Guys, girls, I'm a developer so forgive my naivete on system fronts, I've come for the gurus who know better than I on these issues.
I am trying to be a corporate citizen and not run my services on Win2k3 server as administrator. Unfortunately there is a "configuration manager" which will need to from time to time upgrade the entire application via an MSI.
I've been desperately trying to find information on MSDN but they all end up hyperlinking away to something which isn't an answer, so I have read that you can "bless" an MSI to run as administrator. This scenario is OK, if the application needs a blessing from the IT dept, but the application must be able to call the MSI (i.e. to rollback a failed upgrade) automatically.
I'm trying desperately to avoid lowering the security of the environment and to run with the least privileges possible. AFAIK there is no SMS available, but I do have a full domain setup which can have settings changed etc.
UPDATE: The installation has to install a Windows service, so it must run with administrative privilege.
I'd try to publish the MSI in AD, that way you can also upgrade the app by using patch files (MSP) if that's appropriate. You can have the app install on restart (in startup) where it will run as the system account. Is this a route that works for you?
Have you tried simply changing the security settings on the installation folder and appropriate registry keys? Often when something won't run as administrator it's because it is trying to do stuff in file locations that are read only to non-admins (aka Program Files and anything in the HKEY_LOCAL_MACHINE registry hive). Once you change those permissions it should be able to run and execute in there fine. Just do some digging to find out what user account the application actually runs as and give that account what it needs.
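
The permission change suggested in the answer above, scoped to a single service account and a single folder and key instead of loosening Program Files or HKEY_LOCAL_MACHINE as a whole. This is an added example, not code from the thread; the account name, folder and registry key are hypothetical placeholders, and it assumes PowerShell is installed on the server and is run from an administrative session.

```powershell
# Hypothetical values (assumptions, not from the thread): replace with your own.
$account = 'CONTOSO\svc-myapp'          # account the service actually runs as
$folder  = 'C:\Program Files\MyApp'     # application installation folder
$regKey  = 'HKLM:\SOFTWARE\MyApp'       # application registry key

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    # Add an inheritable Allow/Modify ACE for one identity on one folder.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryWrite {
    param([string]$Path, [string]$Identity)
    # Add an inheritable Allow ACE (read + write, no ACL or owner changes) on one key.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitGrants {
    param([string]$Path, [string]$Identity)
    # List the non-inherited ACEs for the identity so the change can be reviewed.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited }
}

# Fail early if either target is missing, so nothing is changed by mistake.
foreach ($target in $folder, $regKey) {
    if (-not (Test-Path -Path $target)) { throw "Target not found: $target" }
}

Grant-FolderModify  -Path $folder -Identity $account
Grant-RegistryWrite -Path $regKey -Identity $account

# Show what the account now holds on each target.
Get-ExplicitGrants -Path $folder -Identity $account | Format-List
Get-ExplicitGrants -Path $regKey -Identity $account | Format-List
```

An account with Modify on its own installation folder can replace the binaries it runs, so where the application allows it, point the grant at a data or configuration subfolder instead of the folder that holds the executables.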