Does Application Deployment Require Local Administrative Rights?

Posted on 2006-10-28
Medium Priority
Last Modified: 2008-01-09
In SBS 2003, I want to deploy the Shared Fax Client.  It's easy enough to do, however, when the installer runs on the client machine (when the user logs on), it aborts because the user does not have local admin rights to the machine.

I looked through all the app deployment options that SBS provides and I didn't see one that assigns a specific security context to the installation.  Have I missed it?  Other systems (such as Symantec Enterprise Anti-Virus) can remotely install their client apps without any user on the targeted client machine requiring admin rights.  And this makes sense because it's not good security policy to allow users even local admin rights to their machines.

Thus, my question here.  Microsoft isn't really expecting an account with local administrative rights to a client machine to have to be the one to log on in order to install SBS deployed apps, is it?
Question by:RG-MCSE

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17827843
Yes, Microsoft IS expecting an account with local administrative rights to the client machine to be the one to install SBS deployed apps...

When you join a workstation to an SBS Network the proper way (using http://<servername>/connectcomputer), you are asked which user account to assign to that workstation.  The wizard then makes that user a member of the local administrators group.  There are arguments for and against this practice... I personally don't really mind that this is done since local administrator privs don't allow much other than permission to install applications on that workstation.  I then control that with a Software Restriction Policy. (http://support.microsoft.com/kb/324036)

Fax deployment guide:  http://sbsurl.com/fax

Other security options for users on an SBS Network:  http://sbsurl.com/add
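
An added example, not part of the answer above and not SBS's own tooling: since connectcomputer puts the assigned user into each workstation's local Administrators group, this sketch audits captured `net localgroup Administrators` output and flags any member beyond the local Administrator, Domain Admins and that one assigned user. The domain name `SBSDOM`, the host names, the user names and the per-host assignment table are constructed assumptions.

```python
# Added example: audit `net localgroup Administrators` output per workstation.
# Domain, host and user names are constructed sample data.
DOMAIN = "SBSDOM"                                   # hypothetical domain name
ASSIGNED_USER = {"WS01": "alice", "WS02": "bob"}    # user chosen at join time
BROAD = {"domain users", "everyone", "authenticated users", "interactive"}

def sample(*members):
    """Rebuild the text layout printed by `net localgroup Administrators`."""
    head = ("Alias name     Administrators\n"
            "Comment        Administrators have complete and unrestricted access\n"
            "\nMembers\n\n" + "-" * 79 + "\n")
    return head + "\n".join(members) + "\nThe command completed successfully.\n"

SAMPLES = {  # constructed captures, one per workstation
    "WS01": sample("Administrator", r"SBSDOM\Domain Admins", r"SBSDOM\alice"),
    "WS02": sample("Administrator", r"SBSDOM\Domain Admins", r"SBSDOM\bob",
                   r"SBSDOM\Domain Users", r"SBSDOM\carol"),
}

def parse_members(text):
    """Return the member names listed between the dashed rule and the footer."""
    members, in_list = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("----"):
            in_list = True
        elif line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(host, text):
    """Flag members beyond local Administrator, Domain Admins, the assigned user."""
    expected = {"administrator", f"{DOMAIN}\\domain admins".lower()}
    if host in ASSIGNED_USER:
        expected.add(f"{DOMAIN}\\{ASSIGNED_USER[host]}".lower())
    findings = []
    for member in parse_members(text):
        name = member.lower()
        if name.split("\\")[-1] in BROAD:
            findings.append((member, "broad group: all its members are local admins"))
        elif name not in expected:
            findings.append((member, "not in the expected set for this machine"))
    return findings

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, audit(host, text) or "OK")
```
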


Author Comment

ID: 17828073
Thanks, Jeff.

Not sure where to go from here except to sit down at each machine (already joined to the domain) and log on as an administrator at least one more time, something that intuitively seems just so retro in 2006.  :-D

I've inherited this network and its servers; SBS 2003 was clearly added after the infrastructure was already in place.  So it's a mix of XP and W2K workstations and almost none have anything but the Domain Admin group and the local Administrator account in the local Administrators group.

1.  Do you know of a way to add the Domain Users group to each machine's local Administrators group (and thus satisfy SBS 2003's bizarre (imo) inability to manage its own remote client app deployment via some mechanism like LOGON AS)?

2.  Lacking that capability, do you think A/D GPO is the way to go to deploy this Fax Client?  Will I run into the same requirement on the workstation or does GPO have the capability of pushing and installing apps to a workstation without any additional rights being assigned to the user (like my example of the Symantec product does)?

3.  Or, some other innovative method to save me from having to walk through the entire facility and sit at each client machine?  Again, some are W2K Pro and even the XP's don't necessarily have Remote Desktop turned on yet.

I've increased the points because of the added questions.


Accepted Solution

Jeffrey Kane - TechSoEasy earned 1000 total points
ID: 17828288
Because you inherited this and you believe that SBS was added after the fact, then most likely you are viewing all of this from a failed deployment rather than how it's "supposed to work".

Generally, the fax client IS deployed automatically when you join a workstation to the network properly.  My guess is that this wasn't done... and if it wasn't then you will be running into all sorts of problems.  The proper method, using http://<servername>/connectcomputer does all of the things listed in this blog post:  http://sbsurl.com/connectcomputer

Unfortunately, to fix this problem you DO need to go to each machine and do the following:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

It is a lot, but I believe that the benefits far outweigh the cost...



Author Comment

ID: 17828762
Thanks, Jeff, both for your answers and speed of replying.

Your prescient addition of the link that describes all the many things "connectcomputer" does certainly served to quell any leanings I was initially developing to just do manually the couple of local admin tasks that I need to get the Fax Client deployed.  Since either way I have to sit at every computer (though I know I could have gimmicked an install via remote scheduling), what the heck, I'll use the opportunity to standardize their environment.  We're still early enough in the new support team's life-cycle that my suggesting this be done will not be of any concern to management, as in, "Didn't we just do that a few months ago?"  I agree, the benefits will be substantial long term.

I also appreciate the link to the E-Bitz site.  It's clear why you're so far and away the top expert in this forum.

Thanks again.


Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17831597
No problem, and thanks for the compliment!  

