Does Application Deployment Require Local Administrative Rights?

Posted on 2006-10-28
Last Modified: 2008-01-09
In SBS 2003, I want to deploy the Shared Fax Client.  It's easy enough to do, however, when the installer runs on the client machine (when the user logs on), it aborts because the user does not have local admin rights to the machine.

I looked through all the app deployment options that SBS provides and I didn't see one that assigns a specific security context to the installation.  Have I missed it?  Other systems (such as Symantec Enterprise Anti-Virus) can remotely install their client apps without any user on the targeted client machine requiring admin rights.  And this makes sense because it's not good security policy to allow users even local admin rights to their machines.

Thus, my question here.  Microsoft isn't really expecting an account with local administrative rights to a client machine to have to be the one to logon in order to install SBS deployed apps, does it?
Question by:RG-MCSE
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17827843
Yes, Microsoft IS expecting an account with local administrative rights to the client machine to be the one to install SBS deployed apps...

When you join a workstation to an SBS Network the proper way (using http://<servername>/connectcomputer), you are asked which user account to assign to that workstation.  The wizard then makes that user a member of the local administrators group.  There are arguments for and against this practice... I personally don't really mind that this is done since local administrator privs don't allow much other than permission to install applications on that workstation.  I then control that with a Software Restriction Policy. (

Fax deployment guide:

Other security options for users on an SBS Network:


Author Comment

ID: 17828073
Thanks, Jeff.

Not sure where to go from here except to sit down at each machine (already joined to the domain) and log on as an administrator at least one more time, something that intuitively seems just so retro in 2006.  :-D

I've inherited this network and its servers; SBS 2003 was clearly added after the infrastructure was already in place.  So it's a mix of XP and W2K workstations and almost none have anything but the Doman Admin group and the local Administrator account in the local Administrators group.

1.  Do you know of a way to add the Domain Users group to each machine's local Administrators group (and thus satisfy SBS 2003's bizarre (imo) inability to manage its own remote client app deployment via some mechanism like LOGON AS)?

2.  Lacking that capability, do you think A/D GPO is the way to go to deploy this Fax Client?  Will I run into the same requirement on the workstation or does GPO have the capability of pushing and installing apps to a workstation without any additional rights be assigned to the user (like my example of the Symantec product does)?

3.  Or, some other innovative method to save me from having to walk through the entire facility and sit at each client machine?  Again, some are W2K Pro and even the XP's don't necessarily have Remote Desktop turned on yet.

I've increased the points because of the added questions.

LVL 74

Accepted Solution

Jeffrey Kane - TechSoEasy earned 250 total points
ID: 17828288
Because you inherited this and you believe that SBS was added after the fact, then most likely you are viewing all of this from a failed deployment rather than how it's "supposed to work".

Generally, the fax client IS deployed automatically when you join a workstation to the network properly.  My guess is that this wasn't done... and if it wasn't then you will be running into all sorts of problems.  The proper method, using http://<servername>/connectcomptuer does all of the things listed in this blog post:

Unfortunately, to fix this problem you DO need to go to each machine and do the following:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with it's NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

It is a lot, but I belive that the benefits far outweigh the cost...



Author Comment

ID: 17828762
Thanks, Jeff, both for your answers and speed of replying.

Your prescient addition of the link that describes all the many things "connectcomputer" does certainly served to quell any leanings I was initially developing to just do manually the couple of local admin tasks that I need to get the Fax Client deployed.  Since either way I have to sit at every computer (though I know I could have gimmicked an install via remote scheduling), what the heck, I'll use the opportunity to standardize their environment.  We're still early in the new support team's life-cycle that my suggesting this be done will not be of any concern to management, as in, "Didn't we just do that a few months ago?"  I agree, the benefits will be substantial long term.

I also appreciate the link to the E-Bitz site.  It's clear why you're so far and away the top expert in this forum.

Thanks again.

LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17831597
No problem, and thanks for the compliment!  


Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Small Business Server 2011. NOTE: This guide has been written using the preview version of SBS2011 therefore some of the screens may …
The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question