Windows 7 local administrator
Hello wizards,
A pretty simple question, to which I fear not just a straight forward answer ...
On my project we are in the process of creating our Windows7 image and it's security baseline for a rollout to +15000 clients. To tackle non compliancy on the clients (virusses, malware, installed software, ...) we do not want to grant any end user
local admin permissions anymore. Of course, sometimes a user (developer mostly) will need to install a tool locally.
So my question: how can I give a user permission to install a software, without giving him local admin rights on Windows7. Also "run as administrator" is not possible, since the user will not have access to this daily cycled password.
Unfortunately, we do not have an infrastructure in place YET that can support a virtual dedicated environment for development, so on short term, that is not an option.
Thanks in advance for any/all input.
July 19th, 2010 5:15pm
Hi,
By default, software installation requires the administrative privilege, if you install the software under a standard user account, you need to provide the password
and the administrator account for credential prompts. To allow the standard user to install a software, maybe you
could deploy this software through Group Policy. Please refer to:
How to use Group Policy to remotely install software in Windows Server 2003 and in Windows
Server 2008
Best Regards
DalePlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 12:07pm
For that number of clients, I would suggest using the Software Distribution capabilities of SCCM.
Regards,
Salvador Manaois III
C|EH MCSE MCSA MCTS MCITP(x4)
----------------------------------------------------------------------------
Bytes & Badz:
http://badzmanaois.blogspot.com
My Passion:
http://www.flickr.com/photos/badzmanaois
My Scripting Blog: http://sgwindowsgroup.org/blogs/badz
July 22nd, 2010 12:33pm
The following is a recommendation we received:
" ..staff require the ability to manually install applications on an ad-hoc basis. "
By enabling the Group Policy setting Always install with elevated privileges , Windows Installer installs all programs using system permissions instead of the credentials of the currently logged in user. This enables
users to install applications without their accounts being members of the local Administrators group and without the use of the local Administrator account.
Recommendation
Knowledgeable users can exploit this setting to permanently grant themselves elevated privileges, however this is also the case with the current arrangements. If this setting is permanently enabled, malware can exploit the ability
to make changes in the system context.
Free Windows Admin Tool Kit Click here and download it now
August 13th, 2010 5:25am