Group Policy


We are a company of about 400 users. Users are not local admins of their computers and our company policy doesn't allow us to do it. But now our manager wants to allow users to upgrade iTunes and Java without our intervention. Apart from those two programs, users should not be able to install any other programs.
I know you can manually do it by downloading iTunes and Java when there is an update and running a script at startup, but can this be done automatically? I mean when there is an update, users should be able to download iTunes and Java and install them. Can this be set by using Group Policies?

Hi Ukitsme

    Start the Active Directory Users and Computers snap-in.

    To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

    In the console tree, right-click your domain, and then click Properties.

    Click the Group Policy tab, select the policy that you want, and then click Edit.

    Under Computer Configuration, expand Software Settings.

    Right-click Software installation, point to New, and then click Package.

    In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi.

    Make sure that you use the UNC path of the shared installer package.

    Click Open. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.

    Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers snap-in.

    When the client computer starts, the managed software package is automatically installed.

Another option is:

    Create a user with privileges on the machines.
    Install CPAU

    Run CPAU with the -enc and -jobs switches (and the admin user) to encrypt the file

        cpau -u domain\pcadmin -p password -ex "setup.exe" -enc -file install.job

        This creates a job file called install.job to run setup.exe as domain\pcadmin.

    Run cpau with -dec -file switches to run setup.exe as saved in the previous step.

        cpau -dec -file install.job -lwp

Hope this helps
You can also grant users install rights through GPO.

You can, as pointed out, use a software deployment GPO to push software installs/updates, as andrewjamesb illustrated.
This problem is very common, and searching EE you would find this type of question at least 1000 times. There is no GPO that says "let users x and y upgrade installation z". There is only software deployment, which can be user-bound so non-admins could install user-assigned MSI packages. Or, as described before, you could assign those packages to computers so they will install at startup.

The GPO Arnold might be/is talking about is "always install elevated" - this should not be used here as it will enable users to install each and every MSI package, including non-authorized (self-made) ones that could compromise your system.

The easiest solution as I see it is a (server-based) script that does the following: use wget weekly to download updates for those programs from Apple's servers, and, if newer than the download of last week, delete the marker files (will tell you about those in a minute).
Then, at the client side, deploy a scheduled task that gets triggered on computer startup and checks whether the marker file is present, and if not, installs the application silently and creates a marker file: md \\server\share\applesoftware\%computername%

We use it like this without problems.

Another solution would be some 3rd-party software like ScriptLogic's tool:
Thereby you can define what a weak user may do that normally only admins can. It extends Windows' capabilities.
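
The client-side startup step of the marker-file approach described in the answer above, as an added PowerShell example that is not part of the original post. The installer file name and the expected publisher string are assumptions, and the signature check is an addition, since the task installs with elevated rights whatever file is on the share.

```powershell
# Added example: run by a startup scheduled task as SYSTEM.
# $Share is the path from the post; the two values marked below are assumptions.
$Share          = '\\server\share\applesoftware'
$Installer      = Join-Path $Share 'iTunesSetup.msi'   # hypothetical file name
$ExpectedSigner = 'Apple Inc.'                          # assumed publisher; confirm on a known-good installer
$Marker         = Join-Path $Share $env:COMPUTERNAME   # per-computer marker directory, as in the post

# Marker present: this computer already installed the current download.
if (Test-Path -LiteralPath $Marker) { exit 0 }

if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Error "Installer not found: $Installer"
    exit 1
}

# Copy to a new, unpredictable local name so the file that is verified
# is the same file that is run afterwards.
$Local = Join-Path $env:SystemRoot ("Temp\{0}.msi" -f [guid]::NewGuid())
Copy-Item -LiteralPath $Installer -Destination $Local

# Refuse anything without a valid Authenticode signature from the expected publisher.
$sig = Get-AuthenticodeSignature -FilePath $Local
$signerOk = $sig.SignerCertificate -and
            ($sig.SignerCertificate.Subject -like "*O=$ExpectedSigner*")
if ($sig.Status -ne 'Valid' -or -not $signerOk) {
    Write-Error "Signature check failed ($($sig.Status)); not installing."
    Remove-Item -LiteralPath $Local -Force
    exit 2
}

# Silent install. Exit code 0 = success, 3010 = success with reboot required.
$proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$Local`" /qn /norestart" -Wait -PassThru
Remove-Item -LiteralPath $Local -Force
if ((0, 3010) -notcontains $proc.ExitCode) {
    Write-Error "msiexec exited with $($proc.ExitCode)"
    exit 3
}

# Record success; the server-side job deletes this marker when a newer download arrives.
New-Item -ItemType Directory -Path $Marker -Force | Out-Null
```

Computer accounts need write access only to create their marker directory; the installer file itself should be writable by the server-side download job alone.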

ukitsme (Author) commented:
Decided to run a script in the end
Windows Server 2008