Solved

Does Application Deployment Require Local Administrative Rights?

Posted on 2006-10-28
Last Modified: 2008-01-09
In SBS 2003, I want to deploy the Shared Fax Client.  It's easy enough to do, however, when the installer runs on the client machine (when the user logs on), it aborts because the user does not have local admin rights to the machine.

I looked through all the app deployment options that SBS provides and I didn't see one that assigns a specific security context to the installation.  Have I missed it?  Other systems (such as Symantec Enterprise Anti-Virus) can remotely install their client apps without any user on the targeted client machine requiring admin rights.  And this makes sense because it's not good security policy to allow users even local admin rights to their machines.

Thus, my question here.  Microsoft isn't really expecting an account with local administrative rights to a client machine to have to be the one to logon in order to install SBS deployed apps, is it?
Question by:RG-MCSE

Expert Comment

by:Jeffrey Kane - TechSoEasy
Yes, Microsoft IS expecting an account with local administrative rights to the client machine to be the one to install SBS deployed apps...

When you join a workstation to an SBS Network the proper way (using http://<servername>/connectcomputer), you are asked which user account to assign to that workstation.  The wizard then makes that user a member of the local administrators group.  There are arguments for and against this practice... I personally don't really mind that this is done since local administrator privs don't allow much other than permission to install applications on that workstation.  I then control that with a Software Restriction Policy. (http://support.microsoft.com/kb/324036)

Fax deployment guide:  http://sbsurl.com/fax

Other security options for users on an SBS Network:  http://sbsurl.com/add

Jeff
TechSoEasy

Author Comment

by:RG-MCSE
Thanks, Jeff.

Not sure where to go from here except to sit down at each machine (already joined to the domain) and log on as an administrator at least one more time, something that intuitively seems just so retro in 2006.  :-D

I've inherited this network and its servers; SBS 2003 was clearly added after the infrastructure was already in place.  So it's a mix of XP and W2K workstations and almost none have anything but the Domain Admin group and the local Administrator account in the local Administrators group.

1.  Do you know of a way to add the Domain Users group to each machine's local Administrators group (and thus satisfy SBS 2003's bizarre (imo) inability to manage its own remote client app deployment via some mechanism like LOGON AS)?

2.  Lacking that capability, do you think A/D GPO is the way to go to deploy this Fax Client?  Will I run into the same requirement on the workstation or does GPO have the capability of pushing and installing apps to a workstation without any additional rights being assigned to the user (like my example of the Symantec product does)?

3.  Or, some other innovative method to save me from having to walk through the entire facility and sit at each client machine?  Again, some are W2K Pro and even the XP's don't necessarily have Remote Desktop turned on yet.

I've increased the points because of the added questions.


Accepted Solution

by:Jeffrey Kane - TechSoEasy (earned 250 total points)
Because you inherited this and you believe that SBS was added after the fact, then most likely you are viewing all of this from a failed deployment rather than how it's "supposed to work".

Generally, the fax client IS deployed automatically when you join a workstation to the network properly.  My guess is that this wasn't done... and if it wasn't then you will be running into all sorts of problems.  The proper method, using http://<servername>/connectcomputer does all of the things listed in this blog post:  http://sbsurl.com/connectcomputer

Unfortunately, to fix this problem you DO need to go to each machine and do the following:


At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

It is a lot, but I believe that the benefits far outweigh the cost...

Jeff
TechSoEasy
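
Added example, not part of the original answer: a read-only pre-flight check for the client-side steps listed above, written as a cmd.exe batch file because the workstations in this thread are Windows XP and Windows 2000. It assumes English-language output from `net` and `ipconfig` and the install path quoted in step 4; the variable names are illustrative.

```bat
@echo off
rem Added example (not from the original thread): read-only pre-flight check
rem for the client-side rejoin steps. It changes nothing on the machine.
rem Assumes English-language output from net.exe and ipconfig.exe.
setlocal
set "SBSCLIENTS=C:\Program Files\Microsoft Windows Small Business Server\Clients"
set "TODO=0"

echo === Steps 2 and 3: current name and domain or workgroup ===
echo Computer name: %COMPUTERNAME%
net config workstation | findstr /i /c:"Workstation domain"

echo.
echo === Step 4: leftover SBS client directory ===
if exist "%SBSCLIENTS%" (
    echo FOUND - delete or rename: "%SBSCLIENTS%"
    set "TODO=1"
) else (
    echo OK - directory not present
)

echo.
echo === Step 5: DHCP state per adapter ===
ipconfig /all | findstr /i /c:"DHCP Enabled" /c:"adapter"
rem A "DHCP Enabled ... : No" line means that adapter has a static address.
ipconfig /all | findstr /i /c:"DHCP Enabled" | findstr /i /c:": No" >nul
if not errorlevel 1 (
    echo CHECK - at least one adapter has a static address
    set "TODO=1"
)

echo.
echo === Local Administrators before connectcomputer changes it ===
net localgroup Administrators

echo.
if "%TODO%"=="1" (
    echo Result: fix the items marked FOUND or CHECK, then reboot.
) else (
    echo Result: no blocking items found.
)
endlocal & exit /b %TODO%
```

Keeping the `net localgroup Administrators` output from before the rejoin gives a baseline to compare against afterwards, since the connectcomputer wizard adds the assigned user to that group.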



Author Comment

by:RG-MCSE
Thanks, Jeff, both for your answers and speed of replying.

Your prescient addition of the link that describes all the many things "connectcomputer" does certainly served to quell any leanings I was initially developing to just do manually the couple of local admin tasks that I need to get the Fax Client deployed.  Since either way I have to sit at every computer (though I know I could have gimmicked an install via remote scheduling), what the heck, I'll use the opportunity to standardize their environment.  We're still early enough in the new support team's life-cycle that my suggesting this be done will not be of any concern to management, as in, "Didn't we just do that a few months ago?"  I agree, the benefits will be substantial long term.

I also appreciate the link to the E-Bitz site.  It's clear why you're so far and away the top expert in this forum.

Thanks again.

RG

Expert Comment

by:Jeffrey Kane - TechSoEasy
No problem, and thanks for the compliment!  

Jeff
TechSoEasy