Policy to restrict installs

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have set up a group policy for our call centre and want to restrict them
from doing anything on the pc’s. I have set up our proxy so they can only get
into one website and then download files that needs to be installed for them
to test. I don’t want to give them full admin rights on the pc but they need
to install only these 3 files on a daily basis.

Is there any way for me to allow them to install these files without giving
them admin rights? I have done the, Always install with elevated privileges,
on User and Computer Configuration but that is still not working.

Is there maybe a place where I can say they can only install these files and
then give the filenames or will I have to give them Local Admin rights on the
PC? Or is there a way to make them power users on the local machine?
 
MittonE said:
I have set up a group policy for our call centre and want to restrict them
from doing anything on the pc's. I have set up our proxy so they can only get
into one website and then download files that needs to be installed for them
to test. I don't want to give them full admin rights on the pc but they need
to install only these 3 files on a daily basis.

Is there any way for me to allow them to install these files without giving
them admin rights? I have done the, Always install with elevated privileges,
on User and Computer Configuration but that is still not working.
Click to expand...

Sure -- of course it depends on what you mean by "install".

Contrary to fairly common misperception, software installation in
general does NOT require any sort of Admin privileges.

In the extreme, modifying certain registry keys, adding files to the
system folder, or installing services and drivers obviously DO
require admin privileges.
Is there maybe a place where I can say they can only install these files and
then give the filenames or will I have to give them Local Admin rights on the
PC? Or is there a way to make them power users on the local machine?
Click to expand...

Give them the PERMISSIONS to save the files to an area
where the default permissions include those you wish them
to have (e.g., Full Control from the parent directory for child
files.)

If you need more, you must be more specific for us to try to
figure a solution.
[/QUOTE]
 
what I mean by "install" is, its a small (5MB) file that they double click.
It then starts to install but gives a message that they need admin rights to
install the file.

The thing is just that it's not a problem to save the file, they save it on
the network where they have full permissions. They have to install the file
to its default location and that’s where the problem is, full permissions
anywhere on the c drive.


Herb Martin said:
Sure -- of course it depends on what you mean by "install".

Contrary to fairly common misperception, software installation in
general does NOT require any sort of Admin privileges.

In the extreme, modifying certain registry keys, adding files to the
system folder, or installing services and drivers obviously DO
require admin privileges.


Give them the PERMISSIONS to save the files to an area
where the default permissions include those you wish them
to have (e.g., Full Control from the parent directory for child
files.)

If you need more, you must be more specific for us to try to
figure a solution.
Click to expand...
[/QUOTE]
 
You need to know what the installation is doing. If the installation
requires admin privileges you can:
- Give the users Modify permissions to where the installation takes place,
if this is practical/safe. For example, if the installation only installs
files in the installation directory in c:\program files, you can just give
rights there. But this is not going to work if the program wites to the
HKLM\Software registry, or the System Folder
- Or use Group Policy to Assign the software and install with elevated
privileges, if the software is optional
- Or use Group Policy to Publish the software to the computer
- Or use SMS.
If you want to automate installations in any way (i.e not have someone with
local admin privileges go and do it) my view is you need:
* A packager like Wise or WinInstall so you can see what the installation
does, and if necessary package it or customise it.
* Group Policy or SMS
Anthony



MittonE said:
what I mean by "install" is, its a small (5MB) file that they double click.
It then starts to install but gives a message that they need admin rights to
install the file.

The thing is just that it's not a problem to save the file, they save it on
the network where they have full permissions. They have to install the file
to its default location and that's where the problem is, full permissions
anywhere on the c drive.
Click to expand...
[/QUOTE]
 
Anthony Yates said:
You need to know what the installation is doing. If the installation
requires admin privileges you can:
- Give the users Modify permissions to where the installation takes place,
if this is practical/safe. For example, if the installation only installs
files in the installation directory in c:\program files, you can just give
rights there. But this is not going to work if the program wites to the
HKLM\Software registry, or the System Folder
- Or use Group Policy to Assign the software and install with elevated
privileges, if the software is optional
Click to expand...

While this is a good item to include in the list it is unlikely to
be practical for his request to "install something daily" -- doing
it with a GPO would require a new package definition daily and
would only work when the computer booted (probably.)
- Or use Group Policy to Publish the software to the computer
Click to expand...

Won't work if the user cannot install the software since Published
software is installed under the user's account (who selects it from
add-remove programs) and because of the daily package issue
indicated above.
- Or use SMS.
Click to expand...

Probably similar issues as those with the GPO packages.

Once "installed" such packages will not install again, unless
an update package is created (daily????).
If you want to automate installations in any way (i.e not have someone with
local admin privileges go and do it) my view is you need:
* A packager like Wise or WinInstall so you can see what the installation
does, and if necessary package it or customise it.
* Group Policy or SMS
Anthony
Click to expand...

The above is the best advice -- he must know what the "installatoin"
is doing and describe that to us if we are to find a (daily) solution.
 
MittonE said:
what I mean by "install" is, its a small (5MB) file that they double click.
It then starts to install but gives a message that they need admin rights to
install the file.

The thing is just that it's not a problem to save the file, they save it on
the network where they have full permissions. They have to install the file
to its default location and that's where the problem is, full permissions
anywhere on the c drive.
Click to expand...

You are going to have to describe precisely what "install" means
in this case.

Generally, it's going to be copying files to some location and
changing certain registry keys.

You might need one of the file and/or regwatch utilities (like
those freely available at http://www.sysinternals.com/ to
monitor the installation (while an admin does it) and give
you the details.

There are also such utilities in some of the Install packaging
programs.

Once you know the actual requirements you can either arrange
the privileges needed or decide they are unacceptable etc.

[/QUOTE][/QUOTE]
 
Back
Top