5

How do I configure non-admin users to allow them to install updates for Java and Adobe Acrobat Reader (or any other application which may need such privileges) without needing an administrator password on Windows 7? Updates for Microsoft products install without problems.

This can be an Active Directory (Windows 2003) solution, or computer-based (employable through GPO or login script).

Edit: Just to add some information. I know Secunia offers Secunia CSI, which integrates with WSUS and allows other software updates to be deployed through it. But it's pay software, which is something I would like to avoid.

Also, giving admin/power-user rights is not something I want to do, since it opens up additional security holes.

MadBoy

3 Answers

5

Package the updates as MSI with your favourite packager (if they're not already in a suitable MSI format) and deploy them using Active Directory's built-in deployer. This will not require any administrative rights on the clients. It can become tedious though; that's where patch management and software distribution suites come into play.

Also as a side note, Power User is basically the same as Administrator when it comes to security, so it's not really any better than Administrator.

Oskar Duveborn
  • +1 for MSI/GPO software deployment. However, I must take issue with "Power User is basically the same as Administrator". I'd personally turn that round and say 'Power User is basically the same as a standard user', which it is, because the only difference is that a power user has modify access to a few areas of the file system and registry that standard users normally only have read access to. Administrator has way more rights than a power user. Most software can be installed with power user rights though, with the exception of anything that attempts to alter or create services. – Bryan Apr 26 '10 at 06:48
  • Thanks ^^ Well, most local elevation exploits work fine as Power User, that's why I'm bundling it in the "no go" zone. It might be true though that it prevents "normal" users from changing too much stuff, I wouldn't know, but installing software is definitely a scary part that easily leads to a compromised system in my opinion. – Oskar Duveborn Apr 26 '10 at 07:02
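An added example, not part of the original answer or comments: a related, script-based way to push an MSI update without giving users any rights is a computer startup script assigned through Group Policy, which runs as Local System. The share, product name, version and signer thumbprint below are hypothetical placeholders, and the script is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: computer startup script (assigned via GPO, runs as Local System).
# Every path, product name, version and thumbprint here is a hypothetical placeholder.
$MsiPath           = '\\fileserver.example.local\Deploy$\ExampleReader\ExampleReader.msi'
$DisplayName       = 'Example Reader*'              # matched against the uninstall DisplayName
$TargetVer         = [version]'11.0.10'             # version contained in the MSI above
$TrustedThumbprint = 'PLACEHOLDER_SIGNER_CERT_THUMBPRINT'
$LogFile           = Join-Path $env:windir 'Temp\ExampleReader-update.log'
$MsiLog            = Join-Path $env:windir 'Temp\ExampleReader-msiexec.log'

function Get-InstalledVersion([string]$NamePattern) {
    # Look in both the native and the 32-bit-on-64-bit uninstall hives.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion }
    $versions = @()
    foreach ($f in $found) {
        try { $versions += [version]$f.DisplayVersion } catch { }   # skip unparsable versions
    }
    if ($versions.Count -eq 0) { return $null }
    return @($versions | Sort-Object -Descending)[0]
}

$installed = Get-InstalledVersion $DisplayName
# Update only: leave machines alone if the product is absent or already current.
if ($installed -eq $null -or $installed -ge $TargetVer) { exit 0 }

# The script runs as SYSTEM, so refuse any package that is unsigned, altered,
# or signed by a certificate other than the expected publisher's.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $TrustedThumbprint) {
    Add-Content $LogFile "$(Get-Date -Format s) signature check failed: $($sig.Status)"
    exit 1
}

# Silent install, no forced reboot, verbose Windows Installer log.
$msiArgs = "/i `"$MsiPath`" /qn /norestart /L*v `"$MsiLog`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
Add-Content $LogFile "$(Get-Date -Format s) msiexec exit code $($proc.ExitCode)"
exit $proc.ExitCode
```

The deployment share should grant read access to the computer accounts and write access to administrators only, since anything placed there is executed as SYSTEM on every targeted machine.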
1

I set their systems to be managed in AD and then I just right click the machine name, click on manage, and then temporarily change their permissions. I give them 2-4 hours to do what they need to, and then I set it back.

You can set up group policy and apply it to a new OU and put their computers in there. The only problem is that I am unable to do so with Windows 7 users. I manually have to touch the local gp on their machines. I put it as part of my build checklist or change the gp when I am working on their system.

Apparently, I will be able to set it up for the W7 machines when replacing my DC with Windows 2008 R2.

My two cents.

  • It's a nice idea but it also means I will have to trust them, which makes it a bit of a pain :-) – MadBoy May 20 '11 at 09:04
0

Well, you really do need to give the person doing this admin rights on each local PC. You might get by with power user rights (depending on the software that needs updating), but it's unlikely.

Here is how I would approach this...

Create user account(s) on your domain for the people that are going to do this work, create a group called something like 'Local Admin Rights', add all the new accounts to the group.

Using Active Directory Users and Computers, create a policy on the computers' containers, and implement a restricted groups policy to force the domain group 'Local Admin Rights' to be a member of each computer's 'Administrators' group. Take care to place the policy so that it only affects the computers you are interested in (i.e. take care to avoid this server taking effect on your servers).

Bryan
  • Well, it's not what I'm looking for. I used to have all people admins on their computers and it was working fine, but they installed some stuff I didn't want, and did some unwanted things. So I would prefer to keep them simple users with the ability to install updates to software I specify. I do know about Secunia offering an add-on to WSUS but it's a pay solution. – MadBoy Apr 25 '10 at 18:09
  • Ah okay. I somehow got the impression you wanted tech staff to be able to install software on all desktop PCs. We deploy almost all our software (and updates) via the method Oskar describes. – Bryan Apr 26 '10 at 06:41