We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Does Application Deployment Require Local Administrative Rights?

RG-MCSE asked
Medium Priority
Last Modified: 2008-01-09
In SBS 2003, I want to deploy the Shared Fax Client.  It's easy enough to do, however, when the installer runs on the client machine (when the user logs on), it aborts because the user does not have local admin rights to the machine.

I looked through all the app deployment options that SBS provides and I didn't see one that assigns a specific security context to the installation.  Have I missed it?  Other systems (such as Symantec Enterprise Anti-Virus) can remotely install their client apps without any user on the targeted client machine requiring admin rights.  And this makes sense because it's not good security policy to allow users even local admin rights to their machines.

Thus, my question here.  Microsoft isn't really expecting an account with local administrative rights to a client machine to have to be the one to logon in order to install SBS deployed apps, does it?
Watch Question

Jeffrey Kane - TechSoEasyPrincipal Consultant
Most Valuable Expert 2016
Top Expert 2014

Yes, Microsoft IS expecting an account with local administrative rights to the client machine to be the one to install SBS deployed apps...

When you join a workstation to an SBS Network the proper way (using http://<servername>/connectcomputer), you are asked which user account to assign to that workstation.  The wizard then makes that user a member of the local administrators group.  There are arguments for and against this practice... I personally don't really mind that this is done since local administrator privs don't allow much other than permission to install applications on that workstation.  I then control that with a Software Restriction Policy. (http://support.microsoft.com/kb/324036)

Fax deployment guide:  http://sbsurl.com/fax

Other security options for users on an SBS Network:  http://sbsurl.com/add



Thanks, Jeff.

Not sure where to go from here except to sit down at each machine (already joined to the domain) and log on as an administrator at least one more time, something that intuitively seems just so retro in 2006.  :-D

I've inherited this network and its servers; SBS 2003 was clearly added after the infrastructure was already in place.  So it's a mix of XP and W2K workstations and almost none have anything but the Doman Admin group and the local Administrator account in the local Administrators group.

1.  Do you know of a way to add the Domain Users group to each machine's local Administrators group (and thus satisfy SBS 2003's bizarre (imo) inability to manage its own remote client app deployment via some mechanism like LOGON AS)?

2.  Lacking that capability, do you think A/D GPO is the way to go to deploy this Fax Client?  Will I run into the same requirement on the workstation or does GPO have the capability of pushing and installing apps to a workstation without any additional rights be assigned to the user (like my example of the Symantec product does)?

3.  Or, some other innovative method to save me from having to walk through the entire facility and sit at each client machine?  Again, some are W2K Pro and even the XP's don't necessarily have Remote Desktop turned on yet.

I've increased the points because of the added questions.

Principal Consultant
Most Valuable Expert 2016
Top Expert 2014
Because you inherited this and you believe that SBS was added after the fact, then most likely you are viewing all of this from a failed deployment rather than how it's "supposed to work".

Generally, the fax client IS deployed automatically when you join a workstation to the network properly.  My guess is that this wasn't done... and if it wasn't then you will be running into all sorts of problems.  The proper method, using http://<servername>/connectcomptuer does all of the things listed in this blog post:  http://sbsurl.com/connectcomputer

Unfortunately, to fix this problem you DO need to go to each machine and do the following:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with it's NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

It is a lot, but I belive that the benefits far outweigh the cost...


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Thanks, Jeff, both for your answers and speed of replying.

Your prescient addition of the link that describes all the many things "connectcomputer" does certainly served to quell any leanings I was initially developing to just do manually the couple of local admin tasks that I need to get the Fax Client deployed.  Since either way I have to sit at every computer (though I know I could have gimmicked an install via remote scheduling), what the heck, I'll use the opportunity to standardize their environment.  We're still early in the new support team's life-cycle that my suggesting this be done will not be of any concern to management, as in, "Didn't we just do that a few months ago?"  I agree, the benefits will be substantial long term.

I also appreciate the link to the E-Bitz site.  It's clear why you're so far and away the top expert in this forum.

Thanks again.

Jeffrey Kane - TechSoEasyPrincipal Consultant
Most Valuable Expert 2016
Top Expert 2014

No problem, and thanks for the compliment!  

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.