Allow users to install software on thier desktops without being a Local Admin

Scott C
Scott C used Ask the Experts™
on
Does anybody know of a way to allow users to install software on their machines without being a Local Admin?

This is kind of a unique situation where our users have the potential to be able to "install" hundreds of .exe and .msi files.  The "install" programs are essentially contain data and this data is copied to a specific location during the install.

Installing via GPO or SCCM isn't an option as there are potentially 100's of programs that can be installed.

Below is the link for the software and all of the programs that can be installed just so you have an idea what I'm talking about.

http://us.krohne.com/en/dlc/software/

At this point I can only see granting local admin rights, but wanted to see if anybody had any creative solution.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
Installing via GPO or SCCM isn't an option   So that leaves out Beyond Trust and the like tools that do this via GPO settings. And I agree with your observation.

I can only see granting local admin rights   This is not something you should do. The impending damage is worse than you might first think. We do not let our clients install software. We manage the times we can assist them.
you could create msi packages for eacch of them then publish them and allow users to install via add/remove programs, but yes that would be a lot of work, but a once time job only.
Scott CSenior Engineer

Author

Commented:
John, I totally agree.  We don't want to grant rights as you said the potential damage is exactly what we're afraid of.

I was hoping to find something like allowing installation of programs from a particular publisher or something like that.  

I just don't see a good way of doing this outside of the "bad" way or else they contact us when they need another app installed.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
You can build click-once installers which installs into user's AppData such as Chrome when you install it without administrators rights.

Click-once installers can also be signed with a Code-signing Certificate
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Chrome is a bit different. Lots of software must write to the registry and so need real admin permissions to install.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Not correct. All registry setting are visualized in modern OS to allow it to write to HKLM without actually doing it. Anybody can that their code and build a Click-once application
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I will have to look at my software because I have software that will not do that.

So it may be correct for you but not for me.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
For those you can use ACT (application compatibility toolkit) to write shims for it. For Windows 10 it is called Windows Assessment and Deployment Kit (ADK)
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I have software that may need UAC OK'd two, maybe 3 times. I think that software will not work (as provided to me) the way you describe. I am not suggesting all software is like this - just some.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
All software can be made to work without admin rights unless it is designed to do system administration tasks.
Applications that do not work in user mode is considered to have LUA Bugs.
Scott CSenior Engineer

Author

Commented:
Thanks...you confirmed what I already knew and suspected.

Creating the .msi packages is an ok idea, but we'd be forever making these when the data changes on the website.  That is something else we'd have to monitor.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Please provide which specific software on http://us.krohne.com/en/dlc/software/ you want to install without admin rights.

If the package just contains data which is copied to a specific location, a new installer can be build to copy this data to a user location such as AppData and create the shortcuts
Scott CSenior Engineer

Author

Commented:
Thanks.  I thought I had closed this question.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Thanks for following up - appreciated!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial