Is there a way to allow users to install a specific program without opening full admin rights?

1

We have an automated builder that creates a "setup.exe" installer file which can then be downloaded by users in our organisation for QA testing. They download the file via a browser from a "review/test" website which is accessible only from inside our network.

The problem is that we have updated our AD server and group policies since the last program release, and these users had their local administration rights revoked.

Is it possible to add an exception for a specific installer? Please bear in mind, this installer will be rebuilt several times and we don't want to have to create a sepcific exception for each new test release.

HorusKol

Posted 2012-11-29T23:30:21.583

Reputation: 248

Can the program actually be ran without installing it? It sounds like you should have specific hardware setup where users would actally test installing it after you were done with a build. Furthermore its entirely possible to install an application without admin rights if it doesn't require admin right to be installed. If it does then its required, and while you can create exceptions so your users can install it, thats not a good way to test it. Why don't you just provide just the files to these users, and they can, update the program by hand ( without installing it ). – Ramhound – 2012-11-29T23:45:09.677

These QA users are highly non-technical, and we ideally would like them to have as simple an install as possible. There are no admin rights required to run the program once installed - in fact, there isn't even a registry setting involved. It's just Windows ACL requires admin privileges for any setup.exe type installer. – HorusKol – 2012-11-30T03:45:42.903

Answers

1

Can't you have an MSI?

http://support.microsoft.com/kb/816102#method3

Start the Active Directory Users and Computers snap-in.

To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

In the console tree, right-click your domain, and then click Properties.

Click the Group Policy tab, select the policy that you want, and then click Edit.

Under Computer Configuration, expand Software Settings.

Right-click Software installation, point to New, and then click Package.

In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \file server\share\file name.msi.

Make sure that you use the UNC path of the shared installer package.

Click Open. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.

Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers snap-in.

When the client computer starts, the managed software package is automatically installed.

Another option is:

  1. Create a an user with privileges on the machines.
  2. Install CPAU

  3. Run CPAU with the -enc and -jobs switches (and the admin user) to encrypt the file

    "cpau -u domain\pcadmin -p password -ex "setup.exe" -enc -file install.job" - creates job file called install.job to run setup.exe as domain\pcadmin.

  4. Run cpau with -dec -file switches to run setup.exe as saved in the previous step.

    cpau -dec -file install.job -lwp

Luiz Angelo

Posted 2012-11-29T23:30:21.583

Reputation: 1 297

How would I go about keeping the MSI up-to-date and making multiple versions available for download/testing? – HorusKol – 2012-11-30T03:46:28.677

Sorry, can't help you there. I don't know how MSI works. Have you read the link? I think you would have a different entry/file for every version. But I can't be sure. – Luiz Angelo – 2012-11-30T04:11:24.457

@HorusKol - The simple way would be to update a single version until each version is released. Once you do it once your follow-up question would answer itself. – Ramhound – 2012-11-30T09:15:19.103

Asked: 2012-11-29T23:30:21.583

Viewed: 12 824 times

Active: 2012-11-30T01:58:55.523