Allow users to install software on thier desktops without being a Local Admin

Does anybody know of a way to allow users to install software on their machines without being a Local Admin?

This is kind of a unique situation where our users have the potential to be able to "install" hundreds of .exe and .msi files.  The "install" programs are essentially contain data and this data is copied to a specific location during the install.

Installing via GPO or SCCM isn't an option as there are potentially 100's of programs that can be installed.

Below is the link for the software and all of the programs that can be installed just so you have an idea what I'm talking about.

At this point I can only see granting local admin rights, but wanted to see if anybody had any creative solution.
LVL 34
Scott CSenior EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
Installing via GPO or SCCM isn't an option   So that leaves out Beyond Trust and the like tools that do this via GPO settings. And I agree with your observation.

I can only see granting local admin rights   This is not something you should do. The impending damage is worse than you might first think. We do not let our clients install software. We manage the times we can assist them.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
you could create msi packages for eacch of them then publish them and allow users to install via add/remove programs, but yes that would be a lot of work, but a once time job only.
Scott CSenior EngineerAuthor Commented:
John, I totally agree.  We don't want to grant rights as you said the potential damage is exactly what we're afraid of.

I was hoping to find something like allowing installation of programs from a particular publisher or something like that.  

I just don't see a good way of doing this outside of the "bad" way or else they contact us when they need another app installed.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Shaun VermaakTechnical SpecialistCommented:
You can build click-once installers which installs into user's AppData such as Chrome when you install it without administrators rights.

Click-once installers can also be signed with a Code-signing Certificate
JohnBusiness Consultant (Owner)Commented:
Chrome is a bit different. Lots of software must write to the registry and so need real admin permissions to install.
Shaun VermaakTechnical SpecialistCommented:
Not correct. All registry setting are visualized in modern OS to allow it to write to HKLM without actually doing it. Anybody can that their code and build a Click-once application
JohnBusiness Consultant (Owner)Commented:
I will have to look at my software because I have software that will not do that.

So it may be correct for you but not for me.
Shaun VermaakTechnical SpecialistCommented:
For those you can use ACT (application compatibility toolkit) to write shims for it. For Windows 10 it is called Windows Assessment and Deployment Kit (ADK)
JohnBusiness Consultant (Owner)Commented:
I have software that may need UAC OK'd two, maybe 3 times. I think that software will not work (as provided to me) the way you describe. I am not suggesting all software is like this - just some.
Shaun VermaakTechnical SpecialistCommented:
All software can be made to work without admin rights unless it is designed to do system administration tasks.
Applications that do not work in user mode is considered to have LUA Bugs.
Scott CSenior EngineerAuthor Commented: confirmed what I already knew and suspected.

Creating the .msi packages is an ok idea, but we'd be forever making these when the data changes on the website.  That is something else we'd have to monitor.
Shaun VermaakTechnical SpecialistCommented:
Please provide which specific software on you want to install without admin rights.

If the package just contains data which is copied to a specific location, a new installer can be build to copy this data to a user location such as AppData and create the shortcuts
Scott CSenior EngineerAuthor Commented:
Thanks.  I thought I had closed this question.
JohnBusiness Consultant (Owner)Commented:
Thanks for following up - appreciated!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.