Solved

How to roll out software with local admin rights? (Possibly using Group Policy)

Posted on 2010-01-08
Last Modified: 2013-12-12
Hi guys,

I have a query: we have a runtime for our in-house software that only functions if the local user has local admin rights.

If we set up the users with local admin rights, we in effect grant all privileges to that user, so it is fairly risky from a security aspect.

Is there a way around this using GPO? The runtime is an MSI. Is there a way the user can have normal privileges but have the runtime installed with local admin rights?

Any information is greatly appreciated :)
0
Question by:Solpak
12 Comments
 
LVL 3

Accepted Solution

by:
Kyosh earned 1200 total points
ID: 26208511
Hello.

Try the option "Always install with elevated privileges".
See the following for more information:
http://technet.microsoft.com/en-us/library/cc737858%28WS.10%29.aspx
0
 
LVL 3

Expert Comment

by:Kyosh
ID: 26208528
Alternatively, you can deploy the software using GPO itself; it should then install as elevated only at runtime.
http://support.microsoft.com/kb/816102
0
 
LVL 1

Author Comment

by:Solpak
ID: 26208549
Thanks for the link, but if I select this "Always install with elevated privileges", will this mean the user can install ANYTHING with elevated privileges... or just the software I issue?

The main risk being rogue AV installers or other software that may slow down the machine.
0

 
LVL 1

Author Comment

by:Solpak
ID: 26208586
Thanks Kyosh, didn't see your 2nd reply. I'm guessing this would resolve the issue I have said above?
0
 
LVL 3

Expert Comment

by:Kyosh
ID: 26208667
Your first and second reply should be correct.
0
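Added example (not part of the original thread): a PowerShell audit of the "Always install with elevated privileges" policy discussed above. Windows Installer honours the policy only when it is enabled in both the Computer Configuration and User Configuration halves of Group Policy, and it then applies to any MSI the user launches, so the script reports the machine value next to each loaded user hive. The function names are hypothetical; run it elevated so other users' hives are readable.

```powershell
# Added example: report whether AlwaysInstallElevated is in effect on this machine.
$subKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$valueName = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([string]$Path)
    # Returns the DWORD as an int, or $null when the key or value is absent/unreadable.
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$valueName }
    return $null
}

function Get-AlwaysInstallElevatedState {
    # Machine half of the policy (Computer Configuration).
    $machine = Get-PolicyValue -Path "Registry::HKEY_LOCAL_MACHINE\$subKey"

    # User half: every profile hive currently loaded under HKEY_USERS.
    # The regex keeps account SIDs and skips the *_Classes hives.
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $userHives) {
        $user = Get-PolicyValue -Path "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            UserSid      = $hive.PSChildName
            MachineValue = $machine
            UserValue    = $user
            # Elevated installs happen only when BOTH halves are set to 1.
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

Get-AlwaysInstallElevatedState | Format-Table -AutoSize
```

Any row with Effective = True means that user can run an arbitrary MSI with elevated privileges, not only the package that was issued.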
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 26210207
How many users/machines do you need to deploy this on?

Another option would be to use a tool like psexec. This tool will let you install software remotely using your account with admin access. If you are interested in this method let me know and I can tell you more/write you up a sample script.

0
 
LVL 1

Author Comment

by:Solpak
ID: 26210646
xxdcmast, if you could provide me with some information regarding that method of deployment, that would also be appreciated :)
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 26210690
OK, well, how many machines first?
0
 
LVL 3

Expert Comment

by:Kyosh
ID: 26211113
Be advised, psexec http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
(a part of pstools http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx)
will not be possible to implement via GPO.
It will also not work through Windows Firewall if you are installing remotely.
And finally, the password you supply will not be encrypted in any way.
There have also been experiences where installing from a network share by using psexec has proven difficult.

For samples, please review the top link.
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 400 total points
ID: 26211246
Correct, PSexec has nothing to do with GPOs. It is a standalone remote install program.
Installing from a network share is not hard at all. You basically only need to have permissions to the source directory.

This is the script I have used in the past successfully to install from a network location.

psexec computers.txt cmd /c \\server\share\install.msi /qn

Where the computers.txt is a document containing computernames with a single computer per line. This can be made in notepad.


Example computers.txt file
computer1
computer2
computer3
computer4


0
 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 400 total points
ID: 26211860
It would actually be: (you need to put the "@" to specify a text file)

psexec @computers.txt -u domain\admin -p password msiexec /i "\\server\share\install.msi" /qn
or
psexec \\computer1,computer2 -u domain\admin -p password -c "\\server\share\setup.exe" /s

Some caveats with this method: passwords are passed in cleartext (not encrypted), and this method only works if the application you are deploying supports some kind of silent (automated) deployment (i.e. using switches at the end of your command such as /S or /QN or /SILENT).
0
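Added example (not from any poster in this thread): a PowerShell wrapper around PsExec that avoids the cleartext `-p password` caveat raised above by stopping short of passing credentials at all. It assumes the script runs in a session already logged on with an account that is a local administrator on every target, that the targets' ADMIN$ share is reachable and maps to C:\Windows, and that `psexec.exe` is on the PATH; `computers.txt` and `\\server\share\install.msi` are the names used in the thread.

```powershell
# Added example: copy the MSI to each target, then install it as Local System.
# No -u/-p is passed, so no password appears on the command line or in scripts.
$source    = '\\server\share\install.msi'      # package path from the thread
$computers = Get-Content -Path '.\computers.txt' | Where-Object { $_.Trim() }

$results = foreach ($computer in $computers) {
    $name      = $computer.Trim()
    $remoteDir = "\\$name\ADMIN$\Temp"          # assumed to be C:\Windows\Temp on the target
    $exitCode  = $null
    try {
        # Copying first means the remote process never has to reach the network share.
        Copy-Item -Path $source -Destination $remoteDir -Force -ErrorAction Stop

        # -s runs msiexec as Local System on the target; PsExec authenticates
        # with the current logon. stdout is discarded so it does not pollute $results.
        & psexec.exe "\\$name" -accepteula -s msiexec.exe /i 'C:\Windows\Temp\install.msi' /qn /norestart |
            Out-Null
        $exitCode = $LASTEXITCODE

        # msiexec: 0 = success, 3010 = success, reboot required.
        $status = if ($exitCode -in 0, 3010) { 'Installed' } else { 'InstallFailed' }
    }
    catch {
        $status = "CopyFailed: $($_.Exception.Message)"
    }
    finally {
        # Do not leave the package behind on the target.
        Remove-Item -Path "$remoteDir\install.msi" -Force -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{ Computer = $name; Status = $status; ExitCode = $exitCode }
}

$results | Format-Table -AutoSize
```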
 
LVL 1

Author Comment

by:Solpak
ID: 26369066
Will allocate points. This has been very helpful. Sorry for the late response.
0
