Open bevanweiss opened 2 months ago
I'm unsure what things might break without the LocalSystem elevated aspect for CreateUser / RemoveUser / User Group memberships.
It would break all installs that do not launch from an elevated process. Therefore, you cannot change the Impersonate bit on the existing CustomActions. New CustomActions could be created that are Impersonated but they will fail unless the package is launched from an elevated process which is not something you can control from within the MSI package.
Installing domain users is not a bug fix. It's a feature.
I thought I'd been testing as non-elevated already. But I'll double check.
My original plan was to create new Custom Actions which would just be Impersonated versions, and they would call the exact same functions. The sched would then use either the CreateUser or CreateDomainUser as applicable based on whether the target user had an assigned domain or not. However it would have been a relatively big change for the UserGroup assignments, since they are currently done in the same CA deferred execution, and for a domain user, they might be joining a domain group.. which would need impersonation, or a domain user might be joining a local group, which as you say requires no impersonation (to elevate)
@bevanweiss - do you want this issue assigned to you, since you're working on the PR?
@bevanweiss - do you want this issue assigned to you, since you're working on the PR?
@barnson that sounds like a plan. My concept for the User domain stuff is still very much in line with (and would leverage some of the items in..) what I've got already 'ready for review' for the Group domain stuff.
Rob and I are both behind on PR reviews but we haven't forgotten! :)
WiX Version
5.0.0+41e11442
.NET or MSBuild or Visual Studio Version
8.0.400-preview.0.24324.5,
HeatWave Version
1.0.4.5
Windows Version
Win11 22H2 22621.3737
Repro Repo
No response
Repro Steps
When an MSI with the below component is run by a Domain Administrator on a domain joined workstation, the installation fails when the CreateUser custom action is run.
This is because whilst the Domain Administrator has adequate permissions to perform the domain action to create the user, the custom actions to actually CreateUser / RemoveUser (and RollBack) are performed without Impersonation of the Domain Administrator (and hence run as LocalSystem, not a valid user for domain actions)
If these are changed to
Then things work fine for creation of Domain Users. I'm unsure what things might break without the LocalSystem elevated aspect for CreateUser / RemoveUser / User Group memberships.
Actual Result
Installation failed. er = 5 (ERROR_ACCESS_DENIED) No user created in domain.
Expected Result
Installation succeeded. Domain user
testName1
created onTESTDOMAIN
domain.Acknowledgements