Announcement

Collapse
No announcement yet.

Software Installation and CD Writing

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Software Installation and CD Writing

    Hi,

    I am having some issues with win2k3 domain.

    I want user to be able to install the software & write cd's how can i do that using group policy.

    I know i can add users into the local admin group but this is not the solution so i am looking for something using group policy.

    thanks

    Best.

  • #2
    Re: Software Installation and CD Writing

    Originally posted by imdabest View Post
    I know i can add users into the local admin group but this is not the solution so i am looking for something using group policy.
    As for users installing software, there are only one way that I am aware of to allow this without assigning local admin rights to users. Through GPOs, you could assign complex permissions to users' file systems based on exactly what registry keys and folders the software package needs to have access to and then revoke those permissions after the software installation. That is complexity beyond measure and it would probably cause less headaches to just let the users have local admin privileges.

    Users can be "users" and still install software using other methods though. The first is to to assign software to the user's computers via Group Policy. This restricts you to using only MSI software packages which not all software titles have. Of course, you can make your own MSIs, but that's an added layer of complexity and cost.

    Next, you could use some kind of IT management suite such as SCCM 2007, LanDesk, etc. that is agent based and can install software without the local user being an admin. If I'm remembering my SMS 2003 correctly, users can see a list of the software packages that are available to them and select which ones to install and the SMS/SCCM agent account does the installing. That's a big expense as well as adding more complexity than you may want at the moment, but if this need is pressing enough (and you can get enough training) it can be quite an elegant solution.

    In short, unless I'm missing something obvious (or obscure...) it is very difficult (if not impossible) to allow users to install software without them being local admins.
    Last edited by Nonapeptide; 21st March 2009, 16:50.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

    Comment


    • #3
      Re: Software Installation and CD Writing

      It is possible to create your own MSI cheaply, I believe with no cost, by using 'wininstallle'. I believe that MSIs when assigned or published can run with elevated priveleges, so the user does not need to be a local administrator.

      Should the user need to be a local administrator to use the program once installed, it is best to grant them 'modify' NTFS permission for a group the relevant users belong to and use a CACLS script via a GPO to make changes in bulk or of course, make sure the permissions are set when creating your MSI.

      Comment


      • #4
        Re: Software Installation and CD Writing

        Originally posted by Virtual View Post
        It is possible to create your own MSI cheaply, I believe with no cost, by using 'wininstallle'.
        Neat! I'll have to take a look at that!

        Originally posted by Virtual View Post
        I believe that MSIs when assigned or published can run with elevated priveleges, so the user does not need to be a local administrator.
        My understanding of group policy software installation was that the only way you could install software without elevating users' permissions was to assign it to computer objects.
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

        Comment

        Working...
        X