Restricted Public Properties
In the case of a managed installation, the package author may need to limit which public properties are passed to the server side and can be changed by a user that is not a system administrator. Some restrictions are commonly necessary to maintain a secure environment when the installation requires the installer to use elevated privileges. If all of the following conditions are met, a user that is not a system administrator can only override an approved list of restricted public properties:
- The system is Windows 2000.
- The user is not a system administrator.
- The application or product is being installed with elevated privileges.
If all of the above conditions are true, the installer defaults to the following list of restricted public properties that can be changed by any user:
- ACTION
- AFTERREBOOT
- ALLUSERS
- EXECUTEACTION
- EXECUTEMODE
- FILEADDDEFAULT
- FILEADDLOCAL
- FILEADDSOURCE
- INSTALLLEVEL
- LIMITUI
- LOGACTION
- NOCOMPANYNAME
- NOUSERNAME
- MSIENFORCEUPGRADECOMPONENTRULES
- MSIINSTANCEGUID
- MSINEWINSTANCE
- MSIPATCHREMOVE
- PATCH
- PRIMARYFOLDER
- PROMPTROLLBACKCOST
- REBOOT
- REINSTALL
- REINSTALLMODE
- RESUME
- SEQUENCE
- SHORTFILENAMES
- TRANSFORMS
- TRANSFORMSATSOURCE
The author of an installation package can extend this default list to include additional public properties by using the SecureCustomProperties property.
Setting the EnableUserControl property or the EnableUserControlsystem policy extends the list to all public properties. All users can then change any public property.
The installer sets the RestrictedUserControl property whenever the list of public properties passed to the server by non-administrator users is restricted.
Related topics