Deploying and using Active Sync in a secured (non-admin) environment

We have a Windows Server 2003 SP2 (standard edition) based Active Directory Domain, and all of our users are restricted users (non-admin).

I have added a GPO to Publish Active Sync 4.5 to the user, and it does show up in the user's Add-Remove programs, but when the user tries to install it, they get the error message complaining that they are not an administrative user.

I have also read that Active Sync wants administrative rights simply to synchronize on a daily basis, but I've also heard restricted users are able to use active sync.

Is it possible to publish, install, and use Active Sync 4.5 for non-admins?  If so, how?
OneSeventeen Asked:
 
David Scott, MCSE, Network Administrator Commented:
if assigning doesn't work:

in the gpo you used to assign the msi, go to computer configuration\administrative templates\windows components\windows installer

enable "Always install with elevated privileges."

read the explanation of that setting as it opens up some security, so i'd disable it after you're done with the installs
0
 
JimboEfx Commented:
Hello OneSeventeen,

As a first port of call, have you seen the comments here:
http://www.appdeploy.com/packages/detail.asp?id=518

Regards,

JimboEfx
0
 
OneSeventeen (Author) Commented:
Most of those solutions seem to be related to versions before 4.5, where the admin needed to create their own .msi out of a .exe file.

There is a link to a forum comment by "WISEUSER" on appdeploy.com:

The answer is to recondition the "CA_Nt5_PrimeInf" custom action in the "InstallExecuteSequence" table, by adding "AND ( NOT REINSTALL )" to the condition. Remember to use a transform for this.

What exactly does this mean?  How do I perform those instructions?
0
 
David Scott, MCSE, Network Administrator Commented:
if you publish it, users have to be admins to install it.

assign it instead of publishing it
0
 
OneSeventeen (Author) Commented:
Just published it, I'll have the user log off and log back on to see if it worked.
0
 
David Scott, MCSE, Network Administrator Commented:
you mean assigned it?
0
 
OneSeventeen (Author) Commented:
I will read up on that first, because it does look a little scary...

I'm shocked that corporate environments are:
1. the most likely place to use Active Sync
2. the most likely place to restrict user privileges

and that Active Sync doesn't seem to have any easy way to install for users with restricted privileges.

I assigned it, and it installed, but the user cannot configure active sync because admin rights are required.
Tips?
0
 
David Scott, MCSE, Network Administrator Commented:
i'm in favor of locking down machines via group policy instead of not giving them admin rights on their machines. It's more trouble than it's worth in my experience.

have good content filtering and web reporting software (websense, 8e6, etc) and users will be more hesitant to go to wacky sites and click on links that install stuff. plus have good gateway AV, AS, IPS.

anyway my 2 cents.  

regarding the active sync, i think the security is by design as active sync allows people to put company data on a mobile device which could be a security nightmare if not controlled.  

how many users do you have that need to configure the active sync?  

you could use the old right click run as and enter admin credentials trick to configure the active sync while logged in as a user, but still you'll have to do on own.

i'd try the install with elevated privileges, i think that will give them admin access to that program, then disable it


0
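
Added example, not part of the thread or any participant's post: a PowerShell check an administrator could run in the user's session after the installs to confirm that the "Always install with elevated privileges" setting discussed above has been turned back off. It assumes the policy's standard registry location (the AlwaysInstallElevated value under Software\Policies\Microsoft\Windows\Installer in HKLM and HKCU) and PowerShell 3.0 or later; the function names are made up for this example.

```powershell
# Added example: audit the "Always install with elevated privileges" policy.
# The policy is stored as the DWORD AlwaysInstallElevated under the Windows
# Installer policy key. It exists in both Computer and User Configuration and
# only takes effect for a user when it is enabled in both places.
$subKey    = 'Software\Policies\Microsoft\Windows\Installer'
$valueName = 'AlwaysInstallElevated'

function Get-InstallerPolicyValue {
    param([string]$Hive)   # 'HKLM' (computer policy) or 'HKCU' (user policy)
    $item = Get-ItemProperty -Path "${Hive}:\$subKey" -Name $valueName `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: not configured
    return [int]$item.$valueName
}

function Test-AlwaysInstallElevated {
    $machine = Get-InstallerPolicyValue -Hive 'HKLM'
    $user    = Get-InstallerPolicyValue -Hive 'HKCU'   # current user only
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        User          = $env:USERNAME
        MachinePolicy = if ($null -eq $machine) { 'not configured' } else { $machine }
        UserPolicy    = if ($null -eq $user)    { 'not configured' } else { $user }
        # Elevated installs are active only when both values are 1.
        Effective     = ($machine -eq 1 -and $user -eq 1)
        # Either half left at 1 means the GPO change was not fully reverted.
        NeedsCleanup  = ($machine -eq 1 -or $user -eq 1)
    }
}

$result = Test-AlwaysInstallElevated
$result | Format-List
if ($result.NeedsCleanup) {
    Write-Warning 'AlwaysInstallElevated is still set; disable the GPO setting and run gpupdate.'
}
```

The HKCU half reflects whichever account runs the script, so run it as the restricted user rather than from an elevated administrator session.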
 
OneSeventeen (Author) Commented:
We have gateway AV, content filtering, and web reporting software, but our main problems are with users being able to install software and make system changes.

Anyway, with that said I got fed up and made the user a power user on his box.  I anticipate more problems from this computer now, and we still can't sync because the computer doesn't recognize his phone, but that's another story.

I'm going to accept the solution anyway because it does work.  I'm hesitant because it doesn't meet the requirement of "in a secured (non-admin) environment", but it appears that the true solution is that there isn't one.

Thanks for the help!
0
 
OneSeventeen (Author) Commented:
thanks again
0