FrankVarlet
asked on
Windows 7: Deny install but allow software updates
Hi,
We have Windows 7 installed on most of our staff computers. Currently staff (by default settings - not sure how it came to be) do not have access to install programs - which is the way we want it.
However users also do not have permission to allow updates to programs already installed, which we would like to allow them to do.
- How do I give users permissions to allow updates for installed programs.
- Where are the settings that allow/deny Windows 7 users install rights.
All computers are run on a domain.
We have Windows 7 installed on most of our staff computers. Currently staff (by default settings - not sure how it came to be) do not have access to install programs - which is the way we want it.
However users also do not have permission to allow updates to programs already installed, which we would like to allow them to do.
- How do I give users permissions to allow updates for installed programs.
- Where are the settings that allow/deny Windows 7 users install rights.
All computers are run on a domain.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
"The basic logic is that one needs to be either Domain Administrator or a Local Administrator on the Machine to install the updates."
couldnt be more wrong, the setting above allows non administrators(anyone) to install windows updates.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You can also use Privilege Authority(For free) to allow updating of non Microsoft applications by restricted users.
http://www.scriptlogic.com/products/privilegeauthority/
http://www.scriptlogic.com/products/privilegeauthority/
I apologize for my comment. But the question is will it work without WSUS template ?
This policy is either meant for WSUS or SCCM. I don't think it will be applicable if WSUS or SCCM is not used.
This policy is either meant for WSUS or SCCM. I don't think it will be applicable if WSUS or SCCM is not used.
"Allow Non-administrators to Receive Update Notifications"
Is a Automatic Updates policy. It doesnt matter if updates are applied by WSUS, SCCM or Microsoft Update(Automatic updates). So yes it is applicable if neither are used.
For explanation on all the settings see
http://community.spiceworks.com/how_to/show/1390
take note of ***** Rob’s notes: *****
Side note:
wuau.adm can still be used if WSUS or SCCM is not implemented.
Is a Automatic Updates policy. It doesnt matter if updates are applied by WSUS, SCCM or Microsoft Update(Automatic updates). So yes it is applicable if neither are used.
For explanation on all the settings see
http://community.spiceworks.com/how_to/show/1390
take note of ***** Rob’s notes: *****
Side note:
wuau.adm can still be used if WSUS or SCCM is not implemented.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
User Configuration\Adminstrativ
The basic logic is that one needs to be either Domain Administrator or a Local Administrator on the Machine to install the updates.