[wix-users] How to execute a custom action with user privileges (non elevated)
Roland Kieslinger
rkieslinger at rzl.at
Mon Nov 27 23:54:52 PST 2017
The major reason why I need the specific non elevated token is the requirement of accessing the user's mapped network drives. In my bootstrapper he is able to choose a shared directory in his network. Most of the time, they choose a mapped network drive. Then at install time I need to access the chosen directory in my custom actions. I think I'll stick to my current solution. Impersonating the user token of the bootstrapper should be the correct way.
I'm not very familiar with service accounts, but I guess they won't help me solve my basic problem, right?
-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Paul Mumford via wix-users
Sent: Monday, 27 November 2017 23:48
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Paul Mumford <paul.mumford at gmail.com>
Subject: Re: [wix-users] How to execute a custom action with user privileges (non elevated)
What worked for me was to have a service account on the target machine which was only allowed to deal with the application and use impersonation programmatically. Requires the tiny bit of extra effort of making the account I guess but it did indeed solve the problem.
On 27 November 2017 at 20:56, Roland K via wix-users < wix-users at lists.wixtoolset.org> wrote:
> Yes, I know. But in my case it makes a huge difference, if I get the
> elevated or non elevated user token and if the InstallScope of your
> msi is set to "perMachine", it seems you always get the elevated user
> token with Impersonate="yes".
>
> My current working solution is doing a second impersonation manually
> inside the custom actions by duplicating the right, non elevated user
> token of the bootstrapper.
>
> Joel Budreau via wix-users <wix-users at lists.wixtoolset.org> wrote on
> Mon, 27 Nov 2017, 21:04:
>
> > You can execute a custom action and set Impersonate="yes". This will
> > make the custom action execute with the user’s credentials (not the
> > SYSTEM account).
> >
> > - Joel
> >
> > > On Nov 16, 2017, at 1:51 AM, Roland Kieslinger via wix-users <wix-users at lists.wixtoolset.org> wrote:
> > >
> > > Hello!
> > >
> > > Is it possible to execute a custom action with user privileges
> > > (non elevated)?
> > >
> > > If a user with local admin rights logs on to Windows, 2 tokens are
> > > generated. One token without admin rights (filtered token) and one
> > > token with admin rights. If he maps a network drive, this usually
> > > happens using the filtered token, except he does it explicitly with
> > > admin rights, for example by starting cmd elevated and using "net
> > > use...". But if he does the mapping with the filtered token, I have
> > > no chance to access the network drive in my setup, because I always
> > > get the token with admin rights there.
> > >
> > > I thought I get the filtered token, when I'm executing a custom
> > > action in the immediate phase, but it seems that's not the case.
> > >
> > >
> > >
> > > ____________________________________________________________________
> > > WiX Toolset Users Mailing List provided by FireGiant
> > > http://www.firegiant.com/
> >
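Added example, not part of the original thread and not WiX's own code: one way a managed custom action could perform the second impersonation discussed above, using the token of the non-elevated bootstrapper process. It assumes .NET Framework and that the bootstrapper passes its process id to the custom action; `FilteredTokenAccess`, `DirectoryExistsAsBootstrapperUser` and `bootstrapperPid` are hypothetical names, and the helper refuses a token that is itself elevated.

```csharp
// Added example (not from the thread). Assumes .NET Framework and that the
// bootstrapper hands its own process id to the custom action (hypothetical).
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class FilteredTokenAccess
{
    const uint TOKEN_DUPLICATE = 0x0002, TOKEN_IMPERSONATE = 0x0004, TOKEN_QUERY = 0x0008;
    const int TokenElevation = 20;   // TOKEN_INFORMATION_CLASS value

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int length, out int returned);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns whether 'path' is reachable under the bootstrapper's non-elevated token.
    public static bool DirectoryExistsAsBootstrapperUser(int bootstrapperPid, string path)
    {
        IntPtr token;
        using (Process bootstrapper = Process.GetProcessById(bootstrapperPid))
        {
            if (!OpenProcessToken(bootstrapper.Handle, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            int elevated, returned;
            if (!GetTokenInformation(token, TokenElevation, out elevated, sizeof(int), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            if (elevated != 0)   // fail closed: only a filtered (non-elevated) token is acceptable
                throw new InvalidOperationException("Bootstrapper token is elevated; refusing to use it.");

            // WindowsIdentity duplicates the handle; Impersonate() applies it to this thread only.
            using (WindowsIdentity user = new WindowsIdentity(token))
            using (user.Impersonate())          // Dispose() reverts the thread to its own token
            {
                return Directory.Exists(path);  // evaluated in the filtered token's logon session
            }
        }
        finally { CloseHandle(token); }
    }
}
```

Keeping the impersonated region this narrow means the rest of the custom action continues under the token Windows Installer gave it, and any failure to obtain or validate the bootstrapper token aborts the check instead of silently running elevated.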