Microsoft Press Windows Vista Administrator's Pocket Consultant ebook
Use the Start menu to locate the program that you want to always run with different credentials.
Right-click the application's shortcut and then click Properties.
In the Properties dialog box, select the Shortcut tab.
Click the Advanced button.
In the Advanced Properties dialog box, shown in Figure 5-2, select the Run As Administrator check box.
Figure 5-2: Configure an application to run with different credentials.
Click OK.
The application will now always prompt for the credentials of another user before running if it requires more than a standard user access token. Keep in mind that if you are using a standard account and prompting is disabled, the application will fail to run.
Optimizing Virtualization and Installation Prompting for Elevation
With regard to applications, two areas of User Account Control can be customized:
Automatic installation detection and prompting
Virtualization of write failures
In Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, two security settings control the related behaviors. These security settings are:
User Account Control: Detect Application Installations And Prompt For Elevation Determines whether Windows Vista automatically detects application installation and prompts for elevation or consent. Because this setting is enabled by default, Windows Vista automatically detects application installations and prompts users for elevation or consent to continue the installation. If you disable this setting, users are not prompted, in which case, the users will not be able to elevate permissions by supplying administrator credentials.
User Account Control: Virtualize File And Registry Write Failures To Per-User Locations Determines whether file and registry virtualization is on or off. Because this setting is enabled by default, error notifications and error logging related to virtualized files and registry values are written to the virtualized location rather than the actual location to which the application was trying to write. If you disable this setting, the application will silently fail when trying to write to protected folders or protected areas of the registry.
In a domain environment, you can use Microsoft Active Directory directory service–based Group Policy to apply the desired security configuration to a particular set of computers. You can also configure these settings on a per computer basis using local security policy. To do this, follow these steps:
Click Start, All Programs, Administrative Tools, Local Security Policy. This starts the Local Security Policy console.
In the console tree, under Security Settings, expand Local Policies and then select Security Options.
Double-click the setting you want to work with, make any necessary changes, and then click OK.
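To confirm how the two settings are actually configured on a computer, the following PowerShell check reads them from the registry. It is an added example, not from the book; it assumes the policies are stored as the DWORD values EnableInstallerDetection and EnableVirtualization under the key shown, and the function and variable names are illustrative.

```powershell
# Added example; function and variable names are illustrative.
# Assumption: each policy is a DWORD (1 = enabled, 0 = disabled) under this key.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$UacAppSettings = @(
    @{ RegValue = 'EnableInstallerDetection'
       Policy   = 'Detect Application Installations And Prompt For Elevation'
       IfOff    = 'Users are not prompted and cannot elevate an installation.' },
    @{ RegValue = 'EnableVirtualization'
       Policy   = 'Virtualize File And Registry Write Failures To Per-User Locations'
       IfOff    = 'Applications silently fail when writing to protected locations.' }
)

function Get-UacAppSetting {
    param([string]$Path = $UacKey)
    # A missing key or value yields $null rather than an error.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($s in $UacAppSettings) {
        $raw = $null
        if ($props) { $raw = $props.($s.RegValue) }
        if ($null -eq $raw) { $state = 'Not set';  $note = 'Default behavior applies.' }
        elseif ($raw -eq 0) { $state = 'Disabled'; $note = $s.IfOff }
        else                { $state = 'Enabled';  $note = '' }
        New-Object PSObject -Property @{
            Policy = $s.Policy; RegValue = $s.RegValue; State = $state; Note = $note
        }
    }
}

# Report both settings for the local computer.
Get-UacAppSetting | Format-List Policy, RegValue, State, Note
```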
Installing Programs: The Essentials
Program installation is fairly straightforward. Not so straightforward are troubleshooting the many things that can go wrong and fixing problems. To solve problems that might occur, you first need to understand the installation process. In many cases, the typical installation process starts when Autorun is triggered. Autorun in turn invokes a setup program. Once the setup program starts, the installation process can begin. Part of the installation process involves checking the user's credentials to ensure he or she has the appropriate privileges to install the program, and prompting for consent if he or she doesn't. As part of installing a program, you might also need to make a program available to all or selected users on a computer.
Working with Autorun
When you insert an application CD or DVD into a CD or DVD drive, Windows Vista checks for a file named Autorun.inf. If present, Autorun.inf specifies the action that the operating system should take and can also define other installation parameters. Autorun.inf is a text-based file that can be opened in any standard text editor. If you were to examine the contents, you'd see something similar to the following code:
[autorun]
OPEN=SETUP.EXE AUTORUN=1
ICON=SETUP.EXE,4
SHELL=OPEN
DisplayName=Microsoft Digital Image Suite 9
ShortName=PIS
PISETUP=PIP\pisetup.exe
This Autorun.inf file opens a file named Setup.exe when the CD or DVD is inserted into the CD or DVD drive. Because the file is an actual program, this program is invoked. The Autorun.inf file also specifies an icon to use, the status of the shell, the program display name, the program's short name, and an additional parameter, which in this case is the location of another setup program to run.
The file specified to open won't always be a program. Consider the following example:
[autorun]
OPEN=Autorun\ShelExec default.htm
This Autorun.inf file executes a shell and opens a file named Default.htm when the CD or DVD is inserted into the CD or DVD drive. As a result, when Autorun.inf is triggered, Default.htm opens in the computer's Web browser. It's important to note that even in this case, the document opened in the Web browser contains links that point to a setup program.
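Before trusting a disc, it helps to see exactly which Autorun.inf entries start something and which are only descriptive. The following PowerShell parser is an added example, not from the book; the sample text is constructed from the two listings above (the first abridged), the function names are illustrative, and it also checks the standard shellexecute and shell\verb\command keys, which these listings do not use.

```powershell
# Added example. Sample input is constructed from the two listings in the text.
$setupDisc = @'
[autorun]
OPEN=SETUP.EXE AUTORUN=1
ICON=SETUP.EXE,4
SHELL=OPEN
DisplayName=Microsoft Digital Image Suite 9
'@
$htmlDisc = @'
[autorun]
OPEN=Autorun\ShelExec default.htm
'@

# Parse the [autorun] section into a hashtable of lower-cased key names.
function ConvertFrom-AutorunInf {
    param([string]$Text)
    $section = ''
    $keys = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLower(); continue }
        if ($section -eq 'autorun' -and $line -match '^([^=]+)=(.*)$') {
            $keys[$matches[1].Trim().ToLower()] = $matches[2].Trim()
        }
    }
    $keys
}

# Report only the entries that start something when the disc is inserted.
function Get-AutorunLaunchTarget {
    param([string]$Text)
    $keys = ConvertFrom-AutorunInf $Text
    foreach ($name in $keys.Keys) {
        $launches = $name -eq 'open' -or $name -eq 'shellexecute' -or
                    $name -match '^shell\\[^\\]+\\command$'
        if (-not $launches) { continue }
        $cmd = $keys[$name]
        # The first token (or quoted path) is the file launched; the rest is arguments.
        if ($cmd -match '^"([^"]+)"\s*(.*)$') {
            $target = $matches[1]; $rest = $matches[2]
        } else {
            $target, $rest = $cmd -split '\s+', 2
        }
        New-Object PSObject -Property @{ Key = $name; Target = $target; Arguments = $rest }
    }
}

$setupDisc, $htmlDisc | ForEach-Object { Get-AutorunLaunchTarget $_ } |
    Format-Table Key, Target, Arguments -AutoSize
```

To inspect real media, pass the file's text instead of the samples, for example the lines returned by Get-Content joined with newlines.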
Tip
With an application CD or DVD in a drive, you can restart the Autorun process at any time. Simply open and then close the drive bay.
Application Setup and Compatibility
Most applications have a setup program that uses InstallShield, Wise Install, or Microsoft Windows Installer. When you start the setup program, the installer helps track the installation process and should also make it possible to easily uninstall the program. If you are installing an older application, the setup program might use an older version of one of these installers, and this might mean the uninstall process won't completely uninstall the program.
Even if you are absolutely certain a program has a current installer, you should consider the possibility that you will need to recover the system if something goes wrong with the installation. To help ensure that you can recover your system, you should create a System Restore checkpoint before installing the program, as discussed in Chapter 16, "Supporting and Troubleshooting Windows Vista." Then if you run into problems, you can try to uninstall the program and use System Restore to recover the system to the state it was in prior to installing the program.
Before installing any application, you should check to see whether it is compatible with Windows Vista. To determine compatibility, you can perform the following checks:
Check the software packaging, which should specify whether the program is compatible. Look for the Microsoft Windows Vista logo.
Check the software developer's Web site for a list of compatible operating systems.
Note
Also as part of the compatibility check, check for updates or patches for the program. If available, install updates or patches after installing the program.
With legacy applications, Windows Vista uses the Program Compatibility Assistant to automatically make changes for known compatibility issues. If the Program Compatibility Assistant detects a known compatibility issue when you run a legacy application, it notifies you about the problem and provides possible solutions for resolving the problem automatically. You can then allow the Program Compatibility Assistant to reconfigure the application for you, or you can elect to manually configure compatibility as discussed in the "Configuring Program Compatibility" section of this chapter.
For legacy applications, you can also use the Compatibility Administrator (CompatAdmin.exe), provided in the Windows Application Compatibility Toolkit, to create an application manifest that sets the application's run level. The Compatibility Administrator can also help identify other types of compatibility issues with legacy applications. The Windows Application Compatibility Toolkit can be downloaded from http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx.
Permissions Required for Installing, Uninstalling, and Maintaining Applications
To install programs under Windows Vista, you must either use an account with administrator permissions or provide administrator permissions when prompted. Keep the following in mind:
If you are using a standard user account, you will be prompted for consent when you run the application's setup program. If prompting for consent is disabled, you will not be able to install applications.
If you are using an administrator account, you will be prompted for consent when you run the application's setup program. If prompting for consent is disabled, the application's setup program will run immediately.
Administrator privileges are also required to uninstall applications. In many cases, however, you can perform maintenance tasks, such as modifying or repairing an application, with a standard user account.
Making Programs Available to All or Selected Users
Usually when you install a program, the program is made available to all users on a computer. This occurs because the program's shortcuts are placed in the Start Menu folder (%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu) for all users so that any user who logs on to a system has access to the program. Some programs prompt you during installation to choose whether you want to install the program for all users or only for the currently logged on user. Other programs simply install themselves only for the current user.
If setup installs a program so that it is only available to the currently logged on user and you want other users to have access to the program, you'll need to take one of the following actions:
Log on to the computer using each user account that should have access to the program. Then rerun setup. In this way, you can selectively make the program available to the appropriate users. You will also need to remember to run setup again each time a new user account is added to the computer and that user needs access to the program.
For programs that don't require per-user settings to be added to the registry before running, you can in some cases make the program available to all users on a computer by adding the appropriate shortcuts to the Start Menu folder for all users. Copy or move the program shortcuts from the currently logged on user's profile to the Start Menu folder for all users.
If you want to make a program available to all users on a computer, you can copy or move a program's shortcuts by completing the following steps:
Right-click the Start button and select Explore. This starts Windows Explorer with the currently logged on user's Start Menu folder selected.
Under Programs, right-click the folder for the program group or the shortcut you want to work with. Then select Copy or Cut from the shortcut menu.
Right-click the Start button and select Explore All Users. This starts Windows Explorer with the Start Menu folder for all users selected.
Right-click Programs and then select Paste. The program group or shortcut should now be available to all users of the computer.
If you want to make a program available only to the currently logged on user rather than all users on a computer, you can move a program's shortcuts by completing the following steps:
Right-click the Start button and select Explore All Users. This starts Windows Explorer with the Start Menu folder for all users selected.
Select Programs, right-click the folder for the program group or shortcut that you want to work with, and select Cut.
Right-click the Start button and select Explore. This starts Windows Explorer with the currently logged on user's Start Menu folder selected.
Right-click Programs and then select Paste. The program group or shortcut should now be available only to the currently logged on user.
Note
Moving the program group or shortcut hides the fact that the program is available on the computer; it doesn't prevent other users from running the program. Using the Run dialog box or Windows Explorer, other users on a computer will still be able to run the program.
Deploying Applications Through Group Policy
You can make applications available to users over the network through Group Policy. When you use Group Policy to deploy applications, administrators have two distribution options.
The first option is to assign the application to users or computers. When an application is assigned to a computer, it is completely installed the next time the computer is restarted and becomes available to all users of that computer the next time they log on. When an application is assigned to a user, it is completely installed the next time the user logs on to the network. An assigned application can also be configured for install-on-first-use. In this configuration, the application is made available through shortcuts on the user's desktop or Start menu. With install-on-first-use configured, the application installs when the user clicks on a shortcut to launch the application.
The second option is to publish the application and make it available for installation. When you publish an application, the application can be made available through extension activation. With extension activation configured, the program is installed when a user tries to open any file with an extension specific to the application. For example, if a user double-clicks a file with a .doc extension, Microsoft Word could be installed automatically using an extension activation configuration.
You deploy applications for computers using a Microsoft Windows Installer Package (.msi file) and Computer Configuration\Software Settings\Software Installation policy. You deploy applications for users using a Windows Installer Package (.msi file) and User Configuration\Software Settings\Software Installation policy. The basic steps required to deploy applications through Group Policy are as follows:
For clients to access the Windows Installer Package, it must be located on a network share. As necessary, copy the Windows Installer Package (.msi file) to a network share that will be accessible to the appropriate users.
Access the Group Policy Object (GPO) from which you want to deploy the application in the Group Policy Object editor. Once deployed, the application will be made available to all clients for which the GPO is applicable. This means the application will be available to computers and users in the related domain, site, or organizational unit (OU).
Expand Computer Configuration\Software Settings or User Configuration\Software Settings as appropriate, right-click Software Installation, point to New, and then select Package.
Use the Open dialog box to locate the Windows Installer Package (.msi file) for the application and then click Open. You are then given the choice to select the deployment method as Published, Assigned, or Advanced.
To publish or assign the program, select Published or Assigned as appropriate and then click OK. If you are configuring computer policy, the program is available the next time a computer affected by the GPO is restarted. If you are configuring user policy, the program is available to users in the domain, site, or OU the next time they log on. Currently logged on users will need to log off and then log on.
To configure additional deployment options for the program using the properties sheet, select Advanced and then click OK. You can then set additional deployment options as necessary.
Configuring Program Compatibility
When you want to install 16-bit or MS-DOS programs, you might need to make special considerations. Additionally, sometimes to get older programs to run, you might need to adjust compatibility options. Techniques for handling these situations are discussed in the following sections.
Special Installation Considerations for 16-Bit and MS-DOS Programs
Many 16-bit and MS-DOS programs that don't require direct access to hardware will install and run on Windows Vista without any problems. However, most 16-bit and MS-DOS programs do not support long file names. To help ensure compatibility, Windows Vista maps between long and short file names as necessary. This ensures long file names are protected when they are modified by a 16-bit or MS-DOS program. Additionally, it is important to note that some 16-bit and MS-DOS programs require 16-bit drivers, which are not supported on Windows Vista and as a result, these programs won't run.
Most existing 16-bit and MS-DOS programs were originally written for Windows 3.0 or Windows 3.1. Windows Vista runs these older programs using a virtual machine that mimics the 386-enhanced mode used by Windows 3.0 and Windows 3.1. Unlike earlier Windows releases, each 16-bit and MS-DOS application runs as a thread within a single virtual machine. This means if you run multiple 16-bit and MS-DOS applications, they all share a common memory space. Unfortunately, if one of these applications hangs or crashes, it usually means the others will as well.
You can help prevent one 16-bit or MS-DOS application from causing others to hang or crash by running it in a separate memory space. To do this, follow these steps.
Right-click the program's shortcut icon and then select Properties. If the program doesn't have a shortcut, create one and then display the shortcut's Properties dialog box.
On the Shortcut tab, click the Advanced button. This displays the Advanced Properties dialog box.
Select the Run In Separate Memory Space check box.
Click OK twice to close all open dialog boxes and save the changes.
Note
Running a program in a separate memory space uses additional memory. However, you'll usually find that the program is more responsive. Another added benefit is that you'll be able to run multiple instances of the program—as long as all the instances are running in separate memory spaces.
Tip
The Windows Vista command prompt (CMD.EXE) is a 32-bit command prompt. If you want to invoke a 16-bit MS-DOS command prompt, you can use COMMAND.COM. Type command in the Run dialog box.
Forcing Program Compatibility
Some programs won't install or run on Windows Vista even if they work on previous versions of the Windows operating system. If you try to install a program that has known compatibility problems, Windows Vista should display a warning prompt telling you about the compatibility issue. In most cases, you won't want to continue installing or running a program with known compatibility problems, especially if the program is a system utility such as an antivirus program or a disk partitioning program, because running an incompatible system utility can cause serious problems. Running other types of incompatible programs can also cause problems, especially if they write to system locations on disk.