Glenn Thimmes
7/21/2006 2:38:00 PM
Hello, and thanks in advance to anyone who can offer any assistance on the
following issue. I apologize for the length of this explanation, but this is
not a simple problem to explain.
I am currently putting together a new deployment for my company's software
that requires some new security considerations that we have never had to
address before. The critical requirement is that we can automate the
deployment of our software in a 200+ client environment where the users are
completely locked down and elevated permissions are required to install
anything. The second priority is the requirement that the user not be
presented with any installation options that they can affectively alter and
possibly configure incorrectly; all installation options must be
configurable by IT staff.
There are three options for this deployment that have presented themselves:
Group Policy MSI Push (this is supposed to run with elevated permissions,
but exactly what permissions? Can they be specified? Do the custom actions
still execute with the elevated permissions?)
Login Scripts
Bootstrap EXE that uses .Net impersonation to elevate permissions and run
each necessary installation piece.
Regardless of which method is used to enable the deployment, it will have to
accomplish the following tasks:
*Create program directory, move files, create shortcuts, and build registry
structure. (This part is by no means the challenge)
*Launch a dependant 3rd party MSI that requires command parameters in order
to set options and run silently. (This cannot be ran from within an MSI and
cannot be ran independently as a secondary MSI push because, as far as I
know, MSI pushes cannot have command parameters specified - PLEASE CORRECT
ME IF I'M WRONG)
*Launch a dependant 3rd party EXE installer that runs silently.
What is the best approach to accomplish this considering all the
requirements? The group policy push sounds convenient, but won't work
because of the third party MSI requiring command parameters to run silent.
Login scripts might work but it sounds complicated and, like the MSI push,
requires setting up for 200+ users.
The bootstrap exe currently sounds like a great option because we can use
..Net impersonation within a c# console application to elevate permissions
and then launch each piece separately: MSI install, 3rd party MSI, 3rd party
exe. The .Net 2.0 framework makes it possible to specify credentials in a
Process.Start call, but will those credentials really carry over when you
start an MSI using msiexe.exe?