System account privileges / rights assignment
- From: Masa <Masa@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 4 Jan 2009 10:36:09 -0800
We decided to deploy L2TP connection settings on our client's AD environment
using CMAK and Group Policies. I created a CMAK installation executable, and
made an MSI installation package of it using Visual Studio 2008. I tested the
installation package using an administrator account on our client's AD
environment and it worked as expected. After that I assigned this package to
one test computer using Group Policy; everything worked as expected. However,
the installation failed when I assigned it to another computer.
After doing some work I found out that the SYSTEM account (under which the
Windows Installer service runs when performing installation) did not have
enough rights to complete the CMAK package installation (namely running the
cmstp.exe executable on the successfully installed and extracted CMAK cabinet).
Using the instructions at http://blogs.msdn.com/adioltean/articles/271063.aspx I
launched a command prompt running under the system account and tried to run
cmstp.exe (found in the unpacked CMAK cabinet) as described in article
http://support.microsoft.com/kb/266793; this test, like every other test I
ran, worked fine on the other computer, but on the computer having this
“installation problem” it failed with the error message “You do not have
necessary access rights…”.
Once again, after some frustrating information digging, I launched Microsoft
Internet Explorer using the System account. When I opened “tools/internet
options/connections”, all the settings were grayed out. Since these test
computers have had GPOs deployed that disabled domain users from
launching the internet connection wizard, I thought that I could correct the
problem by enabling these settings for “Authenticated users” using a GPO (I
suppose that the CMAK package somehow involves IE and thus needs these rights,
but since I did not find any documentation regarding this issue, I’m not
sure)…but this did not work. The items in the Internet Explorer internet
connection settings tab stayed greyed out for the system account; for other
domain accounts with which I logged in, these settings became enabled.
One similar question: I suppose that the System account is a local account, and
you cannot apply a User GPO to it separately?…however, since it was possible to
assign a GPO to the system account using the Group Policy Management Console, I
even tried it, with no luck however.
Finally I decided to give up. I made a separate MSI package using Visual
Studio 2008 which installs a phonebook (.pbk) file containing the tunneling
definition to domain computers (+creates VPN desktop icons & makes some
register settings needed on the environment). Installing this package using
GPO works well.
I’m sure that the actual solution is simple, and I would like to know how to
enable the connection tab in IE settings for the system account in a domain
environment…and of course I would appreciate it if somebody could tell me how
these settings may become disabled for such a powerful account as the system
account.