mrroonie

give domain users rights to update existing installed programs

Hello all

i have a few 7 Pro boxes in my domain and every couple of weeks their users are asking me to install updates for adobe reader, quicktime, java etc. as they are being bugged by the 'you have updates' popups.

i have heard there is a program you can install on the server that lets them install updates but doesn't give them admin rights so they can't install rubbish i don't want on my network, but i'll be damned if i can remember what it's called.

is there a way to do this via GPO? if possible i would prefer it done via policy, but if not a free 3rd party app would be good enough.

my DC is Windows Server std 2008.

any ideas appreciated
Mohamed Ghousullah Hafeez

These pop-ups come because while the system is rebooted there are some startup scripts or plugins which check the current version and provide the update popup.

Find the path for update plugin for Adobe, Quicktime and Java and disable those startup scripts through GPO or through Windows Defender in each machine.
mrroonie

ASKER

thanks for the reply but i would rather let the users update them themselves, saves me installing a ton of updates every time i'm at their machine trying to fix something else altogether
There is no simple way to "allow" users to install the updates themselves, but you can stop the autoupdaters from running. You can then use GPO to distribute the current versions in full to users.

Java
http://www.windowsitpro.com/article/java/use-group-policy-to-distribute-jre-with-its-automatic-update-feature-disabled

Adobe CS5
http://kb2.adobe.com/cps/850/cpsid_85016.html

Adobe Flash
http://kb2.adobe.com/cps/167/16701594.html

Apple Quicktime
http://www.appdeploy.com/packages/detail.asp?id=520

Adobe Acrobat
http://kb2.adobe.com/cps/837/cpsid_83709.html
thanks for the reply ltubnor but the problem with that is for example i have a couple of users who need to run an older version of java for certain bespoke apps - that means i'd have to set up a standard OU for a lot of people, and then various different OUs for the users requiring older versions of whatever program they need. this includes java, firefox, flash player, even adobe reader (don't ask!).

i'm looking for a free version of this - http://www.gfi.com/network-security-vulnerability-scanner/

i know it's out there somewhere as i remember speaking to someone about it. the only problem is i can't remember who, and i can't remember what the name of it was
There is a handy program out there called Patch My PC that would definitely simplify the process for you quite a bit, but the person who initiates the updates would still need to have admin rights:

http://www.patchmypc.net/
hi Run5k,

yes it's that sort of thing i'm looking for, but at a domain-wide level that can be run server-side with admin creds so i don't have to do it on individual machines
There is no easy way to do this..... I agree with blocking the app updates, and having standard versions. It's less of a support nightmare that way.

There are some methods to do what you want, but you are talking about tracking down every reg key/folder/file that gets updated during an upgrade, and allowing permissions to the Users group. That's a bigger nightmare even...

Then there are policies like the "Always Install Elevated" policy, that allows all installers to run with elevated permissions, but there you go with the nightmare scenarios again.....

It really is best to be a managed process....
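
Added example, not part of the original thread: a PowerShell check for the "Always Install Elevated" policy mentioned above, so an admin can confirm it has not been switched on as a shortcut. It assumes the standard policy key `SOFTWARE\Policies\Microsoft\Windows\Installer` and value `AlwaysInstallElevated`; the function name `Get-InstallerPolicyState` is hypothetical.

```powershell
# Added example: report whether the Windows Installer "Always install with
# elevated privileges" policy is set. The policy only takes effect when the
# value is 1 in BOTH the machine hive (HKLM) and the user hive (HKCU).
$valueName = 'AlwaysInstallElevated'
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicyState {   # hypothetical helper name
    param([string]$Key, [string]$Name)

    $state = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        # A missing key or value means "not configured" for that hive.
        $item = Get-ItemProperty -Path "${hive}:\$Key" -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $state[$hive] = [int]$item.$Name } else { $state[$hive] = $null }
    }

    $machineOn = ($state['HKLM'] -eq 1)
    $userOn    = ($state['HKCU'] -eq 1)

    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Account   = $env:USERNAME
        Machine   = $state['HKLM']
        User      = $state['HKCU']
        Effective = ($machineOn -and $userOn)   # both hives set: policy is live
        Partial   = ($machineOn -xor $userOn)   # one hive set: half-configured
    }
}

$result = Get-InstallerPolicyState -Key $policyKey -Name $valueName
$result | Format-List Computer, Account, Machine, User, Effective, Partial

if ($result.Effective) {
    Write-Warning 'AlwaysInstallElevated is active: every MSI this user launches installs with elevated privileges.'
} elseif ($result.Partial) {
    Write-Warning 'AlwaysInstallElevated is set in one hive only; clear it so it cannot become active.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled for this machine/user.'
}
```

HKCU is the hive of the account running the script, so run it in the user's own context (for example as a logon script) to see what that user actually gets.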
ok, everyone seems to be suggesting what i want to do is a bad idea and will create a lot more work for me.

the thing is - it sounds to me that if i do disable the autoupdaters and then push the current version out via GPO - wouldn't that create a load more work for me? as i'd have to find all the current versions for flash player etc then change the GPO every other week, or whenever a newer version came out. and as i posted previously i'd need to create several GPOs to make sure the right PCs got the right patches.

also - pushing newer versions out via GPO - this would definitely just overwrite the version already installed wouldn't it? after a while i wouldn't find 6 versions of flash player in programs and features?

i was hoping for something resembling a customizable WSUS, that once i told it what to look for it would find the patches for me and push them out after i've approved them.  is there nothing like that out there? i've found a few that look like they do what i want them to but they aren't cheap. does anyone have any experience with those?
ASKER CERTIFIED SOLUTION
Don

This solution is only available to members.
Forgot about that path....

BeyondTrust Introduces PowerBroker Desktops Free Edition
http://www.beyondtrust.com/PressReleases/PowerBroker-for-Desktops-Free-Edition.aspx?section=Press-Releases

Just adding to dstewartjr's thoughts, similar product.....  (no assist wanted if you choose his answer, or this one)...
thanks guys - this is the sort of thing i want, sorry for the late reply. i've had a look at the links and it looks like i'm going to have to go for the localupdatepublisher - i like the idea of pushing them out as per WSUS, and the other 2 look like they are going to cost a small fortune (PA was over £1000 for 150 workstations)

i've installed the localupdate publisher on the WSUS server but every time i try to open it i am getting hit with:

WsusInvalidServerException: could not connect to WSUS server.
Exception of type
'Microsoft.Update.Services.Administration.WsusInvalidServerException' was thrown.

i have made sure it's pointing to local host, have double checked i've installed the 64 bit version. there is nothing in the event log about this, it just pops up when i try to open the update publisher.

it's server 2008 std x64 - NOT R2

any idea what's going on? i've searched the help on the localupdate... website but it seems i'm the only one (un)lucky enough to receive this error
doh! forgot to 'run as administrator' - error's sorted. just testing it out to make sure it works so i can assign points

thanks for your help! really appreciated
Excellent - local update publisher is the way forward. thanks