Solved

Allow non-admin users to update applications with the Principal of Least Priviledge

Posted on 2009-04-03
7
549 Views
Last Modified: 2013-12-04
I have a program, Lexis-Nexis Time Matters 9, that needs to install an update. Most of the users on our network have local admin accounts. I know this is bad, and I'm trying to change it. When updates like this need to take place, I do not know how to allow users to run the update. When I run it as a non-admin user, it is an msiexec executable.

This is an SBS 2003 domain, and I am somewhat comfortable with Group Policy, and I think I would simply need to allow user access to some registry keys/files to allow this to happen. I have combed through a computer with Procmon, but I can't see something (obvious) that should be changed.

How do I allow users to install updates to programs that they already have permission to run, so that I don't have to run a sneaker net for every update?
0
Comment
Question by:pixelchef
  • 3
  • 2
  • 2
7 Comments
 
LVL 9

Accepted Solution

by:
samiam41 earned 250 total points
ID: 24065128
If the file is an msi, then use this:

http://support.microsoft.com/kb/887405

Substitute the msi mentioned in the article for the msi of the LN app.  I do this to install Adobe Reader and other 3rd party apps.
0
 
LVL 9

Assisted Solution

by:samiam41
samiam41 earned 250 total points
ID: 24065134
One last thing, since this could become a way for you to install other 3rd party apps and updates, I would recommend a quick jog through this app.  It helped me in the beginning.

And above all else, TEST - TEST - TEST.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 24083303
You can assign apps in msi file format to computers (using system rights, will install without users being logged on) or to users (using system rights as well, but here, the user will be able to decide if he wants that package). There are varoius ways to create or obtain MSI packages:
-wrap a silent setup (a setup that supports swtches like /quiet) into an MSI package using WIWW (vinsvision)
-look for native MSI software or MSI versions of software (sometimes they come as exe and sometimes as MSI package)
-use a tool to record what a setup does and have that "recording" repackaged into an msi - even freeware is able to do that: wininstall LE 10 by scalable software.
-read how others did it at appdeploy.com
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:pixelchef
ID: 24088146
Thank you for the links and help. I was not able to get the MSI to install, and thought it was because of options that I needed to set during the installation. So I created an 'administrative install', which started to push out the update through the application's native upgrade (which requires local admin rights). So this upgrade was a flop, but I will definitely be using these in the future.

Lexis Nexis has released an MSI that updates the installed application. Is this update MSI what I should have pushed out, or would it have worked to use the MSI that contains the latest service release? Is this behavior consistent for any MSI, or does it depend on the vendor?

Do you have any ideas why the MSI was not installing, or more importantly, how I would test these sort of problems? The machines were definitely in scope...
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 24090118
To find out why it did not install, simply have a look at the application event log at the client.
0
 

Author Closing Comment

by:pixelchef
ID: 31566464
Thanks all. I haven't gotten it all figured out, but this is a great start.
0
 
LVL 9

Expert Comment

by:samiam41
ID: 24363824
Thanks for the points and grade!  Take care.

0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
"Disruption" is the most feared word for C-level executives these days. They agonize over their industry being disturbed by another player - most likely by startups.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now