PowerShell – Deploy MSI via GPO to specific users "Admin right issue"

Tags: group-policy, msi, powershell, scripting

I'm trying to deploy an MSI via GPO to specific users (120 users) from different departments and sites. The problem is that they don't have admin rights, so the application cannot be installed due to insufficient privileges.

Does anyone have an idea how to get around this problem?
Thanks

Best Answer

You must not be using the 'Installed Software' part of the group policy. The key here is understanding the context that the different parts of the group policy object run as in different scenarios.

If you're pushing out the MSI via a script and it's a logon script, the script runs with the logging-on user's credentials.

If you want to have this work, you need to deploy the script where it runs in an elevated context. The following are probably the most well known ways from group policy:

  • A startup script (runs as NT AUTHORITY\SYSTEM)
  • A scheduled task (can be run as NT AUTHORITY\SYSTEM)
  • Installed Software (runs as NT AUTHORITY\SYSTEM)

A startup script runs every time the machine starts up. After the machine account authenticates to the domain and gets its token from a domain controller, the machine evaluates the group policies it needs to apply. Any scripts identified in the Computer Configuration > Startup Scripts area are executed in the context of the process doing the policy update, which at startup is NT AUTHORITY\SYSTEM.

A scheduled task allows you to specify a task object that could appear in the Task Scheduler on the target machines. With a scheduled task, you have considerable abilities to specify what executes when, on what conditions/triggers, and with what context. This is probably the most versatile method of what's available.

You mentioned you were trying to push out an MSI. This actually allows you a different way to install the MSI. THIS ONLY WORKS IF THE FILE IS AN MSI OR CAN BE MADE INTO AN MSI. Group Policy provides a way through this mechanism to sort of tattoo a system with software so that it can't be removed unless specified as such in the policy object. Working with MSIs isn't the easiest and this mechanism isn't perfect. Working with Orca, cabinet file manipulation, and XML flags is too much to go into for this answer, but it's yet another way in which the GPO can install software (specifically MSI files).

HTH
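The first option in the answer above, a computer startup script that runs as NT AUTHORITY\SYSTEM, as an added worked example. This script is not from the original answer or the asker; the share path, product name, log directory and SHA-256 value are placeholders to replace with your own. It copies the MSI locally before checking its hash (so the file cannot be swapped between the check and the install), refuses to run an installer whose hash does not match, skips the install if the product is already present, and runs msiexec silently with a verbose log so failures on a machine you cannot see are still diagnosable.

```powershell
# Added example, not part of the original answer. Deploy under
# Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)
# > Startup > "PowerShell Scripts" tab. At startup this runs as NT AUTHORITY\SYSTEM.
# All values in this block are placeholders (assumptions); replace them.

$MsiPath      = '\\fileserver\Software$\ContosoApp\ContosoApp.msi'  # read-only share; Domain Computers need Read
$ProductName  = 'Contoso App'                                       # DisplayName as shown in Programs and Features
$ExpectedHash = 'REPLACE_WITH_SHA256_OF_THE_MSI'                    # pin the installer: SYSTEM runs whatever is at $MsiPath
$StageDir     = 'C:\Windows\Temp\ContosoApp'                        # writable by SYSTEM/admins, not by standard users

function Test-ProductInstalled {
    # Looks for the product in both the 64-bit and 32-bit Uninstall hives.
    param([string]$DisplayName)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq $DisplayName }
    return [bool]$found
}

function Install-PinnedMsi {
    # Copies the MSI to a local staging dir, verifies its SHA-256, then installs it.
    # Returns the msiexec exit code (0 = success, 3010 = success, reboot required).
    param([string]$SourcePath, [string]$Sha256, [string]$Stage)

    if (-not (Test-Path -LiteralPath $SourcePath)) {
        throw "MSI not found at $SourcePath"
    }
    $localMsi = Join-Path $Stage (Split-Path -Leaf $SourcePath)
    Copy-Item -LiteralPath $SourcePath -Destination $localMsi -Force

    # Hash the local copy, not the share: a writer on the share cannot race this check.
    $actual = (Get-FileHash -LiteralPath $localMsi -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Remove-Item -LiteralPath $localMsi -Force -ErrorAction SilentlyContinue
        throw "Hash mismatch for $localMsi (expected $Sha256, got $actual). Refusing to install."
    }

    $log = Join-Path $Stage 'install.log'
    # /qn: no UI (SYSTEM has no interactive desktop at startup anyway)
    # /norestart: do not reboot mid-startup; exit code 3010 reports that one is pending
    $msiArgs = @('/i', "`"$localMsi`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
Start-Transcript -Path (Join-Path $StageDir 'startup-script.log') -Append | Out-Null
try {
    # Record the context; the whole point of a startup script is that this is SYSTEM.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Output "Running as $who"

    if (Test-ProductInstalled -DisplayName $ProductName) {
        Write-Output "$ProductName already installed; nothing to do."
    } else {
        $code = Install-PinnedMsi -SourcePath $MsiPath -Sha256 $ExpectedHash -Stage $StageDir
        switch ($code) {
            0       { Write-Output 'Install succeeded.' }
            3010    { Write-Output 'Install succeeded; reboot required.' }
            default { Write-Warning "msiexec exited with $code; see $StageDir\install.log" }
        }
    }
} finally {
    Stop-Transcript | Out-Null
}
```

Two practical points follow from the script running as SYSTEM on the computer rather than as the user. First, a startup script targets machines, not people: to reach the 120 users, put their computers in a security group and use GPO security filtering (the computer accounts need Read and Apply Group Policy), or link the GPO to the OUs holding those computers. Second, anything SYSTEM executes from a share is code running with full privileges on every targeted machine, so the share should grant Domain Computers read access only and grant write access to no one but the packaging admins; the hash pin in the script is the backstop if that ACL is ever wrong.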