Windows Performing per-user installations on Windows Server

Instead of performing machine-wide installations, some applications like IAP Desktop do per-user installations. That means all files are installed to the (roaming) user profile and not to c:\Program Files\. It also means that the installation doesn’t require administrative privileges, which is a big plus in corporate environments.

Unfortunately, per-user installations typically don’t work on Windows Server: If we try to run a per-user installation package, Windows Installer will bark at us with a rather unhelpful error message:

The system administrator has set policies to prevent this installation.

The policy that this error message refers to is the DisableUserInstalls group policy, which:

[...] is a per-machine system policy that can be used when the administrator only wants per-machine applications installed.
[...] An attempt to perform an installation in the per-user installation context causes the installer to display an error message and stops the installation. In this case, the Windows Installer also prevents per-user installations from a terminal server.

That’s good to know, but what if we really want to install a per-user installation package like IAP Desktop?

Run with elevation

If we have administrative privileges on the affected machine, we can override the policy by launching the installer with elevated privileges:

  1. Start an elevated command prompt
  2. Launch the installer:

    msiexec /i "IapDesktop.msi"

    Note that msiexec is rather picky about how we specify the package name/path and won’t accept “.\IapDesktop.msi” as a valid path.

Changing the policy

A more permanent way to deal with the DisableUserInstalls policy is to change it, either by using a group policy or by editing the local group policy on the server:

  1. In the Group Policy Editor navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Installer

  2. Open the Prohibit User Installs policy and configure the following settings:

    • Status: Enabled
    • User install behavior: Allow user installs

    Click OK.

  3. Open the Turn off Windows Installer policy and configure the following settings:

    • Status: Enabled
    • Disable Windows Installer: Never

    Click OK.

But changing policies also requires administrative privileges – what if we don’t have these? Then we can use another option, which is to perform an administrative install.

Performing an administrative installation

Instead of letting Windows Installer perform a regular installation, we can request it to perform an administrative installation. During an administrative installation, msiexec extracts all files embedded in the MSI files, but does not apply any configuration changes that a regular installation would entail.

Administrative installations were initially intended to serve a couple of purposes, but primarily to save resources:

  • By serving extracted files on a network share, client computers can perform installs, repairs, and reinstalls of the respective package without having to download the entire MSI over the network.

    If the MSI is only a few MB in size, serving the extracted files might provide little advantage over simply putting the MSI file on the file share – but in the case of large MSI packages, being able to directly access selected files could help save some bandwitdth and speed up the installation.

    Back in the days when disk space was scarce, some MSI packages also allowed certain features to be advertised only. These features were then installed on first use – and having a file share that contained the extracted installation media could make a real difference in how fast this on-demand installation could be performed.

  • Similar to advertising a feature, Windows Installer allows features to be run from source. In this case, the files are not copied to the local disk at all but read from the network share remotely every time they are needed. Again, the idea is to save disk space on the client computer.

Today, disk space is rarely an issue, so features like advertised installs and run from source have mostly lost their appeal. However, administrative installations are still a handy way to extract an MSI file – and that doesn’t require administrative privileges.

Because an administrative installation doesn’t do anything beyond extracting files, it’s not a proper installation. Registry keys, services, start menu entries – there might be all sorts of resources a proper installation creates, but an administrative installation doesn’t.

Fortunately, the IAP Desktop installer is pretty lightweight, and none of these limitations are a problem. To install IAP Desktop on Windows Server without administrative privileges, we can therefore:

  1. Open a command prompt.

  2. Download the installer and save the MSI to the Downloads directory.

  3. Run the installer:

    msiexec /A "%USERPROFILE%\Downloads\IapDesktop.msi" TARGETDIR="%APPDATA%" /QB!

    Notice the following command line switches in the command:

    • /A instructs msiexec to perform an administrative install
    • TARGETDIR specifies the directory to extract files to
    • /QB! runs the installation silently
  4. View the extracted files:

    explorer "%APPDATA%\Google\IAP Desktop" 

IAP Desktop is now ready to run – the only thing missing is an entry in the start menu.

Any opinions expressed on this blog are Johannes' own. Refer to the respective vendor’s product documentation for authoritative information.
« Back to home