NAL processes in the User and System scope

  • 3919348
  • 05-Jun-2007
  • 30-Apr-2012

Environment

Novell ZENworks 6.5 Desktop Management Support Pack 2 - ZDM6.5 SP2 Application Launcher (NAL)
Novell ZENworks 7 Desktop Management Support Pack 1 - ZDM7 SP1 Application Launcher (NAL)

Situation

NAL processes in the User and System scope

Resolution

The following explains which security space NAL operates in under various configurations. This is important to consider when troubleshooting the launch or distribution of a NAL application.

Configuration: User Associated apps

| Operation                                                                              | Local machine access | NW server access | Windows server access |
|----------------------------------------------------------------------------------------|----------------------|------------------|-----------------------|
| Distribution Options                                                                   |                      |                  |                       |
| Application Files (also including Icons/Shortcuts, Registry, INI Settings, Text Files) | SYSTEM               | eDir user        | Domain user           |
| Distribution Scripts                                                                   | SYSTEM               | eDir workstation | Domain workstation    |
| Pre-Distribution Process Termination                                                   | SYSTEM               | n/a              | n/a                   |
| Run Options                                                                            |                      |                  |                       |
| Application                                                                            | Local user           | eDir user        | Domain user           |
| Application (with Environment set to Secure or Unsecure System)                        | SYSTEM               | eDir workstation | Domain workstation    |
| Launch Scripts                                                                         | Local user           | eDir user        | Domain user           |
| Common                                                                                 |                      |                  |                       |
| Reporting                                                                              | Local user           | eDir user        | Domain user           |
| Uninstall                                                                              | SYSTEM               | n/a              | n/a                   |
| Uninstall Scripts                                                                      | Local user           | eDir user        | Domain user           |

Configuration: Workstation Associated apps

| Operation                                                                              | Local machine access | NW server access | Windows server access |
|----------------------------------------------------------------------------------------|----------------------|------------------|-----------------------|
| Distribution Options                                                                   |                      |                  |                       |
| Application Files (also including Icons/Shortcuts, Registry, INI Settings, Text Files) | SYSTEM               | eDir workstation | Domain workstation    |
| Distribution Scripts                                                                   | SYSTEM               | eDir workstation | Domain workstation    |
| Pre-Distribution Process Termination                                                   | SYSTEM               | n/a              | n/a                   |
| Run Options                                                                            |                      |                  |                       |
| Application                                                                            | Local user           | eDir user        | Domain user           |
| Application (with Environment set to Secure or Unsecure System)                        | SYSTEM               | eDir workstation | Domain workstation    |
| Launch Scripts                                                                         | Local user           | eDir user        | Domain user           |
| Common                                                                                 |                      |                  |                       |
| Reporting (Cache, Distribution)                                                        | SYSTEM               | eDir workstation | Domain workstation    |
| Reporting (Launch, Uninstall)                                                          | Local user           | eDir user        | Domain user           |
| Uninstall                                                                              | SYSTEM               | n/a              | n/a                   |
| Uninstall Scripts                                                                      | Local user           | eDir user        | Domain user           |

Configuration: Workstation Associated, Force Run apps

| Operation                                                                              | Local machine access | NW server access | Windows server access |
|----------------------------------------------------------------------------------------|----------------------|------------------|-----------------------|
| Distribution Options                                                                   |                      |                  |                       |
| Application Files (also including Icons/Shortcuts, Registry, INI Settings, Text Files) | SYSTEM               | eDir workstation | Domain workstation    |
| Distribution Scripts                                                                   | SYSTEM               | eDir workstation | Domain workstation    |
| Pre-Distribution Process Termination                                                   | SYSTEM               | n/a              | n/a                   |
| Run Options                                                                            |                      |                  |                       |
| Application                                                                            | SYSTEM               | eDir workstation | Domain workstation    |
| Application (with Environment set to Secure or Unsecure System)                        | SYSTEM               | eDir workstation | Domain workstation    |
| Launch Scripts                                                                         | SYSTEM               | eDir workstation | Domain workstation    |
| Common                                                                                 |                      |                  |                       |
| Reporting                                                                              | SYSTEM               | eDir workstation | Domain workstation    |
| Uninstall                                                                              | SYSTEM               | n/a              | n/a                   |
| Uninstall Scripts                                                                      | Local user           | eDir workstation | Domain workstation    |

Configuration: Workstation Associated, Force Run, Force Run as User if Workstation Associated apps

| Operation                                                                              | Local machine access | NW server access | Windows server access |
|----------------------------------------------------------------------------------------|----------------------|------------------|-----------------------|
| Distribution Options                                                                   |                      |                  |                       |
| Application Files (also including Icons/Shortcuts, Registry, INI Settings, Text Files) | SYSTEM               | eDir user        | Domain user           |
| Distribution Scripts                                                                   | SYSTEM               | eDir workstation | Domain workstation    |
| Pre-Distribution Process Termination                                                   | SYSTEM               | n/a              | n/a                   |
| Run Options                                                                            |                      |                  |                       |
| Application                                                                            | Local user           | eDir user        | Domain user           |
| Application (with Environment set to Secure or Unsecure System)                        | SYSTEM               | eDir workstation | Domain workstation    |
| Launch Scripts                                                                         | Local user           | eDir user        | Domain user           |
| Common                                                                                 |                      |                  |                       |
| Reporting                                                                              | Local user           | eDir user        | Domain user           |
| Uninstall                                                                              | SYSTEM               | n/a              | n/a                   |
| Uninstall Scripts                                                                      | Local user           | eDir user        | Domain user           |

MSI Applications have two points of security elevation that can be managed by NAL:

1. AlwaysInstallElevated

2. Distribute in Workstation Security Space if Workstation Associated


1. AlwaysInstallElevated

AlwaysInstallElevated is a DWORD value that exists under both HKLM and HKCU (specifically, in Software\Policies\Microsoft\Windows\Installer). When set to 1, the security context of the Windows Installer service is used to perform installs of MSI applications. If it is set to 0 (or does not exist), the logged-in user's security context is used to perform the install. NAL automatically sets these two values (among others) to 1 before calling the MSI APIs to perform the install. Specifically, NAL backs up the current values, sets them to 1, calls the MSI install, then restores the values to their original settings.

However, using the Windows Installer service to elevate the distribution of an MSI does not necessarily take care of all the security permissions needed to complete an MSI install while logged in to the local machine as a non-Administrative user. MSIs (and MSPs) are made up of Standard Actions and Custom Actions. Most MSIs use only Standard Actions, and these are performed by the Windows Installer service when AlwaysInstallElevated is set to 1. Some MSIs, however, use Custom Actions: additional actions defined within the MSI that let the MSI developer call further setup routines during the course of the install. Usually these Custom Actions call EXEs or DLL entry points to complete some nested install. By default, Windows Installer runs Custom Actions in the context of the user, so as to limit the access Custom Actions have to the system. Windows Installer will run them as the service only if two conditions are met: AlwaysInstallElevated is set to 1, and the Custom Action is defined to run in the security context of the service. When distributing MSI NAL apps, the AlwaysInstallElevated condition is always met, so the only condition left to meet is that the Custom Action be defined to run in the security context of the service.

To do this, you can either ask the MSI author to change the Custom Action attribute that defines elevation, or you can do it yourself with InstallShield's Editor feature, usually found in AdminStudio Standard or Professional Edition (which is different from the AdminStudio version that ships with ZENworks). If for some reason you cannot meet this last requirement of having the Custom Action defined to run in the security context of the service, your Custom Actions will run in the security context of the calling user. Normally, when distributing MSI NAL apps, the calling user is the currently logged-in Windows user. If this is a non-Administrative account, the Custom Action could fail, causing the MSI install to fail altogether (usually with a 1603 fatal error). This is why you may need to take advantage of the second point of security elevation that NAL MSI apps offer:
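As an added troubleshooting aid that is not part of this TID or of Novell's code, the following PowerShell script checks both conditions described above for a given MSI: the AlwaysInstallElevated values under HKLM and HKCU, and which Custom Actions are flagged to run in the service's context. It assumes the standard WindowsInstaller.Installer COM automation object and the msidbCustomActionType flag values from the Windows Installer SDK; the column names and messages are my own.

```powershell
# Added troubleshooting script (not from the TID or Novell): for one MSI, report the two
# conditions the article says must both hold for a Custom Action to run as the Windows
# Installer service. Assumes the WindowsInstaller.Installer COM object (standard on
# Windows) and read access to the MSI; the policy key path is the one the article quotes.
param([Parameter(Mandatory = $true)][string]$MsiPath)

# Flag bits of the CustomAction table's Type column (Windows Installer SDK names).
$InScript      = 0x400   # msidbCustomActionTypeInScript: deferred action
$NoImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate: run as the service

# Condition 1: AlwaysInstallElevated = 1 under both HKLM and HKCU. NAL sets both to 1
# around the install and restores them afterwards, so a value still at 1 on an idle
# machine means the restore did not happen and should be investigated.
$policyKey = 'Software\Policies\Microsoft\Windows\Installer'
$hives = foreach ($hive in 'HKLM', 'HKCU') {
    $item  = Get-ItemProperty -Path "${hive}:\$policyKey" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 'absent (behaves as 0)' } else { $item.AlwaysInstallElevated }
    [pscustomobject]@{ Hive = $hive; Value = $value }
}
'AlwaysInstallElevated state:'
$hives | Format-Table -AutoSize | Out-String

# Condition 2: only deferred (InScript) actions that also set NoImpersonate run as the
# service; every other Custom Action runs as the calling user (the logged-in user under NAL).
function Invoke-Com($obj, $name, $kind, $params) {
    $obj.GetType().InvokeMember($name, [Reflection.BindingFlags]$kind, $null, $obj, $params)
}
$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)   # 0 = open read-only
try   { $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Action`, `Type`, `Target` FROM `CustomAction`') }
catch { "No CustomAction table in $MsiPath: only Standard Actions, so Condition 1 alone decides."; return }
Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
$rows = @()
while ($null -ne ($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null)) {
    $type = Invoke-Com $rec 'IntegerData' 'GetProperty' @(2)
    if (($type -band $InScript) -and ($type -band $NoImpersonate)) { $runsAs = 'SERVICE (elevated)' }
    elseif ($type -band $InScript) { $runsAs = 'user (deferred, impersonated)' }
    else { $runsAs = 'user (immediate)' }
    $rows += [pscustomobject]@{
        Action = Invoke-Com $rec 'StringData' 'GetProperty' @(1)
        Type   = $type
        RunsAs = $runsAs
        Target = Invoke-Com $rec 'StringData' 'GetProperty' @(3)
    }
}
"Custom Actions in $MsiPath (a 'user' action can fail with 1603 for a non-admin user):"
$rows | Format-Table -AutoSize
```

Run it against the MSI behind a failing NAL app; any action reported as 'user' is a candidate for the Custom Action attribute change or for the second elevation point described next.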

2. Distribute in Workstation Security Space if Workstation Associated (available in ZENworks 6.5 and higher) is a feature found in the Distribution Options of a NAL MSI app. Currently available for workstation-associated applications, this feature changes the calling user from the currently logged-in Windows user to the SYSTEM user, which means that the SYSTEM user's security context is used when performing the Custom Actions.

NOTE: Not all MSIs will install when called from the System scope. For example, the ZPM agent (prior to 6.3.2.858) has a Custom Action that registers with the PatchLink server. This action must be performed as an administrative user because it attempts to make an HTTP connection. In these cases, using a Run As command line could be an alternative install method.


Additional Information

Reference material:

For more information on Custom Actions, visit Microsoft documentation.

For more information on DevStudio available from InstallShield, visit InstallShield's site.

For more information on NAL file system access in ZENworks 7, visit ZENworks documentation.

For more information on NAL file system access in ZENworks 6.5, visit ZENworks documentation.

For more information on NAL file system access in ZENworks 4.0.1, visit TID 10081393.

Formerly known as TID# 10095935

Change Log

Nov 26 08 Dave Brazzeal: bolded, underlined and added yellow highlighting on the section headers, and added 1. and 2. under the MSI section.