Level 4

Conditional Permissions

I am trying to write an MSI InstallShield 2010 project which will set the proper permissions on a few folders. The problem is that Vista users are covered in the group "Everyone". As far as I know, no "Authenticated Users" group normally exists on Windows Vista. Our own corporate users, who use Windows XP, are all covered in the group "Authenticated Users", but none of our corporate users are included in the "Everyone" group.

If I try to set permissions for both "Everyone" and "Authenticated Users" in the install, it will fail on both operating systems since one group, or the other, will not be present on the target operating system. This will cause the install to fail and abort.

Is there a way to set permissions for both groups conditionally based on whether or not the user group exists on the target operating system?

0 Kudos
(2) Replies
Level 10 Flexeran

Authenticated Users should exist on Vista or newer versions of Windows (it's listed as an account on Windows 2008 and Windows 7 machines that I checked). Unless you are using the MSI LockPermissions support, it should be possible to set permissions for Everyone and Authenticated Users on Windows XP or newer versions of Windows.

If you are using the MSI LockPermissions support or InstallShield ISLockPermissions support, unfortunately, there is no way to conditionally apply permissions (this is possible with the new MsiLockPermissionsEx table in Windows 7/MSI 5.0). A custom action would be required in this case to apply permissions as needed based on the target operating system (note that InstallScript custom actions can call the InstallScript SetObjectPermissions function, which is functionally equivalent to the ISLockPermissions table support).
0 Kudos
Level 2

There is a difference between LockPermissions and ISLockPermissions though.

In our install we have for each OS version a separate component that creates the same folder. For Windows 2003 IIS_WPG will be added and for XP the ASPNET is added.
When using the LockPermissions table only the entries are processed for the LockObjects that are actually being installed.
When using the ISLockPermissions table all permissions in the table are executed unconditionally, regardless of the component install state.

After several hours of investigation we went back to the LockPermissions table. It's a pity cause the support for automatic conversion of localized names was a very nice feature.
0 Kudos
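
The custom-action approach suggested in the first reply, as an added example (not code from this thread or from InstallShield): a PowerShell script that grants rights by well-known SID, which is the same on every Windows version and display language, and skips any principal that does not resolve on the target machine. The folder path and the rights granted are assumptions.

```powershell
# Added example. $Folder and $Rights are hypothetical values, not from the thread.
param(
    [string]$Folder = 'C:\ProgramData\ExampleApp\Data'
)
$ErrorActionPreference = 'Stop'

# Assumption: grant only what the application needs on this folder.
$Rights = [System.Security.AccessControl.FileSystemRights]::Modify

# Well-known SIDs avoid localized account names ("Everyone", "Jeder", ...).
$wellKnown = @(
    [System.Security.Principal.WellKnownSidType]::WorldSid,             # Everyone, S-1-1-0
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid  # Authenticated Users, S-1-5-11
)

function Resolve-WellKnownSid {
    param([System.Security.Principal.WellKnownSidType]$Type)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Type, $null)
    try {
        # Translate throws if no account on this machine maps to the SID.
        $null = $sid.Translate([System.Security.Principal.NTAccount])
        return $sid
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

$acl = Get-Acl -LiteralPath $Folder
foreach ($type in $wellKnown) {
    $sid = Resolve-WellKnownSid -Type $type
    if ($null -eq $sid) {
        # The conditional part: skip the principal instead of aborting.
        Write-Warning "Principal $type does not resolve here; skipped."
        continue
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        $Rights,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)   # merges with any existing allow entry for the SID
    Write-Output "Granted $Rights on $Folder to $($sid.Value)"
}
Set-Acl -LiteralPath $Folder -AclObject $acl
```

Because the script is keyed on SIDs rather than names, it also covers the localized-name conversion that the last reply misses from ISLockPermissions.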