07: PolicyPak Least Privilege Manager: Install MSI Applications as Standard Users

Need a user to install an MSI app, but he doesn’t have the rights to do so? See how in a minute you can specify the applications he should be able to install, and just like that, a Standard User can install an MSI without UAC prompts.

PolicyPak: Use PP Least Privilege Manager to elevate MSI installers

Hi. This is Jeremy Moskowitz. In this video, I’m going to show you how you can use PolicyPak Least Privilege Manager to have users self-install MSI applications.

In previous videos, you saw me bypass UAC prompts for things like Procmon which requires UAC prompt and install applications that may be shipped as .EXE. But in this video, I’m going to show you how if a standard user double clicks on an application that’s an MSI, you know what’s going to happen here, if a standard user tries to do this, they get prompted right here for the “Install” with a little flag on it. And, look at this, of course it doesn’t work.

With PolicyPak Least Privilege Manager, we can elevate just when you need to, just for the circumstance. Over here on this machine, this is my Group Policy console, I’m going to for my “East Sales” users say I want all my East Sales users to “Let Standard Users Install Skype for Desktop.”

When I click “Edit” here on this Group Policy Object, I’m going to do this on the user side. You could do this on either user or computer side, but in this case for this demonstration, I’m doing it on the user side. We’re going to going to the “Least Privilege Manager” component and we’re going to “Add/New Windows Installer Policy.”

There are a couple ways you can do this. You can “Use simple rule” or “Use combo rule.” Combo rules are explained in other videos which are a little bit more complex. I’m going to do a simple rule. The simple rule I’m going to do is I’m going to say based on the exact file, so I want only this version of Skype for Desktop to be installed, that’s going to be the “Hash.” Or if I want to, I can do a “Signature” and say allow anything from this publisher. A combo would let me do any of these things. I’m going to just use “Hash” to make this simple and just do a quick demonstration.

I’m going to then “Select windows installer” file. Here on this machine, I have a copy of that file to make this demo a little easier for me. If I click on “SHARE” here and I go to “Apps To Manage,” I have the same copy I’m going to let users install themselves already here on my machine. I’ll just click it, and we get the “Hash.” When they try to run “SkypeSetup.msi,” as long as it’s this “Hash,” we’re going to elevate it in real time.

We’re going to “Run with elevated privileges” here. We’re going to just say, “Let Skype for Desktop install as Standard User.” We’ll leave the “State” as “Enabled.” We could if we want to use “Item Level Targeting,” which could say some users under these conditions go ahead and let them do it where other users not under these conditions don’t do it.

For instance, if you wanted certain people in maybe the West Sales users to be able to do this, you could filter based on group or OU membership. Or you can say only let them do it on laptops but not desktops. That’s another good idea for “Item Level Targeting.”

Anyway, we’ll go ahead and click “Finish” here. It’s just that simple. We’ve got the rule. We’ve got it saying do “Windows Installer policy,” “Elevated privileges” and based on the “Hash” “Condition.” It’s as simple as that.

Ten seconds ago, you saw me try to run the Skype installer MSI and it didn’t run. Now I’m going to be running GP Update (“gpupdate”) and see what happens as soon as Group Policy kicks in. Now, of course, Group Policy would kick in the next time a user logs on or just naturally in the background. I just happen to be using GP Update to make this happen.

At this point now, I can just double click “SkypeSetup” here. Before when we clicked “Next” here, we saw the “Install” button had a little flag on it which wouldn’t permit it. But now we’ve elevated it and just like that, “Skype 7.30,” which is the exact version that I used in my Hash, will now be enabled and works perfectly. It will run as a standard user, but we installed it with elevated privileges. There you go.

What about other MSIs? Well, you didn’t say that those were good, so because you didn’t say they were good, you can get this far. But let’s see what happens. We get prompted, which is exactly what we expect. That’s the general gist. If you want the MSI to be installed with elevated rights, you need to give it an explicit rule using PolicyPak Least Privilege Manager and then you’re off to the races.

I hope this helps you out. If you’re looking to get started, click on the Webinar/Download button and then go ahead and we’ll see you at the webinar and give you a trial.

Thanks so much.

  • 625
  • 02-Jul-2019