Solved

Windows 7: Deny install but allow software updates

Posted on 2011-03-01
10
882 Views
Last Modified: 2012-05-11
Hi,

We have Windows 7 installed on most of our staff computers. Currently staff (by default settings - not sure how it came to be) do not have access to install programs - which is the way we want it.

However users also do not have permission to allow updates to programs already installed, which we would like to allow them to do.

- How do I  give users permissions to allow updates for installed programs.

- Where are the settings that allow/deny Windows 7 users install rights.

All computers are run on a domain.
0
Comment
Question by:FrankVarlet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 12

Expert Comment

by:Hilal1924
ID: 35014092
I don't think users will be able to Install windows Update if they are denied the right to install programs. Windows Updates are controlled either by group policy or local policy. And to Modify the Group policy you either need to be a Domain Administrator or a Local Administrator (Here is the Policy where you can modufy settings for windows update: Computer Configuration\Adminstrative Templates\Windows Componets\Windows Update
User Configuration\Adminstrative Templates\Windows Componets\Windows Update)

The basic logic is that one needs to be either Domain Administrator or a Local Administrator on the Machine to install the updates.
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 250 total points
ID: 35014106
The setting you are looking for is "Allow Non-administrators to Receive Update Notifications"

This policy specifies whether logged-on non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.

If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.

If the status is set to Disabled or Not Configured, Automatic Updates will notify only logged-on administrators.

http://technet.microsoft.com/en-us/library/cc720539%28WS.10%29.aspx
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35014119

"The basic logic is that one needs to be either Domain Administrator or a Local Administrator on the Machine to install the updates."


couldnt be more wrong, the setting above allows non administrators(anyone) to install windows updates.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 46

Assisted Solution

by:Jackie Man
Jackie Man earned 250 total points
ID: 35014120
According to the comment of abbright, it says:-

Using Microsoft System Center Configuration Manager (http://www.microsoft.com/systemcenter/en/us/configuration-manager.aspx) you can prepare update packages for installed software which users then can install without administrator privileges.

Source: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_26819017.html
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35014140
You can also use Privilege Authority(For free) to allow updating of non Microsoft applications by restricted users.


http://www.scriptlogic.com/products/privilegeauthority/
0
 
LVL 12

Expert Comment

by:Hilal1924
ID: 35014292
I apologize for my comment. But the question is will it work without WSUS template ?

This policy is either meant for WSUS or SCCM. I don't think it will be applicable if WSUS or SCCM is not used.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35014336
"Allow Non-administrators to Receive Update Notifications"

Is a Automatic Updates policy. It doesnt matter if updates are applied by WSUS, SCCM or Microsoft Update(Automatic updates). So yes it is applicable if neither are used.

For explanation on all the settings see

http://community.spiceworks.com/how_to/show/1390

take note of  ***** Rob’s notes: *****


Side note:

wuau.adm can still be used if WSUS or SCCM is not implemented.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 35390598
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the features I've come to appreciate about Windows 7 and Windows Server 2008 R2 is the ability to pin applications to the task bar. As useful a feature as I've found this, it does have some quirks.  For example, have you ever tried pinning an…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question