peterbi
Level 7

How to check administrator rights?

Hi,

I am working on a package. The installation of the package needs to check if the user has 'administrator' rights; if so, the installer will prompt some message.

How can I check the administrator rights during the installation? I saw somebody mentioned AdminUser and Privileged properties, which are not quite proper for my case, because our package needs to support W2K3/XP/Vista. Is there a better way to do it?

Thanks,
Peter
0 Kudos
(31) Replies
joshstechnij
Level 10 Flexeran

If you're just trying to determine if the launching user is in the administrators group, you could try using Is(USER_INADMINGROUP) from an InstallScript custom action. This check is different from Is(USER_ADMINISTRATOR) because it ignores the "deny only" flag on admin group info in the current user's token. The Is(USER_ADMINISTRATOR) check returns false if the admin group info in the current token is marked "deny only" (i.e. the current process has not been elevated).
0 Kudos
peterbi
Level 7

Hi Josh,

Thank you for your reply. According to my reading of Is(), I think USER_INADMINGROUP is the right thing I can use. Currently I am setting up the building and testing systems to confirm that.

BTW, as I said, we made all our CAs from a binary implemented with C/C++. Is there any way we can do it (Is(USER_INADMINGROUP, "")) from our C/C++ code? I think we can either get the code/programs behind Is(USER_INADMINGROUP, ""), or directly call Is() from C/C++. But I haven't done so so far. Can you let me know if that's possible and how to do it?


Thanks,
Peter
0 Kudos
peterbi
Level 7

Oops, spoke too early!

It is still not working :mad:

I created a simple project (testrights), in which only one ISScript function -

    function CheckAdmin(hMSI)
        // To Do: Declare local variables.
    begin
        if (Is(USER_INADMINGROUP, "")) then
            MsiSetProperty(hMSI, "ADMINLOGIN", "1");
            MessageBox("ADMINLOGIN is 1", INFORMATION);
        else
            MsiSetProperty(hMSI, "ADMINLOGIN", "0");
            MessageBox("ADMINLOGIN is 0", INFORMATION);
        endif;
    end;


I created a CA and put the CA in various locations (UI and Execute sequences) and none of them works completely. The problem is that when I tried in an account that is a member of administrators group, it still said "ADMINLOGIN is 0":eek:

I am attaching the zipped project; if anybody is interested, please try it.

Please note that "Require Administrative Privileges" is set to "No" in the project, which is needed in my real project.

Please also note that I have added MSIUSEREALADMINDETECTION in the Property Manager table; it seems to be no help.


Thanks,
Peter
0 Kudos
peterbi
Level 7

Here is the zipped project
0 Kudos
peterbi
Level 7

I also tried with hardcoded login info like:

if( Is(USER_INADMINGROUP, "Domain_name\\User_name")) then

or

if( Is(USER_INADMINGROUP, "Domain_name\User_name")) then

the same result as

if( Is(USER_INADMINGROUP, "")) then
0 Kudos
joshstechnij
Level 10 Flexeran

Calling Is(USER_ADMINISTRATOR) or Is(USER_INADMINGROUP) checks whether the user is a member of the BUILTIN\Administrators security group, meaning the local machine's admin group. A network domain account is not a part of this group unless a network admin added the domain user as a member of a local machine's admin group.

The USER_INADMINGROUP and USER_ADMINISTRATOR checks are working as expected. Is the user the setup is running under a member of the local admin group on the machine you are testing on? If you use the SysInternals Process Explorer utility to view the setup process' access token, is BUILTIN\Administrators listed (process properties->Security tab)?

Note the second parameter to the Is function is ignored with all USER_* options. The current thread/process token is used to determine group membership.
0 Kudos
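The deny-only distinction described in the replies above, as an added example that is neither InstallShield's implementation nor code from the thread: it models how the Administrators entry of an access token separates "member of the group" from "holds admin rights now". The struct, function names and sample tokens are hypothetical; on Windows the entries would come from GetTokenInformation with TokenGroups.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Group attribute bits, with the values winnt.h defines for them. */
#define GRP_ENABLED   0x00000004u    /* SE_GROUP_ENABLED */
#define GRP_OWNER     0x00000008u    /* SE_GROUP_OWNER */
#define GRP_DENY_ONLY 0x00000010u    /* SE_GROUP_USE_FOR_DENY_ONLY */
#define ADMINS_SID    "S-1-5-32-544" /* BUILTIN\Administrators */
#define USERS_SID     "S-1-5-32-545" /* BUILTIN\Users */

/* Hypothetical stand-in for one SID_AND_ATTRIBUTES entry of a token. */
typedef struct { const char *sid; uint32_t attrs; } group_entry;
typedef enum { ADMIN_NONE, ADMIN_DENY_ONLY, ADMIN_ENABLED } admin_state;

/* Report how the token carries the Administrators group, if at all. */
admin_state classify_admin(const group_entry *groups, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (strcmp(groups[i].sid, ADMINS_SID) != 0)
            continue;
        if (groups[i].attrs & GRP_DENY_ONLY)
            return ADMIN_DENY_ONLY;  /* filtered, non-elevated token */
        if (groups[i].attrs & GRP_ENABLED)
            return ADMIN_ENABLED;    /* group counts in access checks */
    }
    return ADMIN_NONE;
}

/* Membership regardless of elevation (the USER_INADMINGROUP reading). */
int in_admin_group(const group_entry *g, size_t n)
{ return classify_admin(g, n) != ADMIN_NONE; }

/* Admin rights usable by this process (the USER_ADMINISTRATOR reading). */
int is_effective_admin(const group_entry *g, size_t n)
{ return classify_admin(g, n) == ADMIN_ENABLED; }

/* Constructed sample tokens, not captured from a real system. */
static const group_entry elevated_token[] = {
    { USERS_SID, GRP_ENABLED }, { ADMINS_SID, GRP_ENABLED | GRP_OWNER } };
static const group_entry filtered_token[] = {
    { USERS_SID, GRP_ENABLED }, { ADMINS_SID, GRP_DENY_ONLY } };
static const group_entry standard_token[] = { { USERS_SID, GRP_ENABLED } };

int main(void)
{
    /* A filtered admin is in the group but holds no admin rights yet. */
    return !(in_admin_group(filtered_token, 2) &&
             !is_effective_admin(filtered_token, 2) &&
             is_effective_admin(elevated_token, 2) &&
             !in_admin_group(standard_token, 1));
}
```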
rguggisberg
Level 13

In bat files I use the OPENFILES command to detect if the user has admin privileges as shown below. I suppose you could put something like the code below in a bat file and have a CA launch it.

    REM 2003 Server
    VER | FIND "Version 5.2." > nul
    IF %ERRORLEVEL% == 0 (
        REM Do OPENFILES to check for administrative privileges
        OPENFILES > nul
        IF ERRORLEVEL 1 (
            COLOR CF
            ECHO.You must be logged on as Administrator to run this program.
            PAUSE
            EXIT /B 1
        )
    )

    REM Vista
    VER | FIND "Version 6.0." > nul
    IF %ERRORLEVEL% == 0 (
        REM Do OPENFILES to check for administrative privileges
        OPENFILES > nul
        IF ERRORLEVEL 1 (
            COLOR CF
            ECHO.Right click on this bat file and select 'Run as administrator'.
            PAUSE
            EXIT /B 1
        )
    )
0 Kudos
peterbi
Level 7

First to 'rguggisberg': I made a simple testing .bat file with your code, and tried it with an administrators member account on Vista. I still got the 'Logged-on user does not have administrative privilege.' error, so I think I messed up the account itself. Please see below.

To Josh,

First of all, I think I need to clarify the following:
- I do all development and building on my dev machine
- My testing machine (only talking about Vista now) is in the same domain as my dev system
- I created admin and non-admin accounts on the testing system
- When testing, I log on to the testing machine with the local account info (admin or non-admin user), then I create a mapped drive to point to the image on my dev system. When prompted for logon info during mapped drive creation, I input logon info for my dev system.

Now I use the Process Explorer to check the setup process. On the dev machine, the testrights setup.exe displayed BUILTIN\Administrators with flag 'Owner' (first figure in the attached document file). When the image was copied to the testing system (not on the mapped drive), using Process Explorer there to open the setup.exe, it showed BUILTIN\Administrators, but with flag 'Deny'. My guess is that it's because we have set 'Require Administrative Privileges' to 'No'. This is the second figure in the attached file. Please note that I did it from an account with local administrator rights (a member of the local administrators group), and executing the copied (not via mapped drive) setup.exe still failed to detect the admin rights of the account (the install still gave the message saying "ADMINLOGIN is 0", the same on executing the batch file - see the beginning of this reply).

Out of curiosity, I also opened another setup.exe with Process Explorer on the testing system (Vista, the same account with admin rights by being a member of the local administrators group), which has 'Require Administrative Privileges' set to 'Yes' (but it's an InstallScript MSI project instead of Basic MSI). It showed both empty 'Group' and 'Privilege' entries (see the third figure in the attached doc file). Does this sound correct?

I now suspect something has been messed up somewhere in the account/system/policy setup, but I don't have enough expertise in those areas. Please provide any help based on my information above.

It's kind of too wordy but I have tried to provide as much detailed info as possible.

Again thank you both for replying,
Peter
0 Kudos
rguggisberg
Level 13

Peter,
In Vista there are admin users and there is 'THE' admin user. I ran a little test and I get your results if I am logged on as an admin, but it works fine if I am logged on as THE admin.
Try right-clicking on your test bat file and selecting 'Run as administrator'. I bet that works. If you are an administrator, Vista will prompt for you to continue. If you are not an administrator, it will prompt for the administrator password. Of course this assumes that you have UAC enabled.

You can view your users in Control Panel, User Accounts, 'Manage another account'
Ron
0 Kudos
peterbi
Level 7

Hi Ron,

Thank you for your help on testing my project. I will test with your reply later.

With all that said, so there is NO WAY to check for admin rights on Vista with UAC on, either by InstallShield or any programs that can be invoked by InstallShield? Only when you are 'THE' administrator will all the documented functions/properties work, right? That's so sad (to both Microsoft and InstallShield).

As stated from the very beginning, what I wanted is to detect if the current user (process/thread or whatever you name it) has privileged/admin rights, ON VISTA WITH UAC ON BUT DO NOT ELEVATE (via UAC dialog). I think it's not that hard, and it should be considered a relatively common case in package installation requests. But it turned out to be the end of THE (INSTALLSHIELD/MICROSOFT) world :mad: Sigh...
0 Kudos
rguggisberg
Level 13

Peter,
Yes, you can check without being THE admin. The OPENFILES command will fail if you are not THE admin... that is how you know... by checking the ERRORLEVEL of the OPENFILES command. If the OPENFILES does not fail, then you know that you ARE THE admin.
Best wishes,
Ron
0 Kudos