Hello wizards, A pretty simple question, to which I fear not just a straight forward answer ... On my project we are in the process of creating our Windows7 image and it's security baseline for a rollout to +15000 clients. To tackle non compliancy on the clients (virusses, malware, installed software, ...) we do not want to grant any end user local admin permissions anymore. Of course, sometimes a user (developer mostly) will need to install a tool locally. So my question: how can I give a user permission to install a software, without giving him local admin rights on Windows7. Also "run as administrator" is not possible, since the user will not have access to this daily cycled password. Unfortunately, we do not have an infrastructure in place YET that can support a virtual dedicated environment for development, so on short term, that is not an option. Thanks in advance for any/all input.

Hi, By default, software installation requires the administrative privilege, if you install the software under a standard user account, you need to provide the password and the administrator account for credential prompts. To allow the standard user to install a software, maybe you could deploy this software through Group Policy. Please refer to: How to use Group Policy to remotely install software in Windows Server 2003 and in Windows Server 2008 Best Regards DalePlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

For that number of clients, I would suggest using the Software Distribution capabilities of SCCM. Regards, Salvador Manaois III C|EH MCSE MCSA MCTS MCITP(x4) ---------------------------------------------------------------------------- Bytes & Badz: http://badzmanaois.blogspot.com My Passion: http://www.flickr.com/photos/badzmanaois My Scripting Blog: http://sgwindowsgroup.org/blogs/badz

The following is a recommendation we received: " ..staff require the ability to manually install applications on an ad-hoc basis. " By enabling the Group Policy setting Always install with elevated privileges , Windows Installer installs all programs using system permissions instead of the credentials of the currently logged in user. This enables users to install applications without their accounts being members of the local Administrators group and without the use of the local Administrator account. Recommendation Knowledgeable users can exploit this setting to permanently grant themselves elevated privileges, however this is also the case with the current arrangements. If this setting is permanently enabled, malware can exploit the ability to make changes in the system context.