UAC security Server 2008, Vista and Windows 7
Asked by IT101 (Australia)

Hi,
I am running MS SBS 2008 at one of my clients' companies and they have a mixed client environment of XP, Vista and 7.

For XP I give the users local admin rights but for the Vista and 7 machines I do not.

What I want to achieve on the Vista and 7 machines is to allow the user to install certain application updates but not give them full administrator privileges.

This way, when daily or weekly updates for Adobe Reader, Java etc. prompt for administrator credentials, they can use their own (or simply click Yes to the UAC popup). But if they wanted to install another application like MSN etc., their credentials would not allow such an action.

How can I achieve this?
John (Canada):

That part of it is little different from XP. If the Windows 7 or Vista client needs to install software, then they need the local rights to be able to do this.

When using UAC, if it pops up looking for administrator rights, the user would have to give them.
... Thinkpads_User
Hi,

I would use the following approach. Give the user two accounts, both with the same or similar passwords. The first account is the user's normal account, used for day-to-day computing tasks. The second is a 'useradmin' account, which can be local or A.D.-based, and is a local administrator on the Windows Vista/7 computer. Each time the user needs to exercise an option which requires administrative privilege, UAC will show a prompt. useradmin is the account the user enters along with the password.
IT101 (asker):
Thanks guys,
So does this simply mean that it's not possible at all to allow certain applications to upgrade without admin rights but not others?
If I give them a local admin account they would also be able to install applications that management prohibits.
As a workaround would there be any methods where I can give the users local admin rights but deny them from installing unknown applications via group policy?
What I do for my users is give them access at the program directory level. There are some programs I do not want to do a walk-up to a workstation for all the time to do updates, so I allow the users to have access to those directories by modifying the NTFS permissions on the local machine, for instance:

If a user needs to update an application and they have only user access on their machine, I would go to Program Files on their machine, look for the directory of the application > right click > Properties and, under the Security tab, give them full access to it. This way they can write/update that specific directory and not have access to modify or create others as an admin would. Take into consideration that UAC would have to be lowered all the way to avoid being prompted all the time.
IT101 (asker):
I will give this a try, Gridlock. Have you tried this in your environment with Adobe and Java by any chance?
I am wondering if any updates ever need to change the registry, as I would think that, just allowing them access to the particular program's directory, it would still require admin rights if an update needed to change the registry.
I do not think it is wise to give end-users administrative rights to their computers, too much can go wrong. There are some use cases where it is appropriate to give end users those rights. A good example is XP users with laptops in an out-of-band management scenario.

If a certain app. is prohibited by group policy, then no one, not even an admin. will be able to install it on the computer. Local admin, domain admin, it doesn't matter in that case.
IT101 (asker):
I do agree Firebar and that is why I would like to keep my users without local admin rights (mainly from a login perspective + prohibit them from installing applications). I like UAC for this reason and I am against turning it off as painful as it can be sometimes. I am highly considering your two accounts per user method right now as long as I can prohibit their local admin rights as well.
How do you propose I prohibit applications via GP so my users can not install or use them?
Back in server 2003 I remember adding simple blocks to ms games etc by GP using the exe name of the application. I would like something much stronger than this however as all the user needs to do is change the exe name and then run it. Is there a better way in GP that it can be achieved?
I also agree with Firebar. Also note my first point - that this is much like XP (or any NT Windows machine) in that you must be administrator to install most things. If you provide a second user ID with admin rights and you allow that user ID to install things, they will be able to install whatever they want. GP that prevents installs will also (probably) prevent the installation of most updates. ... Thinkpads_User
I agree with Firebar and Thinkpads, but I am not suggesting admin rights on the machine. At work all my users have user rights, and my mobile users have user rights as well, with the inclusion of network config rights to be able to modify their network settings when they are abroad. But to answer your question, yes IT101, it has worked for me at the NTFS level with full rights to specific directories only while having user rights only on the local machines. Do not apply it to the full Program Files directory, only to those directories they need to write to, like applying updates. Test it out; if you don't feel comfortable you can always revoke those privileges.
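The per-directory NTFS grant described in the two posts above (the walk-through at "What I do for my users" and the confirmation that it worked "at the NTFS level"), written out as a script. This is an added example, not code posted in the thread; the account CONTOSO\jdoe and the folder C:\Program Files\ExampleApp are placeholders. It refuses to touch anything that is not a subdirectory of Program Files, because a grant on the Program Files root would give the user write access to every installed program, and it carries a -Revoke switch for the "you can always revoke those privileges" step.

```powershell
# Added example, not from the thread. Grants one user Modify rights on a single
# application folder so an in-place updater that only writes there can run
# without an administrator token. Account and folder names are placeholders.
param(
    [string]$User   = 'CONTOSO\jdoe',                    # placeholder domain user
    [string]$AppDir = 'C:\Program Files\ExampleApp',     # placeholder application folder
    [switch]$Revoke                                      # remove the grant again
)

# Guard: only a subdirectory of Program Files is acceptable, never the root itself,
# which would hand the user write access to every installed program.
$root = [Environment]::GetFolderPath('ProgramFiles')
$full = [System.IO.Path]::GetFullPath($AppDir).TrimEnd('\')
if ($full -ieq $root -or -not $full.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing to change ACLs on '$AppDir': not a subdirectory of '$root'."
}
if (-not (Test-Path -LiteralPath $full -PathType Container)) {
    throw "Folder '$full' does not exist."
}

if ($Revoke) {
    # Remove every explicit grant for this user on the folder; inherited entries are untouched.
    icacls $full /remove:g $User
} else {
    # Modify (M) with object-inherit (OI) and container-inherit (CI) so files the
    # updater creates or replaces under this folder are covered. No /T is needed:
    # the inheritable entry propagates to existing children on its own.
    icacls $full /grant "$($User):(OI)(CI)M"
}

# Show the resulting ACL so the change can be reviewed and recorded.
icacls $full
```

Run it from an elevated prompt on the workstation. If an updater still raises a UAC prompt after the grant, it is writing somewhere outside that folder (typically HKLM or a system directory), which is exactly the registry question raised later in the thread; a folder ACL cannot help with that. Keep in mind what the grant means for the machine: anything running under that user's token, not just the updater, can now replace the binaries in that folder, so keep the scope to the one directory and revoke it once the update mechanism no longer needs it.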
The GPO setting "prohibit user from running specified applications" will keep them out of the apps listed in the policy setting.

(Attached screenshot: Screen-shot-2010-09-06-at-8.23.2.png)
IT101 (asker):
Yeah, that's the policy I was referring to. I believe users are getting smarter nowadays and I would regard this policy as useless now. E.g., with this policy set with mspaint.exe as one of the prohibited applications, all the user has to do is rename the application to mspaint2.exe and the policy is rendered useless.
I can also see problems with the "Run only specified Windows applications" policy as this would become a very exhaustive list.
If only there was a policy that would prohibit all but selected applications from running with local administrative privileges.
Hmm.. a user with user-level rights shouldn't be able to rename an executable file to an application. Check this link out from Petri -

http://www.petri.co.il/forums/showthread.php?t=43146

This might have the option you need; somehow there's going to be some administrative overhead.
IT101 (asker):
Hmmm... thanks GridLock, looks very close to what I am after. I will have a play with this policy and report back.
No problem. Let me know if that works. I'll check back tomorrow.
IT101 (asker):
I have created an Adobe Reader package with GP. It works well for installing the initial application, as the user does not need to be a local admin.
However, I come to the same problem in regards to updates. As soon as there is an update for Adobe Reader the user is asked for admin credentials to install it. I have looked around and cannot find a way to send out any patches through the GP.
ASKER CERTIFIED SOLUTION
GridLock137 (United States of America):
(Solution text not shown: members-only content.)
IT101 (asker):
OK,
I have sent them an email regarding their solution and pricing. I would however like to know if there is another way to resolve this without running third party software. I do not believe my client will pay for the third party software at this point in time.
SOLUTION
(Solution text not shown: members-only content.)
IT101 (asker):
Thanks Gridlock,
I am getting everything to work just as described in the article, but I am having issues with patching the applications. E.g., I have installed Adobe 9.3 via the Software Package in GP, but I have an .msp patch file that would upgrade v 9.3 to 9.3.4 and I do not know how to do this.
In the previous article you just added it says: "Specifically, you can install Windows Installer packages (.MSI files), Transform Files (.MST files), and patch files (.MSP files)." But I cannot see how I can install the .MSP files. Any ideas? I will keep looking.
IT101 (asker):
With the help of two of Gridlock's links and some other links I found, I have come to a valid solution that will do for now.
I can use a GPO to install the applications, and once the application has a new update I repatch the application's MSI and update the GPO with the new MSI. This solves the issue but means I must manually patch and deploy the patch.