Setup cannot set correct folder permission for %ProgramData%\MyFirm\MyApp on WinServer2012+.
Problem description
There is my BasicMsi setup that installs an application (32bit) MyApp per-machine. The installer requires admin rights at startup.
The application MyApp is installed into the INSTALLDIR-folder selected by the Operator (by UI/CommandLine) and a %ProgramData%\<MyFirm>\<MyApp> structure is created with subfolders and files.
In the msi-table LockPermissions, permissions are set to modify (read/write/delete...) for folder <MyApp> for LOCAL user groups 'Administrators' and 'Users' (located by SID).
Files in <MyApp> and subfolders are used and modified by the application MyApp at runtime.
The setup installs the application on systems from Win7 to Win10 and from WinServer2003 to WinServer2016 (32/64; UAC on/off).
The application is launched by the Operator(s) with account in the local user groups 'Administrators' or 'Users' (NOT 'Run as admin').
Problem:
After installation on WinServer2012 and WinServer2016 ONLY (WinServer2008 is not checked; and WinServer2003 - IS OK) an Operator with account in the local group Administrators or Users does not have permissions to write/delete/create files in the folder <MyApp> and subfolders.
The result - the application does not work correctly (ONLY for WinServer2012 and WinServer2016).
Help me, please, with Questions:
- what is the difference in folders permissions under %ProgramData%, or what is the difference of rights of local built-in user groups ('Administrators' or 'Users') for Win10 (or WinServer2003) versus (WinServer2012 and WinServer2016)?
- what else should be changed in the system (WinServer2012 and WinServer2016) by the installer so that accounts from the local groups Administrators or Users have write/delete rights in the folder %ProgramData%\<MyFirm>\<MyApp> without 'Run as Administrator' (UAC on/off)?
Thanks.
Recommended answer
UPDATE: Setting Permissions in Windows Installer: MSILockPermissionsEX and ISLockPermissions (using Installshield).
Permission Inspection: What are the actual permissions showing on the folder? You can use Windows Explorer => Properties => Security => Advanced => Double click user / group to see detailed access. Check for differences between the systems that work and don't work.
If that is not good enough maybe try SysInternals' AccessEnum or AccessChk tools to show details about the permissions defined for the object in question.
Privilege Inspection: I would also use Process Explorer to check what NT Privileges your process runs with - just to check for any differences ("torpedoes full spread" in sci-fi terms - as in "what the heck are we doing" - can't hurt). I don't really think this should affect things - privileges and permissions are different (privileges apply system-wide - such as changing system-time, log on as a service, etc... - permissions are defined for securable objects such as files and folders).
- Launch Process Explorer
- Double click your application process (if launched)
- Go to the "Security" tab and view the box below:
Logging: Did you do proper logging? If not, install and create a verbose log file. And maybe check my answer here. And a more elaborate version with more hints on understanding the log entries.
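The permission comparison recommended in the answer can be scripted so that the same report is produced on a system that works and on one that does not. The PowerShell below is an added example, not part of the original answer; the default path uses the question's placeholder folder names, and the groups are matched by their well-known SIDs, as the question's LockPermissions entries are.

```powershell
# Added example (not from the original post). The default path uses the
# question's placeholder folder names; pass -Path with the real folder.
param([string]$Path = (Join-Path $env:ProgramData 'MyFirm\MyApp'))

# Well-known SIDs of the built-in local groups, so localized names do not matter.
$groups = [ordered]@{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$modify      = [int][System.Security.AccessControl.FileSystemRights]::Modify
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$toFolders   = [int][System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$toFiles     = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit

$acl   = Get-Acl -LiteralPath $Path
# Explicit and inherited ACEs, with every trustee returned as a SID.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($sid in $groups.Keys) {
    $aces  = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })
    # Allow ACEs that contain every bit of Modify. ACEs that store generic
    # rights bits instead of file-specific bits are not decoded here.
    $allow = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $modify) -eq $modify)
    })
    [pscustomobject]@{
        Group           = $groups[$sid]
        # An inherit-only ACE applies to children but not to the folder itself.
        ModifyOnFolder  = [bool]($allow | Where-Object {
            ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 })
        ModifyOnSubdirs = [bool]($allow | Where-Object {
            ([int]$_.InheritanceFlags -band $toFolders) -ne 0 })
        ModifyOnFiles   = [bool]($allow | Where-Object {
            ([int]$_.InheritanceFlags -band $toFiles) -ne 0 })
        DenyEntries     = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
        ExplicitEntries = @($aces | Where-Object { -not $_.IsInherited }).Count
    }
}

# Owner and inheritance state are part of what differs between systems.
"Path: $Path"
"Owner: $($acl.Owner)  Inheritance blocked: $($acl.AreAccessRulesProtected)"
$report | Format-Table -AutoSize
```

With UAC on, a member of Administrators who is not elevated holds that group as deny-only in the process token, so an Allow entry for Administrators does not grant access to such a process and the Users row is the one that decides the outcome.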