Re: Installing Software without being Local Admin?

This may not be possible if they have to reinstall the software all the time. The normal way to do this is to monitor the program and see what registry keys and files the program modifies then change the permissions on those items so that the user has modify permissions. The problem you may run into is that uninstalling then reinstalling may reset the permissions. Here are a couple of programs that will help with seeing what registry keys and files the program uses.

http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx

http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

If they are running this ill behaved program on laptops you are about to hit a roadblock that probably can't be overcome. Laptops with XP are becoming hard to find. There will come a time where you will only be able to find laptops with Vista. If the program is this ill behaved it is very likely it won't work at all in Vista.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


"Ben" <benb@xxxxxxxxxxxxxxxx> wrote in message news:umM3uZdzHHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Some of you may remember back in June I posted a topic entitled 'Network Computer Games on Business Machines' which detailed the problem we were having with some of our users installing software & games on their machines, as they were local admins (against my recommendations). A number of people posted replies, including PA Bear, Malke, Aaron etc with advice, and recommendations including presenting the directors with a risk analysis. Well I went on holiday the following week, and while there wrote up a fairly long, detailed risk analysis, which I gave to our directors when I returned.

Surprisingly they actually accepted and agreed with the risk analysis, and decided to back me in removing all users from the local admins group!

This was going well on most of our users workstations, with little or no side effects. I decided to use VM workstation for our developers who needed to install/uninstall development software, allowing them to be local admins on their virtual system, but not the base system. Then we came to our business analysis/modelers. They use a piece of business modelling software that is quite flaky, and they have to keep installing/uninstalling and applying fix packs to get it to work, all this means they need admin rights. Also this software seems to require a minimum of 1 & 1/2GB ram to run, 2GB to run smoothly. These business modellers all have Dell laptops, as they are mobile consultants, which have a max 2GB ram installed. I tried setting these guys up with VM workstation, as local admins so they could install/uninstall, and assigning all but 256mb of the systems ram to the image however the modeller software ran so painfully slow, that users could type a sentence and practically make a cup of tea before it would show up on the screen.

Personally I don't think this software is fit for purpose due to the bugs and crashes users have experienced, and the fact it requires nearly 2GB of ram to run smoothly isn't practical for use on laptops, so I think we should be looking at another product. However, the software is from one of our business partners, and this means we have to use it. So I need to find someway of allowing users to install fix packs/re-install the software, without giving them full local admin access. I don't think virtualisation is going to work because of the memory problems.

One solution I guess would be to setup a generic local admin user on all business modeller machines, and get people to use the RUNAS command when executing the install, however I think this maybe a little complex and confuse some of our users, and it also risks letting those that do understand it, install other software, or get access to areas, such as control panel>user accounts or system, when we don't want them too!

Is there any other way we can allow users to just install specific software, without being local admins, or giving them access to a local admin account? How do other companies deal with issues such as this, or does this seem like a fairly unique situation?

Any advice, recommendations much appreciated!

Ben


.

Relevant Pages

  • Installing Software without being Local Admin?
    ... Computer Games on Business Machines' which detailed the problem we were ... as they were local admins. ... someway of allowing users to install fix packs/re-install the software, ...
    (microsoft.public.security)
  • Re: Installing Software without being Local Admin?
    ... Some of you may remember back in June I posted a topic entitled 'Network Computer Games on Business Machines' which detailed the problem we were having with some of our users installing software & games on their machines, as they were local admins. ... So I need to find someway of allowing users to install fix packs/re-install the software, without giving them full local admin access. ...
    (microsoft.public.security)
  • Upgrade to XP
    ... I bought 2 used laptops from a small business. ... Will XP install over 2000? ...
    (microsoft.public.win2000.applications)
  • Re: Issue Installing R2 CD on Existing install
    ... I assume that this is combind with the failed R2 install as it was working ... <title Windows Small Business Server Setup ...
    (microsoft.public.windows.server.sbs)
  • RE: "companyweb" not working since Windows Server 2003 Sp2 installed
    ... If the issue is urgent to your business, it is recommended that you contact ... Microsoft Customer Support Services via telephone so that a dedicated ... Support Professional can assist you recover the server in a more efficient ... sub-components are selected to INSTALL. ...
    (microsoft.public.windows.server.sbs)