Giving standard user access right to do window and anti virus update for standalone windows 7 PC
Hi, I had 5 PC installed with windwos 7 prof. each had an admin account and 2 standard user account. Each PC is totally standalone with NO connection to any domain or network or internet access. Each PC UAC is set to the highest to prevent user from installation of any software or making any changes to the system file. Each PC control Panel had being disable in the gpedit.msc prohibit access to control panel. ** Can someone advice me how is it possible to allow the user to do ONLY windows update and anti virus with the used of thumbdrive when they don't have the right to do other thing that will mess up the system like installation of software or changing system setting etc.. where all the update package .msu and for anti virus is a .exe (Mcafee anti virus) or any other mean of window & anti virus update. Thanks in advance Soong
May 24th, 2012 10:40pm

I would suggest a simple workaround: Create the batch file that contains all update procedures and that takes update files from USB. Create scheduled task that will start at night. In addition to this create simple task with script that contains one line shutdown -s -f -t 0 . In BIOS set the wake up at night before the first task is scheduled to run. The second scheduled task starts at reasonable time after the first task. You can even schedule the antivirus to do a full check at night. The scheduled tasks are running either as administrator or as SYSTEM. You can add an verbose envelope into your scheduled windows task the redirect output to log file. Every output is concatenated. Another task can erase or compress and save files say every first day of month. Parameter f in shutdown script is very important in the case, when you set policy in such a way, that users cannot shutdown computer(s) when any removable medium is in computer (USB, diskette, CD/DVD) Regards Milos
Free Windows Admin Tool Kit Click here and download it now
May 25th, 2012 3:40am

hi milos, firstly thanks for the reply. I do like to check with you, does it mean that i had to create a batch file and a scheduled task (e.g. every month once)using an administrator or system account first? (is this done as an initial setup? ) then e.g. (normal user account)every month before the task start i edit the batch file base on the new update requirement and save it? and one last time i do like to check is do i need to do special setting or command on the batch file created e.g. like administrator right kind of thing.? (sorry for this "stupid" question as I not very good at scripting, I'm Googling on how to write this batch file.) Soong
May 27th, 2012 9:35pm

Hi, Milos Puchtas idea is good, I think the thumb drive letter is changeable and the patches are different every time, so the batch file should be modified frequently. Youd better redirect to Script Center forum for further assistance. Script Center http://social.technet.microsoft.com/Forums/en-US/category/scriptingIvan-Liu TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
May 28th, 2012 4:11am

1. The batch file need to be prepared one times as well as scheduled task as recurrent one. 2. Unless the user leave the dvd in drive, the same disk is assigned to USB. See the article on reserved drive letter here http://www.petri.co.il/control-usb-drive-letter-assignment-in-windows.htm 3. When users are isolated and does not work with removable media, chances are that you need not do updates very often. Otherwise you should do the updates on daily schedule because of antivirus updates. 4. For scheduled task use the least priviledged "user" rights that do the task. 5. Preparation of updates on another computer does not interfere with target computer. Use KB and/or Microsoft Catalog http://catalog.update.microsoft.com to extract needed updates Regards Milos
May 28th, 2012 7:48am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics