Export (0) Print
Expand All

Installing a Package with Elevated Privileges for a Non-Admin

An administrator can use the following methods to enable a non-administrator user to install an application with elevated system privileges.

  • In Windows Vista with Windows Installer, a member of the Administrators group can provide authorization for a non-administrator to elevate the installation through User Account Control (UAC) as described in Using Windows Installer with UAC.

    Windows Vista:  Required.

The following methods can also be used to install an application with elevated system privileges.

  • An administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator advertises the package for per-machine installation. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users cannot install unadvertised packages that require elevated system privileges.
  • An administrator can go to the user's computer and advertise the application for per-machine installation. Because the Windows Installer always has elevated privileges while doing installs in the per-machine installation context, if a non-administrator user then installs the advertised application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated privileges.
  • A non-privileged user can install an advertised application that requires elevated privileges if a local system agent advertises the application. The application can be advertised for a per-user or per-machine installation. An application installed using this method is considered managed. For more information, see Advertising a Per-User Application To Be Installed with Elevated Privileges.
  • An administrator can set the AlwaysInstallElevated policy for both per-user and per-machine installations. This method can open a computer to a security risk, because when this policy is set, a non-administrator user can run installations with elevated privileges and access secure locations on the computer, such as the SystemFolder or the HKLM registry key.

    If the application is installed per-machine while the AlwaysInstallElevated policy is set, the product is treated as managed. In this case, the application can still perform a repair with elevated privileges if the policy is removed. Also, if the application is installed per-user while the AlwaysInstallElevated policy is set, the application is unable to perform a repair if the policy is removed.

  • An administrator can go to a user's computer and do a per-machine installation of the application. Because privileges are required to perform this type of installation, per-machine installations are always managed.

Related topics

Installation Context

 

 

Community Additions

ADD
Show:
© 2014 Microsoft