I have a WSI installer package that I'm using to install my application. The application itself can be run by a normal user, but I have a configuration app that should only be run by a system administrator. Thus, I don't want it to appear in the Start Menu for all users, just for the administrator.

Is there any way to tell Windows Installer to create some shortcuts for all users, and others for administrator only?

+1  A: 

Usually the All Users directory (C:\Documents and settings\All Users) holds the shortcuts that appear everywhere. If you want it only for the Administrator group, you should put it in C:\Documents and settings\Administrator or whatever the name of the user is (this can probably be found during installation, which requires administrative rights).

Iulian Şerbănoiu
+1  A: 

Since I doubt that you will know the name of every admin, and there is no start folder for just admins, I think a better solution would be for you to have the configuration app check whether the user running it is an admin and exit gracefully if it is not.

EDIT:

Perhaps I should explain further why I think adding the shortcut for just admins is a case of solving the wrong problem. Here are some scenarios that I think will illustrate the pitfalls:

1) What if you look in the local admins group and add the shortcut for every user listed. Now a week later I am added to the local admins. I don't have the shortcut.

2) Often, especially in an enterprise, individuals are not listed in the local admins, groups are. You could in theory query AD to find the members of each group (let's not even consider nested groups here), then add the proper folders under Documents and settings for each of those users even though they may or may not ever log onto this machine. Even if you did, if that group membership changes, then some admin could log on and not have the shortcut.

3) Let's say that you add it for every admin. What happens when my admin rights are taken away? I'll still have the shortcut.

It is possible to get around some of these issues by having your MSI install a script that tests to see if the current user is an admin and, if they are, puts the shortcut in Start for them. Then register the script as an Active Setup item. Then whenever a new admin logs on they would get the shortcut. This would not, however, remove the shortcut if they lost their admin privileges.

Regardless of all of this, if I understand the situation, there is nothing preventing any user, admin or not, from going to whatever the shortcut points to and running it.

So, again I will say that adding the shortcut only for admins is solving the wrong problem. The right problem to solve is to make it so that you have to be an admin to run the config utility.

EBGreen
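
The check this answer recommends, written in PowerShell as an added example (not code from the thread or from the asker's application; the configuration app would do the equivalent in its own language). The function name `Get-AdminState` is hypothetical, and the script assumes `whoami.exe` is present (Windows Vista and later). It also separates the UAC case, where an administrator's unelevated token fails a plain role test.

```powershell
# Added example: gate a configuration tool on administrator rights.
# BUILTIN\Administrators has the well-known SID S-1-5-32-544.
$AdminSid = 'S-1-5-32-544'

function Get-AdminState {
    # Hypothetical helper. Returns 'Elevated', 'MemberNotElevated' or 'NotAdmin'
    # for the user running this script.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole is true only when the Administrators SID is enabled in this token.
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        return 'Elevated'
    }

    # Under UAC an administrator's unelevated token still lists the group, but
    # marked deny-only. whoami /groups prints every group SID in the token.
    $rows = & whoami.exe /groups /fo csv /nh |
        ConvertFrom-Csv -Header 'Name', 'Type', 'Sid', 'Attributes'
    if ($rows | Where-Object { $_.Sid -eq $AdminSid }) {
        return 'MemberNotElevated'
    }
    return 'NotAdmin'
}

switch (Get-AdminState) {
    'Elevated' {
        Write-Host 'Administrator rights confirmed; starting configuration.'
        # Placeholder: start the configuration UI here.
    }
    'MemberNotElevated' {
        Write-Warning 'You are an administrator, but this session is not elevated. Use "Run as administrator".'
        exit 1
    }
    default {
        Write-Warning 'This configuration tool can only be run by an administrator.'
        exit 1
    }
}
```

A check like this only gives a clean exit message; what actually stops a non-administrator is the access control on the settings the tool changes.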
+1  A: 

You can put the shortcuts in question inside a subfolder, and deny non-Administrator users access to the contents of the folder. They will see an empty folder, Administrator will see a folder full of shortcuts. This is not the ideal solution, but the best that a non-Administrator user can accomplish without privilege escalation.

Sparr
This is what I would consider to be the next best solution after making the app smart enough to not run for a non-admin.
EBGreen