Workaround for Deploying Badly Authored MSI Installs
Novell Cool Solutions: Trench
By Glenn Alward
Digg This -
Updated: 8 Mar 2005
There's a problem being discussed here in the Novell Support Forums.
Badly authored MSI installs give error 1603 on a locked down workstation/user (User is only member of the 'Users' group) (See also this discussion).
SOLUTION: By triggering the install through the pre-distribution script with msiexec, and by adding a failure check (NAL doesn't check the errorlevel), these malicious MSIs can still be deployed to locked down users. Setting the desktop interaction for the nalntsrv on, gives the visual feedback through the progress bar.
%SOURCE_PATH%=UNC-DNS path to sourcedir cmdow.exe=freeware tool for hiding cmd boxes Made NALNTSERVICE interact with desktop for MSI progressbar System TEMP=User TEMP cmd.exe for the script engine %TREE%=Predefined System Environment var PreDistributionScript: @cmdow @ /hid %Systemroot%\system32\msiexec.exe /i %SOURCE_PATH%\
.MSI /qb! IF NOT %ERRORLEVEL%==0 echo Error! >"%TEMP%\%*;DN%" PostLaunchScript: @cmdow @ /hid IF Exist "%TEMP%\%*;DN%" Reg.exe delete HKLM\Software\Netware\NAL\1.0 \Distribute\%TREE%\%*;App:GUID% /f del /f /q "%TEMP%\%*;DN%"
Note: I had to make a split, because the reg entry for the app is made after the distribution (script).
You must use UNC paths for the SOURCE_PATH, as distribution scripts run in the system\workstation context and as such do not have access to the usermappings. This also implies that the Workstations must have RF rights on the snapshot dirs.
You can use another location for the 'link' dir, which in the example is %TEMP%, as long as the dir is the same for user & system context and both hav change rights there. An option could be C:\NALCache, you don't have to sync the tempdirs with this option.
If you have any questions you may contact Peter at firstname.lastname@example.org
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com