Solved

UAC security Server 2008, Vista and Windows 7

Posted on 2010-09-05
21
678 Views
Last Modified: 2012-05-10
Hi,
I am running MS SBS 2008 at one of my clients' companies and they have a mixed client environment of XP, Vista and 7.

For XP I give the users local admin rights but for the Vista and 7 machines I do not.

What I want to achieve on the Vista and 7 machines is to allow the user to install certain application updates but not give them full administrator privileges.

This way, when daily or weekly updates for Adobe Reader, Java, etc. prompt for administrator credentials they can use their own (or simply click Yes to the UAC popup). But if they wanted to install another application like MSN, etc., their credentials would not allow such an action.

How can I achieve this?
0
Question by:IT101
21 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 33610778
That part of it is little different from XP. If the Windows 7 or Vista client needs to install software, then they need the local rights to be able to do this.

When using UAC, if it pops up looking for administrator rights, the user would have to give them.
... Thinkpads_User
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33611025
Hi,

I would use the following approach. Give the user two accounts, both with the same or similar passwords. The first account is the user's normal account, used for day-to-day computing tasks. The second is a 'useradmin' account, which can be local or A.D.-based, and is a local administrator on the Windows Vista/7 computer. Each time the user needs to exercise an option which requires administrative privilege, UAC will show a prompt. useradmin is the account the user enters along with the password.
0
 

Author Comment

by:IT101
ID: 33613729
Thanks guys,
So does this simply mean that it's not possible at all to allow certain applications to upgrade without admin rights but not others?
If I give them a local admin account they would also be able to install applications that management prohibits.
As a workaround, would there be any method where I can give the users local admin rights but prevent them from installing unknown applications via group policy?
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 33613774
What I do for my users is give them access at the program directory level. There are some programs I do not want to do a walk-up to a workstation for all the time to do updates, so I allow the users to have access to those directories by modifying the NTFS permissions on the local machine. For instance:

If a user needs to update an application and they have only user access on their machine, I would go to Program Files on their machine, look for the directory of the application > right click > Properties, and under the Security tab give them full access to it. This way they can write/update that specific directory and not have access to modify or create others as an admin would. Take into consideration that UAC would have to be lowered all the way to avoid being prompted all the time.
0
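The per-directory NTFS grant described in the reply above, as an added PowerShell example that is not from the thread. Run it from an elevated session; the path and account are placeholders. The second function lists which Program Files folders have been opened up this way so the grants can be reviewed and revoked later; note that this approach covers only files under that folder, not registry writes under HKLM, and that whoever holds Modify on the folder can also change the application's own binaries.

```powershell
# Added example, not from the thread: grant one standard user Modify rights on a
# single application folder, then audit which Program Files folders carry such grants.
# Run from an elevated PowerShell session. $AppDir and $User are placeholders.

function Grant-AppDirWrite {
    param(
        [Parameter(Mandatory=$true)][string]$AppDir,   # e.g. "C:\Program Files\Example App"
        [Parameter(Mandatory=$true)][string]$User      # e.g. "CONTOSO\jsmith"
    )
    if (-not (Test-Path -LiteralPath $AppDir -PathType Container)) {
        throw "Directory not found: $AppDir"
    }
    # Refuse to widen a whole Program Files tree; the reply says to grant per application only.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root -and ($AppDir.TrimEnd('\') -ieq $root.TrimEnd('\'))) {
            throw "Refusing to grant on the whole $root tree"
        }
    }
    # (OI)(CI) = inherit to files and subfolders; M = Modify (read/write/delete, no ACL changes)
    & icacls.exe $AppDir /grant "${User}:(OI)(CI)M"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Get-ProgramFilesWriteGrants {
    # Lists first-level Program Files folders where a non-administrative principal holds
    # write-type rights, so grants made with Grant-AppDirWrite can be reviewed and revoked.
    $privileged = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller|CREATOR OWNER)$'
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } | ForEach-Object {
                $dir = $_.FullName
                foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
                    if ($ace.AccessControlType -eq 'Allow' -and
                        $ace.IdentityReference.Value -notmatch $privileged -and
                        (($ace.FileSystemRights -band $write) -ne 0)) {
                        New-Object PSObject -Property @{
                            Directory = $dir
                            Principal = $ace.IdentityReference.Value
                            Rights    = $ace.FileSystemRights
                        }
                    }
                }
            }
    }
}

# Usage (placeholders):
# Grant-AppDirWrite -AppDir 'C:\Program Files\Example App' -User 'CONTOSO\jsmith'
# Get-ProgramFilesWriteGrants | Format-Table -AutoSize
```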
 

Author Comment

by:IT101
ID: 33613835
I will give this a try, Gridlock. Have you tried this in your environment with Adobe and Java by any chance?
I am wondering if any updates ever need to change the registry, as I would think that if I just allow them access to the particular program's directory, it would still require admin rights if an update needed to change the registry.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33613949
I do not think it is wise to give end-users administrative rights to their computers, too much can go wrong. There are some use cases where it is appropriate to give end users those rights. A good example is XP users with laptops in an out-of-band management scenario.

If a certain app. is prohibited by group policy, then no one, not even an admin. will be able to install it on the computer. Local admin, domain admin, it doesn't matter in that case.
0
 

Author Comment

by:IT101
ID: 33613980
I do agree, Firebar, and that is why I would like to keep my users without local admin rights (mainly from a login perspective + to prohibit them from installing applications). I like UAC for this reason and I am against turning it off, as painful as it can be sometimes. I am highly considering your two-accounts-per-user method right now, as long as I can prohibit their local admin rights as well.
How do you propose I prohibit applications via GP so my users cannot install or use them?
Back in Server 2003 I remember adding simple blocks to MS games, etc. by GP using the exe name of the application. I would like something much stronger than this, however, as all the user needs to do is change the exe name and then run it. Is there a better way in GP that it can be achieved?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 33614020
I also agree with Firebar. Also note my first point: this is much like XP (or any NT Windows machine) in that you must be administrator to install most things. If you provide a second user id with admin rights and you allow that userid to install things, they will be able to install whatever they want. GPs that prevent installs will also (probably) prevent the installation of most updates. ... Thinkpads_User
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 33614052
I agree with Firebar and Thinkpads, but I am not suggesting admin rights on the machine. At work all my users have user rights, and my mobile users have user rights as well with the inclusion of the network configuration right to be able to modify their network settings when they are abroad. But to answer your question, yes IT101, it has worked for me at the NTFS level with full rights to specific directories only while having user rights only on the local machines. Do not apply it to the full Program Files directory, only to those directories they need to write to, like for applying updates. Test it out; if you don't feel comfortable you can always revoke those privileges.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33614279
The GPO setting "prohibit user from running specified applications" will keep them out of the apps listed in the policy setting.


Screen-shot-2010-09-06-at-8.23.2.png
0

 

Author Comment

by:IT101
ID: 33614407
Yeah, that's the policy I was referring to. I believe users are getting smarter nowadays and I would regard this policy as useless now. E.g. with this policy set with mspaint.exe as one of the prohibited applications, all the user has to do is rename the application to mspaint2.exe and the policy is rendered useless.
I can also see problems with the "Run only specified Windows applications" policy as this would become a very exhaustive list.
If only there was a policy that would prohibit all but selected applications from running with local administrative privileges.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 33614756
Hmm.. a user with user-level rights shouldn't be able to rename an executable file to an application. Check this link out from Petri -

http://www.petri.co.il/forums/showthread.php?t=43146

This might have the option you need; somehow there's going to be some administrative overhead.
0
 

Author Comment

by:IT101
ID: 33614772
hmmm... thanks GridLock, looks very close to what I am after. I will have a play with this policy and report back.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 33614917
No problem. Let me know if that works. I'll check back tomorrow.
0
 

Author Comment

by:IT101
ID: 33622684
I have created an Adobe Reader package with GP. It works well for installing the initial application, as the user does not need to be a local admin.
However, I come to the same problem in regards to updates. As soon as there is an update for Adobe Reader the user is asked for admin credentials to install it. I have looked around and cannot find a way to send out any patches through the GP.
0
 
LVL 7

Accepted Solution

by:GridLock137
GridLock137 earned 500 total points
ID: 33623054
In this case you will need an application like the one that ScriptLogic provides. I used this in one of my past positions and it worked great. It allows you to remotely control all MS and third-party installs and updates for those apps from a central location. Download the trial and give it a shot; it's perfect for what you want to do:

http://www.scriptlogic.com/Products/PatchAuthorityUltimate/

0
 

Author Comment

by:IT101
ID: 33623257
Ok,
I have sent them an email regarding their solution and pricing. I would however like to know if there is another way to resolve this without running third party software. I do not believe my client will pay for the third party software at this point in time.
0
 
LVL 7

Assisted Solution

by:GridLock137
GridLock137 earned 500 total points
ID: 33623449
Here is a good article, but it's the same: there will have to be some administrative overhead.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

0
 

Author Comment

by:IT101
ID: 33623554
Thanks Gridlock,
I am getting everything to work just as described in the article, but I am having issues with patching the applications. E.g. I have installed Adobe 9.3 via the Software Package in GP, but I have an .msp patch file that would upgrade v9.3 to 9.3.4 and I do not know how to do this.
In the previous article you just added, it says: "Specifically, you can install Windows Installer packages (.MSI files), Transform Files (.MST files), and patch files (.MSP files)." But I cannot see how I can install the .MSP files. Any ideas? I will keep looking.
0
 

Author Comment

by:IT101
ID: 33872403
From the help of two of Gridlock's links and some other links I found, I have come to a valid solution that will do for now.
I can use a GPO to install the applications, and once the application has a new update I repatch the application's MSI and update the GPO with the new MSI. This solves the issue but means I must manually patch and deploy the patch.
0
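The "repatch the MSI" step from the final post above, and the .MSP question a few posts earlier, as an added PowerShell example that is not from the thread: an administrative install of the .msi followed by slipstreaming the .msp into it with standard msiexec switches, producing the updated package that goes into the GPO. All paths are placeholders, and it assumes the admin runs it with write access to the distribution share.

```powershell
# Added example, not from the thread: slipstream one or more .msp patches into an
# administrative install of an .msi, producing the updated package that the GPO
# software installation policy then deploys. All paths are placeholders.

function New-PatchedAdminInstall {
    param(
        [Parameter(Mandatory=$true)][string]$SourceMsi,    # e.g. "\\server\installs\src\ExampleApp.msi"
        [Parameter(Mandatory=$true)][string[]]$PatchMsp,   # .msp files, in release order
        [Parameter(Mandatory=$true)][string]$TargetDir     # e.g. "\\server\installs\ExampleApp-9.3.4"
    )
    foreach ($f in (@($SourceMsi) + $PatchMsp)) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Missing file: $f" }
    }
    if (-not (Test-Path -LiteralPath $TargetDir)) {
        New-Item -ItemType Directory -Path $TargetDir | Out-Null
    }

    # Step 1: administrative install (/a) unpacks the package into $TargetDir without
    # installing it on this machine; /qn keeps it silent, /L*v writes a verbose log.
    $log1 = Join-Path $TargetDir 'admin-install.log'
    $args1 = "/a `"$SourceMsi`" /qn TARGETDIR=`"$TargetDir`" /L*v `"$log1`""
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $args1 -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Administrative install failed ($($p.ExitCode)); see $log1" }

    # Step 2: apply the patch(es) to that administrative image. /p accepts a
    # semicolon-separated list, applied in the order given.
    $adminMsi = Join-Path $TargetDir (Split-Path -Path $SourceMsi -Leaf)
    $log2 = Join-Path $TargetDir 'patch.log'
    $args2 = "/a `"$adminMsi`" /p `"$($PatchMsp -join ';')`" /qn TARGETDIR=`"$TargetDir`" /L*v `"$log2`""
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $args2 -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Patch application failed ($($p.ExitCode)); see $log2" }

    # Step 3: record a SHA-256 of the package that will go into the GPO, so the
    # deployed file can later be matched against this record.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($adminMsi)
    try { $digest = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
    "$(Get-Date -Format s)  $digest  $adminMsi  patches: $($PatchMsp -join ', ')" |
        Add-Content -Path (Join-Path $TargetDir 'deployed.txt')
    return $adminMsi
}

# Usage (placeholders): the returned .msi is the one to add to the GPO software package,
# configured to upgrade the package already deployed.
# New-PatchedAdminInstall -SourceMsi '\\server\installs\src\ExampleApp.msi' `
#     -PatchMsp '\\server\installs\src\ExampleApp-9.3.4.msp' `
#     -TargetDir '\\server\installs\ExampleApp-9.3.4'
```

In Group Policy Software Installation the patched package is added as a new package set to upgrade the existing one (its Upgrades tab), rather than editing the package already assigned, which is the manual step the post above refers to.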
