong
Cc: [hidden email]
Subject: Re: [Micronet] Software Installation Problem

Richard,

The problem is that some of his software will not install unless it's installed using the default, real administrator account or a real OU administrator account; it will not install using an account placed in the local administrator group.

We have settled on a work-around which is acceptable to the professor and us.

Jon Johnsen
Information Systems Office
433 University Hall
School of Public Health, UC Berkeley
510 643-4357

On 8/2/2010 2:39 PM, Richard DeShong wrote:
> You could create an additional admin account for the user, something
> like "username-setup", or "username-install", that the user would use
> when they want to install new programs.
>
> --
> Richard DeShong.
>
> -----Original Message-----
> From: Karl R. Grose
>
> On 07/30/2010 15:53, Jon Johnsen wrote:
>
>> software will install only by using the local admin account, or,
>> sometimes, an OU or domain admin account. This is consistent with my
>> observations. Such software plain cannot be installed using an
>> account in the local admin group.
> Or is it that some software does not understand UAC and will not
> prompt correctly for the escalation of privileges needed to perform
> the installation? In those cases, does running the installation
> deliberately with escalated privilege (run as administrator) help?
>
> --Karl
>
> =======
>> Is this conclusion correct? If so, aside from "giving" this faculty
>> member the local admin account, can someone suggest a solution? (He
>> is an active user, whose office is not close to our office, so making
>> frequent, semi-urgent trips to his office isn't a practical solution,
>> especially in the rainy season.)

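An added example, not written by anyone in this thread, of the manifest edit described in the message quoted above: this PowerShell function sets `requestedExecutionLevel` to `asInvoker` in an external manifest file and keeps a backup of the original. The function name `Set-ManifestExecutionLevel`, the file name `LegacyApp.exe.manifest` and the sample manifest are assumptions made for illustration.

```powershell
# Added example: not from the thread. The function name, the file name and the
# sample manifest below are constructed for illustration.

function Set-ManifestExecutionLevel {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string]$Level = 'asInvoker'
    )

    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true        # keep the vendor's layout intact
    $doc.Load($resolved)

    # trustInfo is declared under asm.v2 in some manifests and asm.v3 in others,
    # so match the element by local name instead of binding one namespace.
    $nodes = $doc.SelectNodes("//*[local-name()='requestedExecutionLevel']")
    if ($nodes.Count -eq 0) {
        Write-Warning "No requestedExecutionLevel element in $resolved; file left unchanged."
        return
    }

    $changed = $false
    foreach ($node in $nodes) {
        $old = $node.GetAttribute('level')
        if ($old -cne $Level) {
            $node.SetAttribute('level', $Level)
            $changed = $true
        }
        # Report what was found so the change can be reviewed and logged.
        New-Object PSObject -Property @{
            Manifest = $resolved
            OldLevel = $old
            NewLevel = $Level
            UiAccess = $node.GetAttribute('uiAccess')
        }
    }

    if ($changed) {
        # Keep the vendor's original next to the edited file for rollback.
        Copy-Item -LiteralPath $resolved -Destination "$resolved.bak" -Force
        $doc.Save($resolved)
    }
}

# Constructed sample: an external manifest that forces a UAC elevation prompt.
$sampleManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'LegacyApp.exe.manifest'
Set-Content -LiteralPath $sample -Value $sampleManifest -Encoding UTF8

# Rewrite the level, show the before/after report, then show the edited line.
Set-ManifestExecutionLevel -Path $sample | Format-List
Select-String -Path $sample -Pattern 'requestedExecutionLevel'
```

This only covers a manifest stored as a separate file; a manifest embedded in the executable needs a resource tool such as mt.exe or Resource Tuner, as the quoted message says. A program set to asInvoker that really does need administrator rights will fail its privileged operations instead of prompting, so test it under the user's normal account before rolling the change out.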

Re: [Micronet] Software Installation Problem

Michael C. Nicol
In reply to this post by Bill Clark
Bill,

I agree that this is viable, but would caution against its wide-scale or even departmental-level implementation as a solution because it compounds the administrative surface and leaves us with two operating systems to support.

 
  Michael C. Nicol
Systems Administrator III, MCSE
(510)585-1575
 



-----Original Message-----
From: Bill Clark [mailto:[hidden email]]
Sent: Monday, August 02, 2010 3:43 PM
To: Michael C. Nicol
Cc: 'Jon Johnsen'; 'Richard DeShong'; [hidden email]
Subject: Re: [Micronet] Software Installation Problem

Would another viable solution be to use a local VM over which the user could be given full administrative control?  If the VM could only access network resources made available through the host OS (with the user's normal credentials) then that would seem to eliminate any security concerns.

-Bill Clark


Re: [Micronet] Software Installation Problem

Michael C. Nicol
In reply to this post by Lucy Greco-2

Sorry, Lucy, for the slow response.  Your staff.berkeley.edu email address got caught in my spam filter.

 

The pictures were visible in the HTML email I sent, but the list server changed it to plain text and the pictures were lost.

 

The following line contains the download site for Microsoft’s ACT - Application Compatibility Toolkit version 5.6.  The site has FAQs, deployment, quick-start, and Step-By-Step Guides.

 

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971

 

 

  [hidden email]
Systems Administrator III, MCSE
(510)585-1575

 

 

From: Lucy Greco [mailto:[hidden email]]
Sent: Monday, August 02, 2010 3:37 PM
To: Michael C. Nicol; 'Jon Johnsen'; 'Richard DeShong'
Cc: [hidden email]
Subject: RE: [Micronet] Software Installation Problem

 

Pretty pictures smile

 

Lucy Greco

Assistive Technology Specialist

Disabled Student's Program UC Berkeley

(510) 643-7591

http://attlc.berkeley.edu

http://webaccess.berkeley.edu

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Michael C. Nicol
Sent: Monday, August 02, 2010 3:31 PM
To: 'Jon Johnsen'; 'Richard DeShong'
Cc: [hidden email]
Subject: Re: [Micronet] Software Installation Problem

 

Sorry, forgot pictures..

 

Figure 1

 

 

Figure 2

 

 

 

  Michael C. Nicol

Systems Administrator III, MCSE

(510)585-1575

 

 

 

 

