All of our domain users have admin rights on every machine (excluding servers) in our organization.

Recently we've started batting around the idea of removing that access but then we have a situation pop up.

A new program installs itself the first time a user opens a document through it.

If we had the install files we'd be able to script it or automate it somehow, but in this case it comes through the internet on a case by case basis.

Without all users having admin rights, and without the domain admins having to sign on to every machine for this install to occur, how do you folks handle situations like this?


On our 2nd net we use the following strategy:
There is a bunch of mandatory software which every user needs.

This is installed by default via MI.

For all the other software we use the software library.
If a user needs additional software we create a MI/FS for that.

You can also create a software item to make the user admin temporarily if he really needs this one time.
But _NEVER_EVER_ give everyone admin rights even to their own PC forever!

Answered 08/21/2013 by: Nico_K
Red Belt

  • I guess the roadblock for me is finding all the switches and things we would need for our programs to be able to be installed automatically. We have a lot of programs that have no entries on ITninja sadly.

    So if a person doesn't have admin rights to their machine wouldn't that stop the software library from being able to install things under their login?

We utilize the user portal. I'm fortunate enough where the users have to request software if it's not already packaged. We package it, add a new item in the user portal, and restrict by user label/machine label.

With SSO coming in 5.5 this process for the users should be even easier. They will not need to login a 2nd time.

Answered 08/20/2013 by: dugullett
Red Belt

  • I'm assuming by "package" you mean script it or automate it right? Or do you actually use an honest to goodness packaging program? We have enough problems with our 400 users, I can't imagine what it would be like with as many as you have.
    • Yes automate it whether it's msi or cmd file. It's not as bad as it sounds. Job security.

      We do have those one offs where a certain department will buy some random printer (even though we're supposed to have standards). For those I just upload the exe to Kace, and let the users walk through the setup. No point in packaging items like that. Since we're a university we have about 28,000+ users in our Kbox. The process hasn't failed yet.
      • Oh you're a school? I didn't notice that in your profile. I just assumed you were a business of some kind.
      • Hospital/University. We currently have 227 items in our software library. We don't really push software unless it's going to 1000+ machines.

        For the most part we have some random medical app that goes on 20ish machines. We script it, and make it available to that user group (LDAP label). That way on the user end they only see what they need to see, and not a lot of clutter.
  • Cool. Thanks for all the help and info.
    • One more thing. If you do start going this route you may want to vote on this. We're currently using an exe created with AutoIT that lets users know when an install is finished. This would help though.

  • If I could bend your ear for a few more minutes...We always seem to have different results across our systems. For instance if we're installing something on all 400 machines, 30 of them won't do it.
    Then the next time it'll be a different 30. It's not always 30 I'm just using that for an example.

    Do you have to create multiple packages for different system models/scenarios?
    • Are you talking about software pushes (MIs)? So you're pushing multiple MIs and some machines get it on one check in, but will not get the other set until next check in?
  • Some don't get it at all. They check in just fine but they never actually run the install.
    I wish I had a better example for you but right now we're not trying to figure any mass installs out.
    I don't use managed installs very often, usually scripting is where I spend my time.
    • I usually use MIs for software pushes. I save scripts for those little changes, and apps that need to be run as a specific user. I guess it would depend on your verify, success, and remediation steps.

      If you are using "offline scripts" for pushing software, from what I heard it's not actually recommended. I was in a class last year at the conference where that was being discussed.
  • You were at the Konference? So was I.
    • Yeah that advanced topics class they had was good. Lots of good info. Are you using offline scripts as installs? From what they said in that class Kace uses what's called Konductor tasks. Using Online scripts utilizes these Konductor tasks which basically "conduct" the tasks in the Kbox. Offline tasks do not, and if they have dependencies there's no conducting when the software gets copied down and run.

      I would do your next install as a MI. See if that changes things.
  • Yes I usually try offline first then switch to online if that doesn't work. Will do. Thanks again.
    • Found a link that should explain the Konductor a little more. pg 7

  • With 227 items in your software library are you running into storage issues? We have a physical Kbox 1000 and we are using about 88% of the storage between patches, installs, and scripts. Are people running the VM or physical box? We only have 886 clients, mostly Macs running 10.6-10.8 and Windows 7 64-bit.
    • No storage issues at all. We're using patching as well. We have a physical box with 428 GB still available. We're not using the service desk piece, but I can't imagine that would take up that much more room. We have about 20,000 clients with a mix of PC, Mac, and Linux.

      Are you downloading all patches, or just your patch labels? I know that made a huge difference for me when I changed that.
  • My main drive is 217gb and I have 22gb free. I have 6.2k patches of which 1.7k is active. The rest are disabled or inactive. Under patch subscription I have the first four checkboxes checked; e.g. Security, application, non-security, and application. I also have a label for just critical patches.

    Curious about the hard drive: is 217gb normal?
    • I can't answer that one. Mine is 530gb.

      Under patch subscription settings, under "Download Patches from labels" I have all of my labels selected. This way I'm only downloading what I need. My space used for my patches is 23.58 GB.
      • So for the patches are you saying you don't check off the first four checkboxes and just use labels instead?
      • We purchased our unit 4.2011. Not sure if when we purchased it makes a difference in regards to hard drives used.
      • I believe ours was purchased in early 2010 so it's very possible the hard drive size is based on time.
    • My hard drive appears to be about that size as well. I have 28000 patches and only using 8 gigs for them. Our box doesn't seem to have any space issues right now.
      • Ok perhaps we are doing something wrong when it comes to patching and labels. Can you describe what you are doing?
      • Honestly everything I know about patching I learned from Ron Colson who works at KACE. Fantastic guy who is very open to talking to anyone who will listen. ron_colson@kace.com is his email.
  • Under patch download options I have it set to all subscribed patches and to delete unused patches after 2 days
    • I posted a pic of my setup. Take a look and let me know if you have questions.
  • AFCUjstrick, thank you so much for the kind words. Jbr32, I'm here and willing to answer any questions you've got, especially about Patching (my favorite subject). First question from me: Are you upgraded to 5.4 SP1 (server AND agent)? Second question: Have you ever heard of KKEs (www.kace.com/kke)?

    I've recently done a KKE series called Patching Week. I recommend you look them up and watch them. Should tell you everything you need to learn the basics. r2

    Ron Colson
    KACE Koach
  • Ron - thanks for the offer! Yes I am running 5.4 SP1 (server and agent) and have heard of KKEs. I am going to watch the series on patching week to see if we can re-tune our patching. If I run into issues I will certainly reach out to you. Thanks again!

Do some research on Standard Operating Environments (SOE). I'm managing about 500 desktops and laptops. When I came to the company there wasn't any great deal of control around the desktop environment which meant we had 30-50% success rate in deploying applications.

You really need to get to the point that you have a consistent and predictable environment so that the production deployment occurs the same way that you test it.

We restricted admin access to the smallest number of people and used Microsoft System Center Configuration Manager to do managed unattended deployments of both Windows and applications. I can now do deployments with 99%+ success rates.

Most applications have either command line switches to install the application or are MSI packages so they are usually pretty easy to deploy; now and then I have to turn to Powershell.

It takes some effort to convince people to change from having admin access and doing their own thing but the result is you can deploy applications faster and more consistently than you probably are now.

Answered 08/20/2013 by: keyrage
White Belt
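
An added example, not code from this thread or from any poster: before restricting admin access as described in the answer above, one way to see which workstations still grant it to broad groups is to list the local Administrators group and flag well-known "everyone" principals. The function name `Get-BroadLocalAdmin` and the choice of which principals count as broad are assumptions made for this example.

```powershell
# Added example (hypothetical helper): report members of the local Administrators
# group and flag principals that effectively make every user an admin.
# Run elevated on the workstation, or as SYSTEM through your management agent.

# Well-known SIDs treated as "broad" here (an assumption; adjust to your policy).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Domain-relative groups are identified by the last component (RID) of the SID.
$BroadRids = @{ '513' = 'Domain Users'; '515' = 'Domain Computers' }

function Get-BroadLocalAdmin {
    # S-1-5-32-544 is BUILTIN\Administrators regardless of the OS display language.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # Enumeration can fail, for example when the group holds an orphaned SID.
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        $sid    = $m.SID.Value
        $reason = $null
        if ($BroadSids.ContainsKey($sid)) {
            $reason = $BroadSids[$sid]
        } elseif ($sid -match '^S-1-5-21-(\d+-){3}(\d+)$' -and $BroadRids.ContainsKey($Matches[2])) {
            $reason = $BroadRids[$Matches[2]]
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Sid      = $sid
            Class    = $m.ObjectClass
            Broad    = [bool]$reason
            Reason   = $reason
        }
    }
}

# Broad entries first, so they stand out when the output is collected centrally.
Get-BroadLocalAdmin | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Collected across all machines, the rows with `Broad` set to `True` show where removing the group membership will change what users can do.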


Sorry about the new answer. I think it's easier to just post a pic. I'm doing software installers as well. Be careful when doing this.

Answered 08/21/2013 by: dugullett
Red Belt


"Everybody's an admin" is always a nightmare. Sure it speeds up users installing on demand, but like any other place I have ever worked that has done the same, it actually creates more support calls and requires more time to discover issues. Like, "Why is this app missing a DLL or repairing every time it's run? Oh, you're running a Gaming Server from your pc, that explains it." Not to mention, if you ever get audited by a software vendor because you have 30 unlicensed copies of Acrobat...

I would say that even if you are only able to run the Vendor's install with Unattended commandline parameters, and distribute via AD, you would have a lot more control. Plus if they were advertised MSIs, the file association could trigger an install because they tried to run a certain file type. The fun part will be when you take the rights away... That is when you discover what kinda crap your users had on their pcs. (Post updates when you do, I'm sure you will have some entertaining stories.)

Answered 08/20/2013 by: ekgcorp
Tenth Degree Black Belt
