RG-MCSE
asked on
Does Application Deployment Require Local Administrative Rights?
In SBS 2003, I want to deploy the Shared Fax Client. It's easy enough to do, however, when the installer runs on the client machine (when the user logs on), it aborts because the user does not have local admin rights to the machine.
I looked through all the app deployment options that SBS provides and I didn't see one that assigns a specific security context to the installation. Have I missed it? Other systems (such as Symantec Enterprise Anti-Virus) can remotely install their client apps without any user on the targeted client machine requiring admin rights. And this makes sense because it's not good security policy to allow users even local admin rights to their machines.
Thus, my question here. Microsoft isn't really expecting an account with local administrative rights to a client machine to have to be the one to logon in order to install SBS deployed apps, does it?
I looked through all the app deployment options that SBS provides and I didn't see one that assigns a specific security context to the installation. Have I missed it? Other systems (such as Symantec Enterprise Anti-Virus) can remotely install their client apps without any user on the targeted client machine requiring admin rights. And this makes sense because it's not good security policy to allow users even local admin rights to their machines.
Thus, my question here. Microsoft isn't really expecting an account with local administrative rights to a client machine to have to be the one to logon in order to install SBS deployed apps, does it?
ASKER
Thanks, Jeff.
Not sure where to go from here except to sit down at each machine (already joined to the domain) and log on as an administrator at least one more time, something that intuitively seems just so retro in 2006. :-D
I've inherited this network and its servers; SBS 2003 was clearly added after the infrastructure was already in place. So it's a mix of XP and W2K workstations and almost none have anything but the Doman Admin group and the local Administrator account in the local Administrators group.
1. Do you know of a way to add the Domain Users group to each machine's local Administrators group (and thus satisfy SBS 2003's bizarre (imo) inability to manage its own remote client app deployment via some mechanism like LOGON AS)?
2. Lacking that capability, do you think A/D GPO is the way to go to deploy this Fax Client? Will I run into the same requirement on the workstation or does GPO have the capability of pushing and installing apps to a workstation without any additional rights be assigned to the user (like my example of the Symantec product does)?
3. Or, some other innovative method to save me from having to walk through the entire facility and sit at each client machine? Again, some are W2K Pro and even the XP's don't necessarily have Remote Desktop turned on yet.
I've increased the points because of the added questions.
Not sure where to go from here except to sit down at each machine (already joined to the domain) and log on as an administrator at least one more time, something that intuitively seems just so retro in 2006. :-D
I've inherited this network and its servers; SBS 2003 was clearly added after the infrastructure was already in place. So it's a mix of XP and W2K workstations and almost none have anything but the Doman Admin group and the local Administrator account in the local Administrators group.
1. Do you know of a way to add the Domain Users group to each machine's local Administrators group (and thus satisfy SBS 2003's bizarre (imo) inability to manage its own remote client app deployment via some mechanism like LOGON AS)?
2. Lacking that capability, do you think A/D GPO is the way to go to deploy this Fax Client? Will I run into the same requirement on the workstation or does GPO have the capability of pushing and installing apps to a workstation without any additional rights be assigned to the user (like my example of the Symantec product does)?
3. Or, some other innovative method to save me from having to walk through the entire facility and sit at each client machine? Again, some are W2K Pro and even the XP's don't necessarily have Remote Desktop turned on yet.
I've increased the points because of the added questions.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, Jeff, both for your answers and speed of replying.
Your prescient addition of the link that describes all the many things "connectcomputer" does certainly served to quell any leanings I was initially developing to just do manually the couple of local admin tasks that I need to get the Fax Client deployed. Since either way I have to sit at every computer (though I know I could have gimmicked an install via remote scheduling), what the heck, I'll use the opportunity to standardize their environment. We're still early in the new support team's life-cycle that my suggesting this be done will not be of any concern to management, as in, "Didn't we just do that a few months ago?" I agree, the benefits will be substantial long term.
I also appreciate the link to the E-Bitz site. It's clear why you're so far and away the top expert in this forum.
Thanks again.
RG
Your prescient addition of the link that describes all the many things "connectcomputer" does certainly served to quell any leanings I was initially developing to just do manually the couple of local admin tasks that I need to get the Fax Client deployed. Since either way I have to sit at every computer (though I know I could have gimmicked an install via remote scheduling), what the heck, I'll use the opportunity to standardize their environment. We're still early in the new support team's life-cycle that my suggesting this be done will not be of any concern to management, as in, "Didn't we just do that a few months ago?" I agree, the benefits will be substantial long term.
I also appreciate the link to the E-Bitz site. It's clear why you're so far and away the top expert in this forum.
Thanks again.
RG
No problem, and thanks for the compliment!
Jeff
TechSoEasy
Jeff
TechSoEasy
When you join a workstation to an SBS Network the proper way (using http://<servername>/connectcomput
Fax deployment guide: http://sbsurl.com/fax
Other security options for users on an SBS Network: http://sbsurl.com/add
Jeff
TechSoEasy