• Status: Solved

Windows 7 best practice

We just got 8 new Windows 7 PCs in our office and we would like to use the UAC feature. The problem is every time a user needs something installed, someone that knows the Admin network password has to come over and type it in, and that is just not efficient. What is the best practice with networked Windows 7? Of course we could just give all of the users local Admin access, but that defeats the purpose of having UAC, right?
coronoahcoro
Asked:
 
Boyd (HiTechCoach) Trimmell, Microsoft Access MVP Commented:
<<The problem is every time a user needs something installed, someone that knows the Admin network password has to come over and type it in, and that is just not efficient.>>

IMHO, that is the best and only way. It has worked for 1000s of my users for years, starting back with Windows 2000.
 
athomsfere Commented:
UAC is more for security by showing you when changes to the OS are being made.

Basic security in desktop support says you should not
a) have all users as admins
b) run in admin mode for day to day tasks (LPA).

Do your users really need to install that much software? They should be installing what is required for their duties only. Otherwise you are creating more opportunity for malware, and system stability problems.
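
Added example, not part of any post in this thread: a read-only PowerShell audit of the two things discussed above, whether UAC is on (and what a standard user is prompted with) and who is in the local Administrators group. It runs on the PowerShell 2.0 that ships with Windows 7; the `$expected` allow-list names are assumptions to adjust for your site.

```powershell
# Added example: audit UAC policy and local Administrators membership (read-only).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# Meaning of ConsentPromptBehaviorUser (what a standard user sees on elevation).
$userPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}
$raw        = $policy.ConsentPromptBehaviorUser
$promptText = if ($raw -eq $null) { 'not set' } else { $userPrompt[[int]$raw] }

$uac = New-Object PSObject -Property @{
    UacEnabled         = ($policy.EnableLUA -eq 1)
    StandardUserPrompt = $promptText
    SecureDesktop      = ($policy.PromptOnSecureDesktop -eq 1)
}

# Resolve the group by its well-known SID so this works on localized Windows.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

# Each member comes back as a COM object; read its ADsPath (WinNT://DOMAIN/name).
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

# Assumption: accounts you expect to hold local admin rights; adjust to your site.
$expected   = 'Administrator', 'Domain Admins', 'ITadmin'
$unexpected = $members | Where-Object { $expected -notcontains ($_ -split '/')[-1] }

$uac | Format-List
'Local administrators:'
$members
if (-not $uac.UacEnabled) { Write-Warning 'UAC (EnableLUA) is turned off' }
if ($unexpected) {
    Write-Warning ('Unexpected local admins: ' + ($unexpected -join ', '))
}
```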
 
armina_99 Commented:
There are several things you can do.

First off, using UAC doesn't mean you'll get a popup for every action you do.

Not every program requires elevated access in order to function. It would be a good idea to first check if you run into problems with a normal user.

Secondly, if you make users local admins, UAC will still be helpful because it will prevent viruses and spyware from getting installed unnoticed, which is the true reason for having UAC enabled in the first place.

Then there's the option to promote users to Power Users. A power user is like a local admin, but not with all rights. A power user can install software.
 
coronoahcoro Author Commented:
Hmm ok that makes sense. I just don't know what other companies do with this situation. How about updates like Java, Adobe Reader, Flash, Web browser, Windows update, etc? That happens very often compared to software installation. What do you guys do with that?
 
armina_99 Commented:
We never do updates like that.

We test them locally in a secure place, and if we want to update the client software, we create MSI packages and use software distribution to enroll our clients with updated software.

Windows Update can be done with a normal user and doesn't require UAC. We do screen every Windows update though, and only allow those we have tested.
 
Jerry Mills Commented:
All good points above. My suggestion for consideration is to create an ITadmin account on the clients. Then remote (RDP) in to the ITadmin account from IT and install his program, and you won't need to physically run over.

You should always know what is being installed anyway.

An additional benefit of creating the ITadmin account in advance is that when a user catches a virus or malware, you can get on his computer (hopefully before it is massively infected) and clean it up. I do that on a satellite office and it has saved me 200-mile trips.
 
armina_99 Commented:
JLM100: do note that if you use RDP to take over a PC, and the user is sitting behind it, you will lock his PC. This can be a strange experience for the end user, especially if you do this unnoticed. If the user logs in while you work on the system, he will kick you out.

I would recommend programs like VNC to share a desktop with the user sitting behind it. RDP is meant to take over another desktop when the PC is unattended, not to share experiences.

You could technically use Remote Assistance for this, but it's a big step getting the connection set up, as the end user has to do lots of steps first. We also use VNC to take over a PC if we manually need to install software that we do not want to enroll using an MSI package during start up.
 
Jerry Mills Commented:
armina_99: I agree - but normally the user contacts IT to do the install and is prepared for the black screen event, or it is done after work hours. I use 'gotoassist' when users want to watch. VNC still requires prep on the client end as far as I am aware.

It really depends on the environment under consideration. Is it a 24x7 shop or Monday - Friday 8 to 5?
 
armina_99 Commented:
Even though the user can be fully aware that their PC is taken over, they will not get a good experience if they get a welcome screen with their username and the text locked just because someone from tech support is installing an application. If I were an end user, I might feel that tech support is trying to hide something. That never is a good thing.

VNC indeed requires to be installed, but that could be done using an MSI and spread to all PCs in one action. You can configure VNC with the ability to ask for the user's consent. It's also free, which can be something to be taken into consideration too. But then again, there are many software packages that you can choose for taking over a PC. I just wanted to express that using RDP for this purpose really is a bad idea. Even if you could install the software after hours, note that you'll be forcing tech support to work after hours too. Company policy must allow this, and you must be willing to work after hours too. In our company we'd rather do it while the user watches, and sometimes you have to install the software under the name of the user. Most installations take little time anyway.
 
coronoahcoro Author Commented:
This is just Friday 8 - 5. Maybe I can try the VNC solution but again I believe I have to go to each and every PC to install it one by one.

I'm not familiar with creating MSI packages. Could you please give me some information about that?
 
armina_99 Commented:
An MSI package is an installation package that will install software onto a PC. Sometimes you can download the software as an MSI package, and if it has a silent install flag, you don't have to worry.

When it doesn't come in MSI form, you will have to do some labor in order to create an MSI package. You will have to create a snapshot of a machine, then install the software, then make another snapshot of that same machine.

Then you will have to compare both snapshots and extract the changes that you want into an MSI. There is software for doing all this, but you will have to test the MSI extensively. It's the only way to distribute software to many PCs all at once.

See also: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_22740173.html
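
Added example, not part of any post in this thread: what a silent MSI install looks like once you have a package, written as a PowerShell 2.0 script that could be used from a computer startup script or an admin session. The share path and package name are placeholders, and refusing packages without a valid Authenticode signature is an extra safeguard assumed here, not something the posters describe.

```powershell
# Added example: silent, logged MSI install for a startup script or admin session.
# Must run elevated (for example as SYSTEM from a computer startup script).
param(
    [string]$MsiPath = '\\fileserver\deploy\example-app.msi',  # placeholder path
    [string]$LogDir  = "$env:SystemRoot\Temp"
)

if (-not (Test-Path $MsiPath)) { throw "Package not found: $MsiPath" }

# Refuse packages without a valid Authenticode signature, so only vetted,
# publisher-signed (or internally signed) installers run with admin rights.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is $($sig.Status)"
}
"Signed by: $($sig.SignerCertificate.Subject)"

$name    = [IO.Path]::GetFileNameWithoutExtension($MsiPath)
$log     = Join-Path $LogDir "$name-install.log"
# /i = install, /qn = no UI, /norestart = never reboot, /L*v = verbose log
$msiArgs = "/i `"$MsiPath`" /qn /norestart /L*v `"$log`""
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 3010 = success, reboot required;
# 1638 = another version already installed; 1618 = another install in progress.
switch ($proc.ExitCode) {
    0       { "Installed $name" }
    3010    { "Installed $name; a reboot is needed to finish" }
    1638    { "Another version of $name is already installed; nothing done" }
    1618    { Write-Warning 'Another installation is running; retry later' }
    default {
        Write-Error "msiexec exit code $($proc.ExitCode); see $log"
        exit $proc.ExitCode
    }
}
```

Because the script runs under an administrative or SYSTEM context, users stay standard users and nobody has to type an admin password at the desk.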
 
armina_99 Commented:
If creating MSI packages really isn't your thing, perhaps you can use FastPush to deploy VNC to your clients.

See: http://www.darkage.co.uk/howtos/
 
Jerry Mills Commented:
Sign up for GoToAssist or other support and you won't need to go on site or install additional software that will also need to be maintained.

Then you can watch the user and enter the password when needed. If you install VNC you will have another package to support. I hear armina_99's passion!

http://www.gotoassist.com/en_US/entry.tmpl
 
upalakshitha Commented: