about users without admin rights installing programs?
Posted by admin on Apr 24th, 2007
We have over 100,000 employees and for the most part we have had to give them all local admin rights on their computers so that they could install their own software and run programs that traditionally needed admin rights for updates as well. What i am wondering is if we could now get around this with the new implementation of the UAC in Vista?
Apr 26th, 2007 at 02:45 am
Are you sure about that? Don't you have some kind of rolebased access control through Active Directory or something, where you can control things more precisely? You just let everyone download anything and everything they want in an organization that large? Seems like it would be an administrative nightmare. I mean, it’s none of my beeswax. I've just never heard of such a thing.Anyway, you wouldn't have to give them admin rights just to let them install programs. Go into Local Security Policy and set the option to prompt for elevation on program installs to Disabled. (It's enabled by default). Standard users can then install programs without elevation prompts or administrative passwords.You have to log into an administrative account first. Standard users can't elevate to get there. Once you're in an admin account click Start, type sec and click Local Security Policy. "Bill Bray" <Bill Bray@discussions.microsoft.com>
Apr 30th, 2007 at 12:41 pm
You' may be kiddin' me. And if not, no offense. But I can't wait to tell the network and security admins at LockheedMartin about this. They'll have nightmares about it for weeks heh heh. "Bill Bray" <Bill Bray@discussions.microsoft.com>
May 2nd, 2007 at 11:10 pm
After setting "User Account Control: Detect application installations and prompt for elevation." to Disabled in Local Security Policy, I was able to install from a local folder, a CD, and a couplr (but not all) Web sites from my standard user account without being prompted for admin password.I still got prompted for elevation when trying to download and install Opera and QuickTime. Not sure why. Could be an Internet Explorer thing. Not sure.Also while in my Standard account a typed up a doc in Word 2007. During save I navigated the C:\ root, created a folder there, and saved to that folder. No problem, not prompts for elevation.Hope that helps. Obviously you'll have to look into it some more. But it's a start. "Bill Bray"
May 3rd, 2007 at 02:34 pm
BillThe best practices recommendation for that many users would be to have them all use Standard User accounts. If they try to install a program, or any other process that needs administrative rights, they will be prompted to enter the name of an administrative account and password to continue. They should not be using an administrative account for day to day work.I'm assuming that these 100,000 users don't have carte blanche to install any software that they wish to, without some in place procedure to obtain permission from a network IT manager. Ronnie Vernon Microsoft MVP Windows Shell/User "Bill Bray" <Bill Bray@discussions.microsoft.com>
May 7th, 2007 at 03:12 am
Unfortunately I am sure about that. I am one of the Global admins. I'd tell you the company name but I'm not sure that would be a wise move on my part. Let me just say that we are one of the top 3 in the Oil and Gas industry worldwide. Problem is that our 100,000's of field workers spend 3/4 of their time out of our reach in very remote locations. We tried with Power User accounts in the past and it was a nightmare. They have to be able to install programs in the field when they fail and some of our in house software requires write permission to the root drive. As you have already guessed this is an administrative nightmare, but field users need this flexability or each of them potentially can lose hundreds of thousands of dollars a day if they are down. So they need install rights as well as being able to write to a folder in the root? Are you sure that standard users can still do this with disabling the prompt for installs for a standard user? This is something of what we are after with Vista? Problem is I only have 4 months before the rollout to get this sorted out or things will remain as they are. Thanks:)"Puppy Breath" wrote:
May 9th, 2007 at 05:53 pm
Unfortunately the way things are they do have carte blanche and I'm sure you know well why we need this to change. The reason it's this way I described in my reply to the other fellow. Our field users are often in remote locations and we only see them maybe once a month. They have to be able to install software in the field in the event of a software unrecoverable failure and for our in house apps which write to the root of the drive? These guys work jobs daily that are worth 100's of thousands of dollars and up. They can't be blocked from making software changes or we would lose a rediculous amount of money. One caveat there would be that these guys are great with an oil well....but terrible as far as computer skills go. It's a real problem for us and we were hoping our Vista release in a few months might help change this old problem finally?"Ronnie Vernon MVP" wrote:
May 11th, 2007 at 01:51 am
I haven't actually tried it in the RTM release, but I'm reasonably sure. Do you have a copy of Vista there so you can test for yourself? Check on that root folder access too.I'll test both when I can get to it. But there are plenty of people here who either already know for sure, or can try it out.The remote locations explains a lot. But I won't mention that to the Lockheed guys. These guys have to worry about government Secret, Top Secret, and higher sensitivity labels, and as such are duly paranoid about every bit that flows across the network. So you can imagine how the thought of 100,000 users with admin rights would give them nightmares ;) "Bill Bray"
May 13th, 2007 at 08:58 am
Yes, we have some very strong group policies in place to be sure. Just not with regard to installing software. Our SMS servers keep track of all users software and the desktop team removes that which we don't want, but they are still able to install their own software and of course they do. It is a nightmare but so far we have been unable to get around this. Allot of it has to do with our own in house software and the way it is designed. Users need to have admin rights because it alters system folders. I will test this out on Monday to see how it works out. Thank you for your time:)"Puppy Breath" wrote:
May 17th, 2007 at 08:53 pm
Tough situation!The only way I can see to make this work and still retain at least some of the security that Vista provides would be to teach these users how to temporarily override the User Account Control when there are no other options.However, if they have been using a previous version of Windows and still maintaining security, I don't know of a reason why they can't just use an elevated administrator account to work with.You mentioned some in house apps. Are these apps located on the corporate network or are they connected to the corporate network when they are using their systems? Ronnie Vernon Microsoft MVP Windows Shell/User "Bill Bray"
May 23rd, 2007 at 04:21 am
Yes I do. I've been using Vista for about 6 months now. I hated it for the first few days but now I'm sold and I wouldn't go back to XP. I would try it now but I need to set up a standard user test account. Obviously it would not work with my account being a global admin and I don't want to install all the crap in house software I need to test on my pristing machine:) I will post my findings on monday as well. Your advice sounds like a very good place to start. As for the admin rights they are only local admins so the damage they can do is at least minimized. Our group policies keep them away from any sensitive data although I know it is still a potential security problem. I hear you about the nightmare. You're absolutely right. Cheers, Bill"Puppy Breath" wrote:
May 25th, 2007 at 03:21 pm
It is tough. It would be nice to teach these guys but that would be an even worse nightmare I think. These guys for the most part are roughnecks to the core. They know their jobs inside and out but learning something new is just not something they will be happy with. Most would just skip that and call desktop when they hit a snag. Old dog and new tricks kind of thing... Just out of curiosity what did you have in mind with regards to over riding the UAC. We do have some global accounts set up on each machine for this option with local admin rights already?We are somewhat used to having them use local admin rights but as you guys already pointed out they install all kinds of garbage and about 60% of our help desk calls are the result of users making system changes that they should not have made or instaled software we don't support. It would be nice to not allow them install software that they require and not that which they use for personal reasons.The in house apps connect to the corporate network via satellite links. Problem is that we can't block all the other sites on the net that users try to access. Many we do, but you can't get them all. The updates for our in house apps install to system folders and without admin rights they have traditionally not been able to complete this. Cheers, Bill "Ronnie Vernon MVP" wrote:
May 27th, 2007 at 08:52 pm
Yes that does help allot. Thanks a bunch! I will post the results I get and I will try and find why our internal apps require admin rights as well. Seems it's the same sort of thing as the quick time thing you mentioned but we'll see. Thanks again:) Bill"Puppy Breath" wrote:
Jun 1st, 2007 at 02:03 am
Bill<Just out of curiosity what did you have in mind with regards to over riding the <UAC. We do have some global accounts set up on each machine for this option <with local admin rights already?Well, you can temporarily override UAC by elevating the current, logged on administrator to full privileges. This will last until the next logoff/logon or reboot. Here's how.You can use the following procedure to temporarily disable UAC. (User Account Control)Warning: using this procedure will make the system more vulnerable.1. Right click the Taskbar and select Task Manager from the menu. 2. Click the "Show Processes from All Users" button at the bottom of the window. This will put the Task Manager in Elevated Mode. 3. Locate the "Explorer.exe" process. Right click this process and select "End Process" from the menu. This will kill the Shell. 4. In the Task Manager, select File / New Task. Type Explorer.exe and click OK. (Notice the "This task will be created with Administrative privileges" message) This will restart the shell.Everything you do in this mode will run with the elevated administrator privileges.When you are finished, simply log off and log back on with your normal account or reboot.Another way is to enable the builtin administrator account. (This account is disabled by default) Again this is not recommended.Go to Start and type cmd right click cmd.exe and select Run as Administrator.Type the following command.net user administrator /active:yes (Note the spaces and colon)Press Enter.This command will enable the builtin administrator account on the Welcome screen when the pc is rebooted. Ronnie Vernon Microsoft MVP Windows Shell/User "Bill Bray"