David Schwartz

Install flag to say it's for ALL USERS?

At work, all of our computers and networks and everything need to be compliant with PCI, HIPAA, and a half-dozen other security protocols.

So when we install software in Windows, we need to elevate to Admin. Most software shows something that asks if we want to install for "this user" or "All Users".

Delphi doesn't ask that, and seems to default to "this user" -- which if you're forced to install as Admin, means a lot of stuff is not accessible if you're NOT running as Admin. We are forbidden from running any sort of normal stuff as Admin!

So I'm unable to install updates or new software on my laptop.

Maybe there's a flag that lets you set this somewhere?

I know a lot of Delphi is used in healthcare environments that are subject to HIPAA and other provisions, so I can't be the only person having to deal with this.

(Note: I don't have this problem on my own machine; it's only an issue with my work computer.)

Link to post
Guest

Have you seen the "OPTION" button? Normally we have this option there: all or these (if unchecked).

Another way: you could use PowerShell to indicate the MS Windows user to install your software, and you can use an unattended txt file for an easy and quiet install!

Look at this:

https://youtu.be/4zt1TnYttds

hug

Edited by Guest

Link to post

Yes, the OPTIONS button was pointed out to me. I tried it, and sadly it didn't solve the problem.

Is there a video on using the PowerShell as suggested? I don't know anything about it.

Edited by David Schwartz

Link to post
Guest
46 minutes ago, David Schwartz said:

Is there a video on using the PowerShell as suggested? I don't know anything about it.

The video above is about RAD 10.1 Berlin and shows the use of "Options" when installing RAD, nothing more!

Maybe these SO posts are better:

https://stackoverflow.com/questions/50004647/how-to-run-a-program-as-another-user-and-add-arguments-in-powershell

https://stackoverflow.com/questions/33377545/how-to-prompt-to-run-exe-as-different-user-in-powershell

https://blog.atwork.at/post/Run-PowerShell-script-as-different-user

etc...

hug

Link to post
Guest
1 hour ago, David Schwartz said:

Have you actually dealt with this problem? Anybody here who has?

I have never needed to install RAD with another MS user, so maybe I can try at the next "format c:"

You can test using a VM with MS Windows 10...

  • Just plug in your "RADStudio ISO" (if you don't have it, download it from Embarcadero) as the CD drive on your VM and try following the video step by step!

hug

Link to post
We have VMs provided to us by IT, and they must also conform to all strict security policies. That is, we cannot use a VM to escape these silly policies.

This is on my company laptop. The VMs are on our intranet, and they're slower to use.

It's not fun.

Edited by David Schwartz

Link to post
Guest
Just now, David Schwartz said:

We have VMs provided to us by IT, and they must also conform to all strict security policies. That is, we cannot use a VM to escape these silly policies.

But you can try on your home PC, as you said in another post!

Anyway, it is possible to do it!

Maybe I will try it on my PC just out of curiosity!

hug

Link to post

Security restrictions are PITA!

So you can just nag those security guys to do whatever they want but provide you, the software writer, with properly set instruments.

Alternatively, try to just copy files from UserData and registry entries from Admin's HKCU to your account.

Link to post

Working around AD policies is mission impossible. Depending on the rules, the AD policies may decide to nix your changes to the registry and/or file system.

But - installing components to a public folder / public registry key by default would be a nice start.

@David Schwartz - I know the pain you are in. I used to depend on LAPS to get stuff done, and that doesn't really help for installation of components.

Luckily we managed to broker a deal where us devs got local admin rights, in exchange for treating the internet with extreme paranoia.

Link to post
Guest
17 hours ago, David Schwartz said:

Have you actually dealt with this problem? Anybody here who has?

Hi @David Schwartz

For a clear understanding, what would you need to do (in practice)?

If possible, more details about it... install MS Windows, install RAD, install components, etc... a "how to do it" for me to try here!

hug

Link to post
On 2/28/2021 at 5:51 PM, emailx45 said:

But you can try on your home PC, as you said in another post!

Anyway, it is possible to do it!

Maybe I will try it on my PC just out of curiosity!

hug

This is a problem on my WORK MACHINE! I'm not screwing-up my personal machine trying to figure out a work-related problem!

If I had much interest in IT Administration, then maybe. But I just want to get stuff done without having to deal with walls designed to keep intruders out that in the end keep us from doing what we were hired to do. It's above my pay-grade.

About 10 years ago I had a contract at a bank where every Friday at noon the Corp IT Dept shoved down a bunch of Windows updates, and part of that ended up revoking all of the Admin rights on all of the Dev computers. We'd back stuff up in the morning then there was a Dev meeting at 11AM for an hour, and everyone would leave for lunch. When we got back, we'd spend the rest of the afternoon getting our machines back to a working state, assuming the IT folks gave us back Admin rights before they quit for the day.

Where I'm at now, we don't GET Admin rights. Period! We can't even access the damn Registry!

Because even though we're behind two VPNs and several firewalls and have most of the CPU bandwidth on our laptops allocated to background security stuff, they fundamentally don't think they can trust anybody except the Managers. As if no company ever had problems with their managers... (Actually, I was told it's mostly because one of the Sr. Mgrs insists on the ability to connect to any computer in the company at any time, including production machines. Which makes everybody's computer potentially an attack vector.)

Like I said, it's above my pay grade. I'm just trying to see if anybody here may have had to deal with this crap.

Link to post
14 hours ago, emailx45 said:

Hi @David Schwartz

For a clear understanding, what would you need to do (in practice)?

If possible, more details about it... install MS Windows, install RAD, install components, etc... a "how to do it" for me to try here!

hug

I really don't know the depths of the security policies involved, but remove your main user from the Admin group, and create a separate admin login (not Administrator, but a separate user that's in the Admin group) that you use in a way that the two accounts are not coupled in any way. Then lock up your Registry so that only members of the Admin group can access it.

If you're really that curious, read up on HIPAA and PCI compliance, then find any others that impose restrictions on what you can access and factor them in.

Set things up so you have to login through a VPN and tunnel through a secondary firewall, and change passwords every 6 weeks.

In other words, pretend you want to manage medical bills and collections, and also collect credit card and check payments on your own servers. Where people can get access to their medical records that were submitted with the bills.

Is your brain hurting yet?

Link to post
29 minutes ago, David Schwartz said:

We can't even access the damn Registry!

Your machine won't work if users can't read and write to HKCU and can't read from HKLM. So what do you mean by this? 

Link to post
2 hours ago, David Heffernan said:

Your machine won't work if users can't read and write to HKCU and can't read from HKLM. So what do you mean by this? 

Hmmm.... Reading okay, agreed. Writing, I don't agree. I do need admin privilege to write, else Windows virtualizes my written stuff and it's gone on restart. Am I wrong?

Link to post
21 minutes ago, KodeZwerg said:

I do need admin privilege to write, else Windows virtualizes my written stuff and it's gone on restart. Am I wrong?

If you needed admin to write to HKCU, then how would users save user preferences? And registry virtualisation? Well, that is only for processes without a manifest. That was only ever a crutch for migration back in 2005.

Link to post
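
A quick way to check the access claim made in the posts above on a locked-down workstation, as an added example that is not part of any post in the thread: run it from a non-elevated PowerShell session. The `RegAccessProbe` key name is a constructed placeholder, created and removed by the script.

```powershell
# Added illustration: report which registry hives the current (non-elevated)
# session can read and write. 'RegAccessProbe' is a constructed key name.
$ErrorActionPreference = 'Stop'

function Test-IsElevated {
    # True only when the current token is a member of the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RegistryWrite {
    param([Parameter(Mandatory)][string]$HiveRoot)   # e.g. 'HKCU:\Software'
    $probe = Join-Path $HiveRoot 'RegAccessProbe'
    try {
        # Create a throwaway key, write a value, and read it back.
        New-Item -Path $probe -Force | Out-Null
        Set-ItemProperty -Path $probe -Name 'Value' -Value 'ok'
        return ((Get-ItemProperty -Path $probe -Name 'Value').Value -eq 'ok')
    }
    catch {
        # Access denied (or any other failure) counts as "cannot write".
        return $false
    }
    finally {
        # Remove the probe key if it was created.
        if (Test-Path $probe) {
            Remove-Item -Path $probe -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

[pscustomobject]@{
    User      = [Environment]::UserName
    Elevated  = Test-IsElevated
    HKCUWrite = Test-RegistryWrite 'HKCU:\Software'
    HKLMRead  = [bool](Get-Item 'HKLM:\Software' -ErrorAction SilentlyContinue)
    HKLMWrite = Test-RegistryWrite 'HKLM:\Software'
}
```

For a standard user the expected pattern is `Elevated` false, `HKCUWrite` true, `HKLMRead` true and `HKLMWrite` false; anything else is worth raising with whoever manages the machine's policy.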
13 minutes ago, David Heffernan said:

If you needed admin to write to HKCU, then how would users save user preferences? And registry virtualisation? Well, that is only for processes without a manifest. That was only ever a crutch for migration back in 2005.

In my apps I do save settings in a file inside the user folder so no admin is required.

Now you make me nervous; I will build a test project to confirm what you said.

Question: What should be in the manifest to make it work? I do not know of any special setting yet that allows writing besides Admin.

Thanks in advance.

Edited by KodeZwerg

Link to post
11 minutes ago, KodeZwerg said:

In my apps I do save settings in a file inside the user folder so no admin is required.

Now you make me nervous; I will build a test project to confirm what you said.

Are we both talking about HKCU here?

11 minutes ago, KodeZwerg said:

What should be in the manifest to make it work?

Depends what you are trying to achieve.

Link to post
10 minutes ago, David Heffernan said:

Are we both talking about HKCU here?

Depends what you are trying to achieve.

My demo would try to write to HKCU.

Since you mentioned manifest, I've asked for advice on what it should contain to work properly.

Link to post
5 minutes ago, KodeZwerg said:

My demo would try to write to HKCU.

If you can't write to HKCU then there's something wrong.

5 minutes ago, KodeZwerg said:

Since you mentioned manifest, I've asked for advice on what it should contain to work properly.

It's a huge topic, and different programs will have very different content in their manifests. This is something that is documented, so if you want to learn more, that's where you start.

Link to post
51 minutes ago, David Heffernan said:

Well, that is only for processes without a manifest.

That is why I requested 'what it should contain'. Anything special?

14 minutes ago, David Heffernan said:

This is something that is documented, so if you want to learn more, that's where you start.

I will search MSDN to get an answer.

What I understood so far:

No manifest = no write permission.

Inside manifest no admin status needed.

Somehow the dog bites its tail.

No need to reply.

Link to post
52 minutes ago, KodeZwerg said:

Anything special?

Sometimes. It depends.

 

52 minutes ago, KodeZwerg said:

What I understood so far:

No manifest = no write permission.

Wrong.

Link to post
Guest
7 hours ago, David Schwartz said:

Is your brain hurting yet?

Not more than it should!!! Security is not for anyone, like me or any other!

But, as you said: "It's above my pay-grade." -- for me too!

But it would be good to know your tactic for doing it on your PC... but as you said: "I'm not screwing-up my personal machine trying to figure out a work-related problem!", for me too!

So, let's leave this possible solution to the most suitable ones; after all, they studied for it, and they must be worth your monthly salary, right?

No more; after one more "inEgmatic" question and some even more "inEgmatic" posts, we stop here!

hug

Edited by Guest

Link to post
On 2/27/2021 at 2:25 AM, David Schwartz said:

Delphi doesn't ask that, and seems to default to "this user" -- which if you're forced to install as Admin, means a lot of stuff is not accessible if you're NOT running as Admin. We are forbidden from running any sort of normal stuff as Admin! 
 

Isn't the idea that you get your organization's "trusted" admins to run the installers for you, and you (under a non-admin user account) can run and use the applications? Does that not work with Delphi?
