The information in this article applies to the following products:
Prism Deploy
Prism Pack
PC Updater
PictureTaker Enteprise Edition
Problem:
SIFs created with any version of PC Updater or PictureTaker and versions 5.0 and earlier of Prism Deploy and Prism Pack produce an error message when a non-admin user is logged in. The error differs slightly depending upon the version that was used to create the SIF. Below are some screenshots showing the error produced by SIFs from 3 different versions of Prism.
SIF created with Prism Deploy or Prism Pack 5.0
SIF created with Prism Deploy or Prism Pack 4.11
SIF created with Prism Deploy or Prism Pack 4.02
Explanation:
Microsoft made an architectural change in Windows 2000 SP4 and Windows Server 2003 that added a new privilege - the ability to impersonate another account (SeImpersonatePrivilege). Under Windows 2000 SP4 and Windows 2003 Server, the security policy governing the impersonation privilege is by default granted only to administrators, service accounts and COM+ processes running as specific identities.
The introduction of this policy in its default configuration has an adverse effect on SIFs that were created with older versions. When a typical user is logged in, the SIFs (via prismxl.sys) are denied the ability to use the impersonate privilege, thus they cannot create files or registry entries in locked-down areas because neither the logged in user nor prismxl.sys has the necessary rights.
Resolution:
1) Upgrade your target machines to version 5.1. Browse to the related tech note Q10015: How to Upgrade Prism Deploy 4.x or 5.x to Prism Deploy 5.1.1 for details.
2) Update SIFs to version 5.1: Open the SIF in the 5.1 Prism Pack or Prism Deploy Editor. Next, open the properties page of the SIF, then click OK. This will update the SIF’s engine to use the re-architected prismxl.sys, which is allowed to use the impersonation privilege.