Microsoft KB Archive/259459

= How to allow users who are not administrators to install MSI packages =

Article ID: 259459

Article Last Modified on 8/29/2006

-

APPLIES TO

 Microsoft Windows Installer 1.0, when used with:  Microsoft Windows NT 4.0

 Microsoft Windows 2000 Standard Edition  Microsoft Windows Installer 1.1, when used with:  Microsoft Windows NT 4.0

 Microsoft Windows 2000 Standard Edition</li></ul> </li> Microsoft Windows Installer 1.2, when used with:  Microsoft Windows NT 4.0</li></ul>

 Microsoft Windows 2000 Standard Edition</li></ul> </li></ul>

-

<div class="notice_section">

This article was previously published under Q259459

<div class="notice_section">

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

<div class="summary_section">

SUMMARY
This article describes three methods by which an administrator can enable a nonadministrator user to install managed Windows Installer applications.

<div class="moreinformation_section">

MORE INFORMATION
An application is called a &quot;managed application&quot; if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a nonadministrator user to install managed applications.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.  On a computer running Windows NT 4.0 or Windows 2000, an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to &quot;1&quot; under the following registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

WARNING: This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, nonadministrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.

</li> On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a nonadministrator user then installs the application, the installation can run with elevated privileges. Nonadministrator users still cannot install unadvertised packages that require elevated system privileges. The following is an example of a command line used by an administrator doing a per-machine installation:

msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1

Here is an example of how the administrator would advertise the package on the computer per-machine:

msiexec -jm c:\pathtofile\mypackage.msi

For more information, see the Help topic &quot;Advertisement&quot; in the Windows Installer Platform SDK:

http://msdn.microsoft.com/library/en-us/msi/setup/advertisement.asp

</li> On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a nonadministrator user then installs the application, the installation can run with elevated privileges. Nonadministrator users still cannot install unadvertised packages that require elevated system privileges.

For more information on Group Policy, see the &quot;Introduction to Windows 2000 Group Policy&quot; white paper:

http://www.microsoft.com/windows2000/docs/GPIntro.doc

</li></ul>

<div class="references_section">