• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 900
  • Last Modified:

Windows 7: Deny install but allow software updates

Hi,

We have Windows 7 installed on most of our staff computers. Currently staff (by default settings - not sure how it came to be) do not have access to install programs - which is the way we want it.

However users also do not have permission to allow updates to programs already installed, which we would like to allow them to do.

- How do I  give users permissions to allow updates for installed programs.

- Where are the settings that allow/deny Windows 7 users install rights.

All computers are run on a domain.
0
FrankVarlet
Asked:
FrankVarlet
2 Solutions
 
Hilal1924Commented:
I don't think users will be able to Install windows Update if they are denied the right to install programs. Windows Updates are controlled either by group policy or local policy. And to Modify the Group policy you either need to be a Domain Administrator or a Local Administrator (Here is the Policy where you can modufy settings for windows update: Computer Configuration\Adminstrative Templates\Windows Componets\Windows Update
User Configuration\Adminstrative Templates\Windows Componets\Windows Update)

The basic logic is that one needs to be either Domain Administrator or a Local Administrator on the Machine to install the updates.
0
 
Donald StewartNetwork AdministratorCommented:
The setting you are looking for is "Allow Non-administrators to Receive Update Notifications"

This policy specifies whether logged-on non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.

If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.

If the status is set to Disabled or Not Configured, Automatic Updates will notify only logged-on administrators.

http://technet.microsoft.com/en-us/library/cc720539%28WS.10%29.aspx
0
 
Donald StewartNetwork AdministratorCommented:

"The basic logic is that one needs to be either Domain Administrator or a Local Administrator on the Machine to install the updates."


couldnt be more wrong, the setting above allows non administrators(anyone) to install windows updates.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Jackie ManCommented:
According to the comment of abbright, it says:-

Using Microsoft System Center Configuration Manager (http://www.microsoft.com/systemcenter/en/us/configuration-manager.aspx) you can prepare update packages for installed software which users then can install without administrator privileges.

Source: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_26819017.html
0
 
Donald StewartNetwork AdministratorCommented:
You can also use Privilege Authority(For free) to allow updating of non Microsoft applications by restricted users.


http://www.scriptlogic.com/products/privilegeauthority/
0
 
Hilal1924Commented:
I apologize for my comment. But the question is will it work without WSUS template ?

This policy is either meant for WSUS or SCCM. I don't think it will be applicable if WSUS or SCCM is not used.
0
 
Donald StewartNetwork AdministratorCommented:
"Allow Non-administrators to Receive Update Notifications"

Is a Automatic Updates policy. It doesnt matter if updates are applied by WSUS, SCCM or Microsoft Update(Automatic updates). So yes it is applicable if neither are used.

For explanation on all the settings see

http://community.spiceworks.com/how_to/show/1390

take note of  ***** Rob’s notes: *****


Side note:

wuau.adm can still be used if WSUS or SCCM is not implemented.
0
 
LeeTutorretiredCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now