[gptalk] Re: GPO S/W Deployments

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Sun, 7 Sep 2008 16:52:37 -0700


That policy (Always install elevated) only applies to MSI installations that
are un-managed (i.e. not deployed via GP). As such, its probably not a good
idea, from a security perspective, to enable that policy unless you really
really need to.


Any software deployed via GP is automatically elevated (either per-computer
or per-user). However, there are circumstances when settings within
individual MSI packages will try to thwart this (e.g. by requiring that only
administrators can install).  But normally, GP-deployed packages are already




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Robert Mariani
Sent: Sunday, September 07, 2008 3:57 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO S/W Deployments


Hi All,

  I would like to ask the experts about GPO software deployments.  


Currently I have software being deployed via MSI/MST computer based GP's
which are linked to the computers OU. 

In the GPO I have set Windows installer for standard logging and enabled
"Always install with elevated privileges".  Does having this privilege -
even though only applied to the computer allow a user (who is just a domain
user) to install software.  I have only found conflicting advice using


Is this a recommended setting for deploying software?  We only use computer
targeted software deployments rather than publishing to a user.



Robert Mariani
Applications Manager

The Buchan Group, Melbourne
Architecture+Master Planning+Interiors+Graphics
A  133 Rosslyn St West Melbourne Vic 3003 Australia
GPO Box 4584 Melbourne Vic 3001 Australia
W  www.buchan.com.au <http://www.buchan.com.au/> 

This message is transmitted subject to our email policies and may only be
relied on by an authorised recipient.
Click on this link to view the policies:

Other related posts: