about users without admin rights installing programs?

  • Thread starter Thread starter Puppy Breath
  • Start date Start date
P

Puppy Breath

Are you sure about that? Don't you have some kind of role-based access
control through Active Directory or something, where you can control things
more precisely? You just let everyone download anything and everything they
want in an organization that large? Seems like it would be an administrative
nightmare. I mean, it’s none of my beeswax. I've just never heard of such a
thing.

Anyway, you wouldn't have to give them admin rights just to let them install
programs. Go into Local Security Policy and set the option to prompt for
elevation on program installs to Disabled. (It's enabled by default).
Standard users can then install programs without elevation prompts or
administrative passwords.

You have to log into an administrative account first. Standard users can't
elevate to get there. Once you're in an admin account click Start, type sec
and click Local Security Policy.
 
You' may be kiddin' me. And if not, no offense. But I can't wait to tell the
network and security admins at Lockheed-Martin about this. They'll have
nightmares about it for weeks - heh heh.
 
After setting "User Account Control: Detect application installations and
prompt for elevation." to Disabled in Local Security Policy, I was able to
install from a local folder, a CD, and a couplr (but not all) Web sites from
my standard user account without being prompted for admin password.

I still got prompted for elevation when trying to download and install Opera
and QuickTime. Not sure why. Could be an Internet Explorer thing. Not sure.

Also while in my Standard account a typed up a doc in Word 2007. During save
I navigated the C:\ root, created a folder there, and saved to that folder.
No problem, not prompts for elevation.

Hope that helps. Obviously you'll have to look into it some more. But it's a
start.
 
We have over 100,000 employees and for the most part we have had to give them
all local admin rights on their computers so that they could install their
own software and run programs that traditionally needed admin rights for
updates as well. What i am wondering is if we could now get around this with
the new implementation of the UAC in Vista?
 
Bill

The best practices recommendation for that many users would be to have them
all use Standard User accounts. If they try to install a program, or any
other process that needs administrative rights, they will be prompted to
enter the name of an administrative account and password to continue. They
should not be using an administrative account for day to day work.

I'm assuming that these 100,000 users don't have carte blanche to install
any software that they wish to, without some in place procedure to obtain
permission from a network IT manager.
 
Unfortunately I am sure about that. I am one of the Global admins. I'd tell
you the company name but I'm not sure that would be a wise move on my part.
Let me just say that we are one of the top 3 in the Oil and Gas industry
worldwide. Problem is that our 100,000's of field workers spend 3/4 of their
time out of our reach in very remote locations. We tried with Power User
accounts in the past and it was a nightmare. They have to be able to install
programs in the field when they fail and some of our in house software
requires write permission to the root drive. As you have already guessed
this is an administrative nightmare, but field users need this flexability or
each of them potentially can lose hundreds of thousands of dollars a day if
they are down. So they need install rights as well as being able to write to
a folder in the root?
Are you sure that standard users can still do this with disabling the prompt
for installs for a standard user? This is something of what we are after
with Vista? Problem is I only have 4 months before the rollout to get this
sorted out or things will remain as they are. Thanks:)
 
Unfortunately the way things are they do have carte blanche and I'm sure you
know well why we need this to change. The reason it's this way I described
in my reply to the other fellow. Our field users are often in remote
locations and we only see them maybe once a month. They have to be able to
install software in the field in the event of a software unrecoverable
failure and for our in house apps which write to the root of the drive?
These guys work jobs daily that are worth 100's of thousands of dollars and
up. They can't be blocked from making software changes or we would lose a
rediculous amount of money. One caveat there would be that these guys are
great with an oil well....but terrible as far as computer skills go. It's a
real problem for us and we were hoping our Vista release in a few months
might help change this old problem finally?
 
I haven't actually tried it in the RTM release, but I'm reasonably sure. Do
you have a copy of Vista there so you can test for yourself? Check on that
root folder access too.

I'll test both when I can get to it. But there are plenty of people here who
either already know for sure, or can try it out.

The remote locations explains a lot. But I won't mention that to the
Lockheed guys. These guys have to worry about government Secret, Top Secret,
and higher sensitivity labels, and as such are duly paranoid about every bit
that flows across the network. So you can imagine how the thought of 100,000
users with admin rights would give them nightmares ;-)
 
Yes, we have some very strong group policies in place to be sure. Just not
with regard to installing software. Our SMS servers keep track of all users
software and the desktop team removes that which we don't want, but they are
still able to install their own software and of course they do. It is a
nightmare but so far we have been unable to get around this. Allot of it has
to do with our own in house software and the way it is designed. Users need
to have admin rights because it alters system folders.
I will test this out on Monday to see how it works out. Thank you for your
time:)
 
Tough situation!

The only way I can see to make this work and still retain at least some of
the security that Vista provides would be to teach these users how to
temporarily override the User Account Control when there are no other
options.

However, if they have been using a previous version of Windows and still
maintaining security, I don't know of a reason why they can't just use an
elevated administrator account to work with.

You mentioned some in house apps. Are these apps located on the corporate
network or are they connected to the corporate network when they are using
their systems?
 
Yes I do. I've been using Vista for about 6 months now. I hated it for the
first few days but now I'm sold and I wouldn't go back to XP. I would try it
now but I need to set up a standard user test account. Obviously it would
not work with my account being a global admin and I don't want to install all
the crap in house software I need to test on my pristing machine:) I will
post my findings on monday as well. Your advice sounds like a very good
place to start.
As for the admin rights they are only local admins so the damage they can do
is at least minimized. Our group policies keep them away from any sensitive
data although I know it is still a potential security problem.
I hear you about the nightmare. You're absolutely right. Cheers,
Bill
 
It is tough. It would be nice to teach these guys but that would be an even
worse nightmare I think. These guys for the most part are roughnecks to the
core. They know their jobs inside and out but learning something new is just
not something they will be happy with. Most would just skip that and call
desktop when they hit a snag. Old dog and new tricks kind of thing... Just
out of curiosity what did you have in mind with regards to over riding the
UAC. We do have some global accounts set up on each machine for this option
with local admin rights already?

We are somewhat used to having them use local admin rights but as you guys
already pointed out they install all kinds of garbage and about 60% of our
help desk calls are the result of users making system changes that they
should not have made or instaled software we don't support. It would be nice
to not allow them install software that they require and not that which they
use for personal reasons.

The in house apps connect to the corporate network via satellite links.
Problem is that we can't block all the other sites on the net that users try
to access. Many we do, but you can't get them all. The updates for our in
house apps install to system folders and without admin rights they have
traditionally not been able to complete this. Cheers,
Bill
 
Yes that does help allot. Thanks a bunch! I will post the results I get and
I will try and find why our internal apps require admin rights as well.
Seems it's the same sort of thing as the quick time thing you mentioned but
we'll see. Thanks again:)
Bill
 
Bill

<Just out of curiosity what did you have in mind with regards to over riding
the
<UAC. We do have some global accounts set up on each machine for this
option
<with local admin rights already?

Well, you can temporarily override UAC by elevating the current, logged on
administrator to full privileges. This will last until the next
log-off/log-on or reboot. Here's how.

You can use the following procedure to temporarily disable UAC. (User
Account Control)

Warning: using this procedure will make the system more vulnerable.

1. Right click the Taskbar and select Task Manager from the menu.
2. Click the "Show Processes from All Users" button at the bottom of the
window. This will put the Task Manager in Elevated Mode.
3. Locate the "Explorer.exe" process. Right click this process and select
"End Process" from the menu. This will kill the Shell.
4. In the Task Manager, select File / New Task. Type Explorer.exe and
click OK. (Notice the "This task will be created with Administrative
privileges" message) This will restart the shell.

Everything you do in this mode will run with the elevated administrator
privileges.

When you are finished, simply log off and log back on with your normal
account or reboot.

Another way is to enable the built-in administrator account. (This account
is disabled by default) Again this is not recommended.

Go to Start and type cmd right click cmd.exe and select Run as
Administrator.

Type the following command.

net user administrator /active:yes (Note the spaces and colon)

Press Enter.

This command will enable the built-in administrator account on the Welcome
screen when the pc is rebooted.
 
Back
Top