Published Program Setup Stops Unexpectedly (259377)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q259377

SYMPTOMS

When a user attempts to install a published program, the installation process may stop abruptly with no error message or notification. When this occurs, the Add/Remove Programs tool lists the published program as "Installed."

The Application event log records only the following events:
Source: Application Management
Event ID: 307
Description: The launch of the setup command for program Program name from policy Default Domain Policy succeeded.
No additional data is available.

CAUSE

This behavior can occur if the user does not have permission to install the program. This can occur when the following conditions exist:
  • The program that is being installed is not a Microsoft Software Installer-aware (MSI-aware) program.
  • A .zap file was used to publish the program.
  • The user is a member of either the local Users group or of the Domain Users group.
NOTE: Group Policy restrictions in the enterprise may deliberately prevent this action from taking place.

RESOLUTION

To resolve this issue, use either of the following methods.

Configure the User Account

Configuring the user account is the preferred method in a workgroup environment or on a stand-alone computer. Add the user to either the local Power Users group, or to a domain user group that has administrative privileges on the local workstation. If your group policy requirements do not allow the user to be granted elevated privileges, the user must request that a power user or administrator install the program.

Configure the Permission with Group Policy

In an Active Directory domain environment, you can implement the right to install programs with elevated privileges with Group Policy. You can implement this at the domain or organizational unit level.

NOTE: This policy appears in both the Computer Configuration and the User Configuration folder. To make this policy effective, you must enable the policy in both folders.

To add this right with Group Policy:
  1. Start the Active Directory Users and Computers snap-in, and then click the appropriate organizational unit or domain.
  2. Right-click the container, and then click Properties.
  3. Click the Group Policy tab, and then click New, or click the existing group policy, and click Edit. This starts Group Policy Manager.
  4. In Group Policy Manager, click the Computer Configuration folder.
  5. In the left pane, click the plus sign (+) next to the policy object to expand the view. Under the policy object, expand Administrative Templates.
  6. Expand Windows Components, and then click Windows Installer so that the Windows Installer policy settings appear in the right pane.
  7. Double-click the Always Install with Elevated Privileges policy setting.
  8. Click Enabled, and then click to select the Check to force this setting on check box.
  9. Click OK to accept the new policy settings.
  10. Repeat these steps in the User Configuration folder to complete the policy configuration.
  11. Quit Group Policy Manager and the Active Directory Users and Computers snap-in, and then restart the computer.
  12. Test the new settings.

MORE INFORMATION

Publishing programs by using a .zap file does not allow using elevated privileges. See the following Microsoft Knowledge Base article for additional information about using .zap files to publish non-MSI aware programs:

231747 How to Publish non-MSI Programs with .zap Files

Using this policy setting directs Software Installer to use system permissions, not user permissions, when it installs programs.

If you disable this policy or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. This behavior causes the program's installation not to succeed if the user account does not normally have the right to install programs.

The elevated privileges that this policy uses are usually reserved for programs that have been assigned to the user, assigned to the computer, or published in the Add/Remove Programs tool in Control Panel. This policy lets users install programs that require access to folders that the user might not have permission to view or change, including folders on highly restricted computers. One security issue that this policy presents is that users can take advantage of the permissions this policy grants to change their privileges and gain permanent access to restricted files and folders. You must use caution when you configure this policy in a network environment in which the use of this policy may conflict with security restrictions. Note that the User Configuration version of this policy is not guaranteed to be secure. Keep this in mind when you are evaluating network security.
Modification Type:MajorLast Reviewed:11/20/2003
Keywords:kbGPO kbprb kbsetup KB259377
©2003 Microsoft Corporation. All rights reserved.