Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Does Application Deployment Require Local Administrative Rights?

Posted on 2006-10-28
Medium Priority
Last Modified: 2008-01-09
In SBS 2003, I want to deploy the Shared Fax Client.  It's easy enough to do, however, when the installer runs on the client machine (when the user logs on), it aborts because the user does not have local admin rights to the machine.

I looked through all the app deployment options that SBS provides and I didn't see one that assigns a specific security context to the installation.  Have I missed it?  Other systems (such as Symantec Enterprise Anti-Virus) can remotely install their client apps without any user on the targeted client machine requiring admin rights.  And this makes sense because it's not good security policy to allow users even local admin rights to their machines.

Thus, my question here.  Microsoft isn't really expecting an account with local administrative rights to a client machine to have to be the one to logon in order to install SBS deployed apps, does it?
Question by:RG-MCSE
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17827843
Yes, Microsoft IS expecting an account with local administrative rights to the client machine to be the one to install SBS deployed apps...

When you join a workstation to an SBS Network the proper way (using http://<servername>/connectcomputer), you are asked which user account to assign to that workstation.  The wizard then makes that user a member of the local administrators group.  There are arguments for and against this practice... I personally don't really mind that this is done since local administrator privs don't allow much other than permission to install applications on that workstation.  I then control that with a Software Restriction Policy. (http://support.microsoft.com/kb/324036)

Fax deployment guide:  http://sbsurl.com/fax

Other security options for users on an SBS Network:  http://sbsurl.com/add


Author Comment

ID: 17828073
Thanks, Jeff.

Not sure where to go from here except to sit down at each machine (already joined to the domain) and log on as an administrator at least one more time, something that intuitively seems just so retro in 2006.  :-D

I've inherited this network and its servers; SBS 2003 was clearly added after the infrastructure was already in place.  So it's a mix of XP and W2K workstations and almost none have anything but the Doman Admin group and the local Administrator account in the local Administrators group.

1.  Do you know of a way to add the Domain Users group to each machine's local Administrators group (and thus satisfy SBS 2003's bizarre (imo) inability to manage its own remote client app deployment via some mechanism like LOGON AS)?

2.  Lacking that capability, do you think A/D GPO is the way to go to deploy this Fax Client?  Will I run into the same requirement on the workstation or does GPO have the capability of pushing and installing apps to a workstation without any additional rights be assigned to the user (like my example of the Symantec product does)?

3.  Or, some other innovative method to save me from having to walk through the entire facility and sit at each client machine?  Again, some are W2K Pro and even the XP's don't necessarily have Remote Desktop turned on yet.

I've increased the points because of the added questions.

LVL 74

Accepted Solution

Jeffrey Kane - TechSoEasy earned 1000 total points
ID: 17828288
Because you inherited this and you believe that SBS was added after the fact, then most likely you are viewing all of this from a failed deployment rather than how it's "supposed to work".

Generally, the fax client IS deployed automatically when you join a workstation to the network properly.  My guess is that this wasn't done... and if it wasn't then you will be running into all sorts of problems.  The proper method, using http://<servername>/connectcomptuer does all of the things listed in this blog post:  http://sbsurl.com/connectcomputer

Unfortunately, to fix this problem you DO need to go to each machine and do the following:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with it's NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

It is a lot, but I belive that the benefits far outweigh the cost...



Author Comment

ID: 17828762
Thanks, Jeff, both for your answers and speed of replying.

Your prescient addition of the link that describes all the many things "connectcomputer" does certainly served to quell any leanings I was initially developing to just do manually the couple of local admin tasks that I need to get the Fax Client deployed.  Since either way I have to sit at every computer (though I know I could have gimmicked an install via remote scheduling), what the heck, I'll use the opportunity to standardize their environment.  We're still early in the new support team's life-cycle that my suggesting this be done will not be of any concern to management, as in, "Didn't we just do that a few months ago?"  I agree, the benefits will be substantial long term.

I also appreciate the link to the E-Bitz site.  It's clear why you're so far and away the top expert in this forum.

Thanks again.

LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17831597
No problem, and thanks for the compliment!  


Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This guide is intended for migrating Windows 2003 Standard with Exchange 2003 to Windows Small Business Server 2008. You will need the following: Exchange Best Practice Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question