Allowing users to install software (admin, software restriction policies)
Hi all,We are about to roll out windows 7 and have run into a snag with software installations. Users have a domain account in user context which they use to log on to their systems. Every once in a while a user needs to install business related software, having them send that software in to IT to have it packaged and added to SCCM is usually not an option as they need the software "right away". We didn't want to make users admin on their own machine so we thought it might be possible to use a domain account (with local admin privileges) with a constantly changing password to install software when prompted for credentials. So far this works great but the users can also use this account to change system settings, add themselves to local admin group, etc. I've tried to counter this with software restriction policies (dissalow everything except msiexec.exe) but the SRP doesn't apply when using runas for some reason. Even a simple rule like allow everything and dissalow cmd.exe will not prevent cmd from starting when using runas.Is there a way to make SRP work when the policy is applied to an account only used for runas?Is there a smarter way to allow users to install software (after having called to our servicedesk to obtain a password/code/etc) while staying plain vanilla user?Thanks for any advice,Cheers, Michiel
March 10th, 2010 1:45pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics