User based install

Hi, is it possible to use this toolkit as a user-based install rather than system?

I need to target an AD group.

Running as system is not a requirement. If your users are local admins on their machines it is feasible to deploy to an AD group. Do you intend to deploy using GPO? If so, I would look into executing it as a startup script.

In general terms installing applications requires elevation (run as admin). Last time I checked the Deploy-Application.exe did require elevation and will not run unless elevated. PowerShell.exe does not however, so depending on what you’re planning on doing it might be possible to just run powershell with parameters to start the script even though the user is not a member of the local administrators group on the system. If you’re planning on doing tasks such as the following however you need to elevate the process regardless of what type of exe it is:

  • Creating, modifying or deleting files and folders in Program Files dir, Windows dir, ProgramData dir, other users' profiles etc.
  • Creating, modifying or deleting registry entries other than your own HKU hive.
  • Creating, modifying or deleting system services, some scheduled tasks and so forth (these are basically registry entries, the registry is basically files located under C:\Windows - which normal users are not allowed to fiddle with)… yeah, you might already know all this…

So the question is - what are you planning on doing in detail?

PS. Can’t remember if I’ve tried executing the Deploy-Application.ps1 in a non-elevated PS console, so I can’t really promise that will work either… But definitely worth testing out :)…

Hey, thanks for the info.
Yup, using PowerShell instead of the exe from SCCM 2012 works, and I’ve been targeting users in AD groups to hit their primary devices.
It’s to install an Outlook add-in that needs Outlook closed.
I’m using -closeapps and -blockexecution,
but for a post-install task I’d like Outlook reopened.
-blockexecution is blocking it, so just figuring out where to place the execute-process task atm.

oops figured to remove the reg key hehe

I see. Well if you’re using SCCM you will have an elevated scenario per default (Someone correct me if I’m wrong here, but AFAIK the CcmExec service is started by nt authority\system per default, hence all the sub processes, such as application deployment scripts, it starts as well).

Office plugins differ from one another, but I’ve packaged a VSTO file a while back that needed some registry entries in the user's registry hive. Got it done with the following:

<code>
# Per-user add-in registration; the toolkit runs this block once per user profile (via -SID).
[scriptblock]$HKCURegistrySettings = {
        Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\Word\Addins\my.addin.name' -SID $UserProfile.SID
        Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\Word\Addins\my.addin.name' -Name 'Description' -Value 'my.addin.name' -Type String -SID $UserProfile.SID
        Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\Word\Addins\my.addin.name' -Name 'FriendlyName' -Value 'my.addin.name' -Type String -SID $UserProfile.SID
        # LoadBehavior 3 = load the add-in at application startup
        Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\Word\Addins\my.addin.name' -Name 'LoadBehavior' -Value 3 -Type Dword -SID $UserProfile.SID
        # Double quotes so the $env/$app variables expand; single quotes would store them literally
        Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\Word\Addins\my.addin.name' -Name 'Manifest' -Value "file://$envProgramFilesX86\$appVendor\$appName\my.addin.name.vsto" -Type String -SID $UserProfile.SID
}
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings</code>

Which means the addin gets installed for every user logging on to the system. Then deployed it to a collection of devices.

But yeah… Keep in mind that if you want to reopen Outlook for the user you do not want to use Execute-Process, but Execute-ProcessAsUser (at least if the installation is running with any other account than the current logged on user). Otherwise you risk having Outlook running as system which would (1) not open the current logged on user's mailbox and most importantly (2) open up the possibility for the user to start processes (such as a PowerShell console) as the system account – which has access to pretty much everything on the system.

If outlook is started with system it will most likely appear pretty messed up, but you could always open a CMD through a Save As window and check with the command whoami.

As always I write too much, but HTH :)…
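
A scripted version of the `whoami` check suggested in the post above, as an added example that is not part of the original thread or of the toolkit: it lists named processes that run as Local System (SID S-1-5-18) inside an interactive session. The function name and the default process list are assumptions made for this example; run it elevated so the owners of other users' processes can be read.

```powershell
# Added example (not from the thread): audit for GUI apps that were launched as SYSTEM
# in a user's session, e.g. Outlook restarted with Execute-Process from a SYSTEM install.
function Find-SystemOwnedInteractiveProcess {
    [CmdletBinding()]
    param(
        # Executable names to check; hypothetical default taken from the thread's scenario.
        [string[]]$Name = @('OUTLOOK.EXE')
    )

    $localSystemSid = 'S-1-5-18'   # well-known SID, independent of OS language

    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        # Session 0 is the services session; SYSTEM processes are expected there.
        if ($proc.SessionId -eq 0) { continue }
        # -notcontains is case-insensitive, so 'outlook.exe' also matches.
        if ($Name -notcontains $proc.Name) { continue }

        # GetOwnerSid fails for processes that exited or that we may not query.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid -ErrorAction SilentlyContinue
        if (-not $owner -or $owner.ReturnValue -ne 0) { continue }

        if ($owner.Sid -eq $localSystemSid) {
            [pscustomobject]@{
                Name        = $proc.Name
                ProcessId   = $proc.ProcessId
                SessionId   = $proc.SessionId
                OwnerSid    = $owner.Sid
                CommandLine = $proc.CommandLine
            }
        }
    }
}

# Any row returned here is a process the logged-on user can drive with SYSTEM rights.
$findings = @(Find-SystemOwnedInteractiveProcess)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No matching SYSTEM-owned process found in an interactive session.'
}
```

Passing shells in `-Name` (for example `'CMD.EXE','POWERSHELL.EXE'`) widens the check, but a deployment that is allowed to interact with the user can legitimately show its own PowerShell process as SYSTEM in that session while it runs.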

Hi Pelle,
Sorry for not getting back to you before, been away. Thanks so much for the info. Definitely should have used execute-processasuser. Luckily it was a user based install so execute-process was under a user context.
Having done it with the 2012 application model, I should have followed the documentation and gone old-school using package/program for a recurring schedule.

I tried utilizing a custom client setting that had a software deployment evaluation daily. But that doesn’t apply for a user-based application. I can see in appdiscovery that it is checking daily. But it’s not enforcing the user install daily if it’s not there.

<Forget what I just wrote here…>

Do you have multiple users on the same device? If so, are some supposed to have access to the application and shortcuts and so forth, while others shouldn’t? If so - Consider App-V. Since recently Microsoft Desktop Optimization Pack (MDOP) licensing has changed (don’t know the correct licensing terms here but…) from an extension to your Windows Software Assurance to being included by default. So if you’re an SA customer it’s good news if you’re ready to take that step.

If you’re not familiar with App-V - App-V brings the application to a layer above the OS so to speak, isolating it from the system… this way there’s no way to access the application unless it’s deployed either to your user account or globally on the machine… It’s also supported from an SCCM perspective so it would be quite easily deployed in your environment. Does require some training however.

That was a side note though… I will have to return at a later point for suggestions on your current situation :)…

Ah unfortunately app-v isn’t in our environment. And to answer your question yes there are some instances where a device will have multiple users. I don’t think it’s too much of a problem for this scenario as they need to have an account in the backend for them to use the add-in it’s mailexpress (ability to send large attachments via outlook). Thanks for all your help will keep keeping on hehe. The toolkit is great, think I might slowly implement all apps + packages to use it.

Can I just chime in and say that for per user stuff you should probably be using GPOs.

The per user stuff works well in the PSADT, does what it says on the tin, but by its nature it is a one off installation. There are many situations where the registry key might be deleted or the user's profile recreated etc.

To ensure consistency you should really use group policy if it’s available to you.

When I want to run PSADT in the user context I have been editing AppDeployToolkitConfig.xml

<Toolkit_RequireAdmin>False</Toolkit_RequireAdmin>

If there is a better method, please let us know.

Didn’t know about that possibility until now! I haven’t had the need for it myself yet, but seems useful for OP. I don’t think it’s necessary though, if deployed through CM…