Announcement

Collapse
No announcement yet.

Servers & Win 7 privileges ???

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Servers & Win 7 privileges ???

    Okay . . . I don't think I have any hair left . . .

    We set up an satellite branch with 20 Users using Windows 7. I implied an GPO to locking down the users but there are certain programs that are driving me crazy

    --- Adobe Acrobat will not update until Admin credentials are entered.
    --- Java (Which I hate but many users go to gov't site) Needs Admin credentials to update

    It kills me to remote in just to update these programs.

    Anyone ? script/batch file ? GPO setting I missed ? Its just for updates I need this. HELP

  • #2
    Re: Servers & Win 7 privileges ???

    What you might do is install them using Group Policy. Using MSI packages it's straight-forward, and you use the full package each time. And each new version would be installed in the same policy, marked as an update to the previous one. The old one is uninstalled and the new one installed.

    You can get a re-distribution license from Adobe by simply requesting it. you fill a short questionaire and they send you an email which makes it legal for you to distribute their product. I think there may be something along the same lines for Java, but am not 100% certain on that one.

    If either or both are not available as MSI packages to install, then create a BAT file to do a command-line install for each package, and assign that BAT file in the policy. This is how we do this where I work.

    Since the users aren't involved at all, permissions don't come into it. the only drawback is that you have to prepare the updates to install. But at least you're not tied up with updating each PC in turn. There are settings in Java to disable update checking, and I think also for Adobe, so if those are set when they're installed, the users don't even get a prompt for an available update.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

    Comment


    • #3
      Re: Servers & Win 7 privileges ???

      I agree, this is a PITA!

      I automatically give all our staff admin priviledges on their PC's so they can install updates to acrobat, reader, java, install programs from scratch, install drivers etc.

      The number of updates that are released for Java alone still make centrally installing it via a GPO a PITA. If I had the patience and the time to do it I probably would.
      A recent poll suggests that 6 out of 7 dwarfs are not happy

      Comment


      • #4
        Re: Servers & Win 7 privileges ???

        Originally posted by Blood View Post
        I agree, this is a PITA!

        I automatically give all our staff admin priviledges on their PC's so they can install torrentz, malware, games....
        Fixed it for you
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Servers & Win 7 privileges ???

          Originally posted by Ossian View Post
          Fixed it for you
          Luckily, I don't work in an environment like that, nor with people who have such a crass attitude to computing. Security software is in place that monitors for those types of products. I understand my approach is not for everyone, but I'm lucky enough to work with people who work *with* me, not against me.
          A recent poll suggests that 6 out of 7 dwarfs are not happy

          Comment


          • #6
            Re: Servers & Win 7 privileges ???

            I have to say you are incredibly lucky then -- my experience has invariably been that, given the chance to do something they shouldn't, users will try to do it (e.g. entire iTunes collection in redirected profile folders , or installing "dodgy" copies of AutoCAD because they didn't want to bother their manager)

            What is your secret?
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: Servers & Win 7 privileges ???

              haha - the network is small enough that I can easily monitor what goes on. I've been working with some of the people for over 20 years, all the staff who work for our organisation are there because they want to be - they are a dedicated bunch, and are mature, responsible and highly educated people.

              There are times when the odd thing goes wrong, but the staff inform me immediately when they see something 'out of character'.

              Like I said, I'm lucky

              If I had to work somewhere else I would adopt a completely different approach and lock everything down.
              A recent poll suggests that 6 out of 7 dwarfs are not happy

              Comment


              • #8
                Re: Servers & Win 7 privileges ???

                If you've discovered some means of maintaining that sort of 'adult' behavior from your users, please let the rest of us know what you put in their food to do it!!

                I can't trust anyone in our area to do the minimum we as IT ask of them, yet each & every one of them expects us to prioritize their issue/question/self-made crisis as the most important, to the exclusion of all else. But I hear the same complaints from anyone I know in other IT depts.

                Oh, to be in your shoes!
                *RicklesP*
                MSCA (2003/XP), Security+, CCNA

                ** Remember: credit where credit is due, and reputation points as appropriate **

                Comment


                • #9
                  Re: Servers & Win 7 privileges ???

                  How about disabling automatic updates for those two abominations?

                  Comment


                  • #10
                    Re: Servers & Win 7 privileges ???

                    [rant]

                    This is something that I get quite annoyed about.

                    In our environment staff use different applications depending on their job. Sometimes they may need to install applications that are specialised and then update them as required. They may need to attach devices and install drivers.

                    We don't have a standard desktop that can be rolled out to every user.

                    Our security software includes application control features that list browser plugins, torrent software, proxies, games etc etc. I use this to allow/deny different types of applications. It also includes behavioural monitoring as well as the standard old-fashioned signature database for known malware and a firewall that is configured to block by default and which I update as required. USB devices, CD/DVD's etc are not allowed to autostart, web filtering is employed, and the movement of data between our network and removable devices is logged.

                    I trust the security software to do its job. If an application is installed that is not allowed to run a desktop alert is displayed informing the person that the application/installation has been blocked and that they should contact the admin if they want to run it. This works great as new installations of, for example, Java include the Ask Toolbar and some staff don't watch the install screens and just click next, next next without unchecking the option to uninstall it. An alert is then displayed and the toolbar is prevented from running. I can see all these alerts and see what the firewall is blocking so can act upon that info.

                    My point? They see the alert and they know that software is being pro-actively monitored. This helps to engender a positive attitude towards being responsible when installing software. Most of the time they ask me if they can install a particular piece of software - I research it, and then allow it if it's OK. This applies to things like, for example Tom-Tom GPS apps that they use to update their car's navigation devices so they have the most up-to-date maps for their journey to a particular meeting etc. Or, the team that undertake geophysical survey work may need to install a particular piece of analysis software, the GPS surveying team also, the finds staff who use digital microscopes.

                    If these people were unable to install the software required I would spend much of my time running around the office providing my credentials so they could install the software, and again each time they were updated - what a nightmare.

                    In my view, computers are there to be fully exploited by the staff. Allowing them to use them in the way that suits them, and which allows them to personally control and customise their software environment is a positive thing.

                    The security software and the GPO's are designed to mitigate against the threat of malware infestation or other abuse. I also teach staff about PC security. I offer free support to all the staff for their home devices and have had to de-gunk several machines. However, they learn from that and carry that experience over to their work place.

                    The onus is upon the staff to use their PC's responsibly. This is also laid out in the AUP. They know they can ask me for assistance/advice at any time.

                    Luckily, I work in a small network so all this is possible. I understand that for those admins who work in larger environments this is not possible - I think that application white-lists are the way forward - if it is not on the list it is not allowed. Give staff the ability to use their PC's positively. Preventing them from installing software chains them to an inert uninteresting device and contributes to lower moral in the workplace.

                    We need more intelligent security software that works towards allowing the user to use their machine rather than crippling it by trying to stop the unknown and monitoring every piece of software that is running as well as the OS system processes.

                    [/rant]
                    A recent poll suggests that 6 out of 7 dwarfs are not happy

                    Comment

                    Working...
                    X