Our desktops are locked down, which prevents users from installing unauthorized applications. One of our home grown applications can update it's self using a command script, but trying to register a DLL or OCX may fail under a normal AD user account. They also have no local admin rights either.
I've built a WinForm shim program that can invoke the update using elevated rights to accomplish the task and for now, used my admin account for test purposes. The shim is invoked by the logged in user that currently does not have the rights to do what is required and I don't want to run around every machine to perform the updates.
The question is, what are the minimal group(s) required to permit DLL or OCX registration? Must you be an administrator to do this or can one of the other groups (ie. Power User) provide that ability?
I was thinking of creating a special user account for the shim, for the purpose of the update and DLL/OCX registration on WinXP and only provide the minimal group rights to carry out the task. I couldn't find anywhere what group would allow regsvr32 to register the DLL or OCX file without an error.
Maybe there is a better way to do this?