How to roll out software with local admin rights? (Possibly using Group Policy)

Hi guys,

I have a query, we have a runtime for our inhouse software that only functions if the local user has local admin rights..

If we setup the users with local admin rights we in effect grant all privaliges to that user so is fairly risky for security aspects.

Is there a way around this using GPO? The runtime is a msi is there a way the user can have normal privaliges but have the runtime installed with local admin rights?

Any information is greatly appreciated :)
LVL 1
SolpakTechnical DirectorAsked:
Who is Participating?
 
KyoshCommented:
Hello.

Try the option Always install with elevated privileges
See the following for more information:
http://technet.microsoft.com/en-us/library/cc737858%28WS.10%29.aspx
0
 
KyoshCommented:
Alternatively you can deploy the Software using GPO itself, it should then install as elevated only at runtime.
http://support.microsoft.com/kb/816102
0
 
SolpakTechnical DirectorAuthor Commented:
Thanks for the link but if I select this "Always install with elevated privileges" will this mean the user can install ANYTHING with elevated privaliges...or just the software I issue?

Main risk being rogue av installers or other software that may slow down the machine.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
SolpakTechnical DirectorAuthor Commented:
Thanks Kyosh didnt see your 2nd reply im guessing this would resolve the issue I have said above?
0
 
KyoshCommented:
Your first and second reply should be correct.
0
 
Joseph DalyCommented:
How many users/machines do you need to deploy this on?

Another option would be to use a tool like psexec. This tool will let you install software remotely using your account with admin access. If you are interested in this method let me know and I can tell you more/write you up a sample script.

0
 
SolpakTechnical DirectorAuthor Commented:
xxdcmast if you could provide me with some information regarding that method of deployment that would also be appreciated :)
0
 
Joseph DalyCommented:
Ok well how many machines first?
0
 
KyoshCommented:
Be advised, psexec http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
(a part of pstools http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx)
will not be possible to implement via GPO.
It will also not work through windows firewall if you are installing remotely.
And finally, the password you supply will not be encrypted in anyway.
There have also been experiences where installing from a network share by using psexec have proven difficult.

For samples, please review the top link.
0
 
Joseph DalyCommented:
Correct PSexec has nothing to do with GPO's. It is a standalone remote install program.
Installing from a network share is not hard at all. You basically only need to have permissions to the source directory.

This is th script I have used in the past successfully to install from a network location.

psexec computers.txt cmd /c \\server\share\install.msi /qn

Where the computers.txt is a document containing computernames with a single computer per line. This can be made in notepad.


Example computers.txt file
computer1
computer2
computer3
computer4

Open in new window

0
 
ThinkPaperIT ConsultantCommented:
it would actually be: (you need to put the "@" to specify text file)

psexec @computers.txt -u domain/admin -p password msiexec /i "\\server\share\install.msi" /qn
or
psexec //computer1,computer2 -u domain/admin -p password -c "\\server\share\setup.exe" /s

Some caveats with this method - passwords are passed cleartext (not encrypted) and this method only works if the application you are deploying supports some kind of silent (automated) deployment (i.e. using switches at the end of your command such as /S or /QN or /SILENT)
0
 
SolpakTechnical DirectorAuthor Commented:
Will allocate points this has been very helpful sorry for the late response.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.