[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 869
  • Last Modified:

Configure non-admin accounts to install updates of non-microsoft applications using Active Directory (GPO)?

What are the best options for granting a standard domain user via group policy the ability to download, install updates programs without needing admin privileges. For example install updates for Java, Windows updates and Adobe Acrobat Reader (or any other application which may need such privileges).
 
Ideally I would like to setup WSUS for Windows updates which I’m aware this might be my remedy but due to time constraints not the best option at the moment.
 
I would really appreciate any information regarding this issue.
 
Thanks in advance!
0
cvistas
Asked:
cvistas
  • 3
  • 2
  • 2
  • +4
4 Solutions
 
Mike KlineCommented:
You would probably need them to have admin privleges on the workstations.  You can do that with restricted groups.  Create a group called "Patch Updated Admins" (or whatever is best for you)

Read Florian's blog entry on restricted groups   http://www.frickelsoft.net/blog/?p=13

WSUS out of the box won't patch adobe/java (third party programs can help with that)

Thanks

Mike
0
 
argh226Commented:
Have a look at WPKG : http://wpkg.org/

Works very well for us!
0
 
John HurstBusiness Consultant (Owner)Commented:
Without WSUS, you cannot install Java, Adobe and Flash components without admin priviledges. You can set up Windows 7 to install updates on shutdown and that keeps critical updates complete without WSUS.  ... Thinkpads_User
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
McKnifeCommented:
This question is definitely an evergreen.

You should install WSUS, time constraints are not really an "excuse", because it sets up so fast, maybe easier than anything comparable.
Together with WSUS, one can install LUP, see http://sourceforge.net/apps/mediawiki/localupdatepubl/index.php?title=Main_Page , LUP enables WSUS to distribute 3rd party updates.
Of course you can use software like "powerbroker" from beyondtrust that can explicitely enable weak users to patch certain applications, but that wouldn't be easier than WSUS + LUP and if you wanted the manageable edition, it wouldn't be free (LUP and WSUS are free).

Then, last option, we can use the builtin update mechanisms of Adobe Reader And Adobe Flash - those don't care for user rights but update using services/tasks with system rights. Java, however, does not.
0
 
Donald StewartNetwork AdministratorCommented:
I second the suggestion for LUP and WSUS.

Then all you need to configure to allow non-admins to install updates is the GPO "Allow non-admins to receive update notifications"

Another free way to allow updating specific programs without giving admin rights is to use Privilege Authority

http://www.scriptlogic.com/landing/google/pa/index.asp?src=technet-PA-1

But might I suggest that allowing/relying on users to update their own machines is very bad practice. Users will routinely ignore updating. You should(With WSUS) schedule updates.

Look over:

Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy

http://technet.microsoft.com/en-us/library/cc512630.aspx
0
 
ThinkPaperCommented:
If you really don't have time to set up WSUS, you can at least make sure the updates are pointing to microsoft and set the group policy or local policy for the machines to download automatically and notify when patches are available. the user would then get little "pop ups" when availables are ready for install and the user just have to click to get them installed.

this will not take care of non-ms updates though, and won't prevent users from NOT installing (unless you set it to automatically install upon download w/out user interaction or force install option when the user attempts to log out).

http://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx
0
 
argh226Commented:
I cannot see any domain without WSUS these days... works flawlessly.
That being said, as for the second part of installation, I suppose it depends of the admin skills, there isn't any bad choice, as long you can work with it.
0
 
cvistasAuthor Commented:
I've requested that this question be deleted for the following reason:

None
0
 
John HurstBusiness Consultant (Owner)Commented:
Deletion cancelled.

cvistas - You did not have the courtesy to respond to a single post in here. There are answers in here that are correct (use WSUS or live with what you have without it).

Providing a reason of "none" to delete is entirely and totally unacceptable.

... Thinkpads_User
0
 
Donald StewartNetwork AdministratorCommented:
I concur
0
 
John HurstBusiness Consultant (Owner)Commented:
Recommend split

mkline71    http:#a38386823
Thinkpads_User  http:#a38386831
McKnife   http:#a38387028
dstewartjr http:#a38387664

.... Thinkpads_User
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 3
  • 2
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now