Just wanted to pick you guys' brains... We are just in the planning phases of upgrading to Win7 in a 10k node environment.

One huge change we will be making is FINALLY limiting local admin rights to only staff that need them. Currently we have some limited machines with non-admin accounts, but on most machines users still have local admin rights.

This brings up the question of dealing with apps that require admin rights to run (at various levels). While we know they will be pretty limited, with 1000 apps the issue is going to come up often enough to need a standard practice for dealing with them, either with SCCM or packaging.

What do you do in your environment with apps that require admin rights to run?



Situations that we know about:

App requires admin rights to launch/run.

Solution: Either change rights on the app directory, or create a shortcut that will launch as admin automatically (using Task Scheduler). Though concerns about security are there, most apps I do not worry about, but it is still a security threat to have folders in Program Files available for edits, etc.

App requires admin rights for first launch only.

Solution: Have SCCM launch the app after installation, though this poses a problem with apps that for some reason require admin rights to launch once per user (just saw this with Oracle Single Sign-on Manager). In this case we could allow the app to always open as admin using the above shortcut method, but this is an SSO app, and the concern that it will always have admin rights access (and all user passwords) is a pretty big concern.

Another solution would be to push the app via SCCM to every user... but then the packaging issue comes up that I HATE installing apps per user; I would much rather use per machine. Then there are the packaging hurdles of creating per-user shortcuts on a per-machine install....

Answers

In the software package you can specify to run with admin rights on the same page as where you choose whether to run only when user is logged on or whether or not they are logged on.

Other than that, give Authenticated Users rights to ONLY that folder on the C drive. We make all our staff and students Power Users, which stops them from installing software, and we haven't run into too many issues.
Answered 03/20/2012 by: cjgrasty
We tackled the "app needs local admin rights to run" situation by modifying the ACL with ICACLS.exe and giving local non-admin users permissions to the installation directory in our install.vbs file.
Answered 03/20/2012 by: CMJohnson
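
The ICACLS approach from the answers above, as an added example that is not part of any post in this thread: it grants Modify on one data subfolder instead of the whole installation directory, then lists any executable content under the install directory that low-privileged groups can still modify, which is the risk the question raises about editable folders in Program Files. The paths `C:\Program Files\ExampleApp` and its `Data` subfolder are hypothetical, and the script assumes the application only needs to write to that subfolder.

```powershell
# Added example, not from the thread. Both paths are hypothetical placeholders.
param(
    [string]$AppDir  = 'C:\Program Files\ExampleApp',       # install directory
    [string]$DataDir = 'C:\Program Files\ExampleApp\Data'   # only folder the app writes to (assumption)
)

# Grant Modify to BUILTIN\Users (well-known SID S-1-5-32-545) on the data folder only.
# (OI)(CI) lets the entry inherit to files and subfolders created later.
& icacls.exe $DataDir /grant '*S-1-5-32-545:(OI)(CI)M' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Audit: executable content that a non-admin group is allowed to change.
$lowPriv   = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'   # Users, Authenticated Users, Everyone
$exts      = '.exe', '.dll', '.bat', '.cmd', '.vbs', '.ps1', '.msi'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

$findings = Get-ChildItem -Path $AppDir -Recurse |
    Where-Object { -not $_.PSIsContainer -and $exts -contains $_.Extension } |
    ForEach-Object {
        $file  = $_
        $rules = (Get-Acl -LiteralPath $file.FullName).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $writable = ([int]$rule.FileSystemRights -band $writeMask) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $rule.IdentityReference.Value -and $writable) {
                New-Object PSObject -Property @{
                    Path      = $file.FullName
                    Sid       = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }

if ($findings) {
    Write-Warning 'Non-admin groups can modify executable content under the install directory:'
    $findings | Format-Table Path, Sid, Rights, Inherited -AutoSize
} else {
    Write-Output "No user-writable executables found under $AppDir."
}
```

An empty result means the grant stayed confined to data files; any row under the data folder means the application keeps code there, so the folder-level grant lets a standard user replace what other users of the machine will run.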
If the applications are Windows 7 compatible, then most of them do not require admin privileges to run, because whenever a Windows 7 compatible application needs to write any data, it will try to write to the %appdata% folder, which is user-specific and which the user has write access to. Also, there is the C:\Program Data folder, which is accessible to all users, and users have write access to it. Applications use this as well.
If you want to give permissions in your application, then I would suggest you go through this link:
http://msiworld.blogspot.com.au/2008/11/different-ways-of-giving-permissions-in.html
Answered 03/21/2012 by: piyushnasa