Hi All,
Apologies, this is nowhere related to packaging, but as I did not get any response in the deployment forum, I thought I should give it a try in this forum.

We have implemented the CA USD tool in our company for software deployment. All desktops are locked down (no access to the C drive). In this scenario we want to install the applications with elevated rights.

We want to open up restricted areas in the C drive on an application basis so that they can write runtime data to those directories with elevated rights.

Most people suggest creating application groups in AD and elevating rights for that group to restricted directories (C:\PF\[ProductName]) and then deploying the application, hence during installation rights to the identified restricted folders will be elevated.

I have a few questions (I am new to AD policies):

1) Does right elevation for such directories mean adding this application group to the Administrator group and then deploying,

OR

2) Actually accessing the target directory folders in AD and assigning elevated permissions?

Kindly suggest pointers to best practices for the same from your experience.

Cheers,
V
Answers

0
You are using CA to deploy MSI packages?
Answered 08/18/2005 by: VikingLoki
Second Degree Brown Belt

0
Yes.
Answered 08/18/2005 by: viv_bhatt1
Senior Purple Belt

0
There are many ways of going about setting the security. The standard process is to add a small custom action to your MSI packages that executes a command which will update security settings as the app needs them. SetACL.EXE is a very popular option, freely downloadable. You can even embed it into the MSI's binary table and execute it from there.

With CA you don't really need to use AD. The package will only be deployed through Unicenter, which will have its own ID and credentials. That will have the ability to run the MSI install, which launches SetACL.exe. The only way AD would be involved is if you need tight security.

For example, app 1 needs write access to Program Files\App1\tempdata. You could include SetACL.exe in the MSI binary table and execute it with a command line that sets the security of tempdata to give everyone read/write to tempdata. The app will work fine.

BUT, if some sensitive data can be cached in tempdata, you may want to ensure that only users of App1 have access to it. Then set the security for tempdata the same way as above, except give the App1Users group read/write access. The App1Users group will be an AD security group.
Answered 08/19/2005 by: VikingLoki
Second Degree Brown Belt
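
The group-scoped variant described in the answer above, as an added example that is not part of the original thread: it uses PowerShell's built-in Get-Acl/Set-Acl in place of SetACL.exe, grants Modify on the one data folder only, and then warns if a broad built-in principal still has write access. The group name `CONTOSO\App1Users` and the folder path are hypothetical placeholders, and the script is assumed to run under the deployment agent's elevated account.

```powershell
# Added example; the group and folder names are hypothetical placeholders.
param(
    [string]$Folder = 'C:\Program Files\App1\tempdata',
    [string]$Group  = 'CONTOSO\App1Users'
)
$ErrorActionPreference = 'Stop'

# Resolve the name to a SID first, so a missing or misspelled group fails the
# install here. The ACE stores the SID, so renaming the group later does not
# affect ACEs already written to disk.
$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
    [System.Security.Principal.SecurityIdentifier])

if (-not (Test-Path -LiteralPath $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# Modify = read/write/delete without the right to change permissions;
# inherited by subfolders and files below the data folder.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $Folder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Post-install check: warn about any Allow ACE that gives a broad built-in
# principal write access to the folder.
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'  # Everyone, Authenticated Users, BUILTIN\Users
$write = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -LiteralPath $Folder).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $write) -ne 0
    } |
    ForEach-Object {
        Write-Warning "Broad write access: $($_.IdentityReference.Value) $($_.FileSystemRights)"
    }
```

Passing the group as a parameter keeps the name out of the script body, so a renamed group only changes the value supplied at deployment time.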

0
Sorry for the late reply.

For the App1Users group, are you suggesting to use SetACL.exe to elevate rights in the MSI?
This is a good point, but I have only one concern: App1Users is a group defined by the company in AD. Any changes to the naming convention of this group in the future will call for a change in the package too.

I wanted to understand if I can achieve the same as suggested by you using group policies. Has anyone tried Xcal?

Cheers,
V
Answered 08/26/2005 by: viv_bhatt1
Senior Purple Belt
