As a best practice, it is often recommended to run workstation as a regular
user for security reasons.
The problem I see is however with application installation process. Most of
applications keep their settings in the registry, which can be grouped into
per-computer and per-user settings. They are stored in HKCU and HKLM
registry branches respectively.
In order to install an application the setup program must be run with
Administrator account privileges, probably using runas command prompt
utility to impersonate the user without having to completely log-off.
The setup program will write HKLM registry settings correctly however the
user part HKCU will be screwed up because registry has its own HKCU zone for
each defined user, so when the setup program will write the current user
registry settings, it will only see Administrator HKCU and not the one I use
when running workstation. This will lead to an odd application behavior or
even cause application malfunctioning.

For example, when I decided to add a new newsgroup server to Outlook
Express, I forgot to run it as Administrator and made the operation as a
regular user (no warnings or low access messages were displayed), this
resulted to all the newsgroups folders were showing absolutely nothing
despite the fact they were full of postings. I could only view the newsgroup
folders in OE under Administrator account.
So, I had to runas Administrator the OE, configure all the settings, runas
Administrator regedit applet, export all the OE settings from HKCU and then,
manually import them as a user into my HKCU to reflect OE configuration in
my domain.

So the reason I wrote this post is I see neither runas nor logging in as
Administrator to be not a very good way to install applications. As far as I
see temporary for application installation period raising user privileges
to be the best installation approach. Maybe there is the uility like runas
which can temporary raise the privileges living all the user associations
alone.

I'd like to see the other views and opinions on the subject.

Thanks

I have found most Windows Certified programs work around this problems. If
you intend to run all programs as users but install applications as
administrator, you can run same install again after it is already installed
as administrator. This way it will see that the program is already installed
by administrator and it will make necessary registry changes for the user
that is trying to install the application now. I have done this couple of
times and it works. It may not work all the time with all the applications
but I believe most Windows aware applications should be able to do what I
described.

Another way (if the question relates to larges userbase and you are an
admin) is to use GPO and publish the application. That way the application
will be available in add/remove programs and users can install the
applications that they need without administrator intervention.

Hope this helps.

Thanks,
Bhargav




"ILiya" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> As a best practice, it is often recommended to run workstation as a
> regular
> user for security reasons.
> The problem I see is however with application installation process. Most
> of
> applications keep their settings in the registry, which can be grouped
> into
> per-computer and per-user settings. They are stored in HKCU and HKLM
> registry branches respectively.
> In order to install an application the setup program must be run with
> Administrator account privileges, probably using runas command prompt
> utility to impersonate the user without having to completely log-off.
> The setup program will write HKLM registry settings correctly however the
> user part HKCU will be screwed up because registry has its own HKCU zone
> for
> each defined user, so when the setup program will write the current user
> registry settings, it will only see Administrator HKCU and not the one I
> use
> when running workstation. This will lead to an odd application behavior or
> even cause application malfunctioning.
>
> For example, when I decided to add a new newsgroup server to Outlook
> Express, I forgot to run it as Administrator and made the operation as a
> regular user (no warnings or low access messages were displayed), this
> resulted to all the newsgroups folders were showing absolutely nothing
> despite the fact they were full of postings. I could only view the
> newsgroup
> folders in OE under Administrator account.
> So, I had to runas Administrator the OE, configure all the settings, runas
> Administrator regedit applet, export all the OE settings from HKCU and
> then,
> manually import them as a user into my HKCU to reflect OE configuration in
> my domain.
>
> So the reason I wrote this post is I see neither runas nor logging in as
> Administrator to be not a very good way to install applications. As far as
> I
> see temporary for application installation period raising user privileges
> to be the best installation approach. Maybe there is the uility like runas
> which can temporary raise the privileges living all the user associations
> alone.
>
> I'd like to see the other views and opinions on the subject.
>
> Thanks
>
>

Thank you for you kind feedback Shukla,
Would you please shed some more light on the GPO issue. I'm interested.

"Bhargav Shukla" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have found most Windows Certified programs work around this problems. If
> you intend to run all programs as users but install applications as
> administrator, you can run same install again after it is already
installed
> as administrator. This way it will see that the program is already
installed
> by administrator and it will make necessary registry changes for the user
> that is trying to install the application now. I have done this couple of
> times and it works. It may not work all the time with all the applications
> but I believe most Windows aware applications should be able to do what I
> described.
>
> Another way (if the question relates to larges userbase and you are an
> admin) is to use GPO and publish the application. That way the application
> will be available in add/remove programs and users can install the
> applications that they need without administrator intervention.
>
> Hope this helps.
>
> Thanks,
> Bhargav
>
>
>
>
> "ILiya" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > As a best practice, it is often recommended to run workstation as a
> > regular
> > user for security reasons.
> > The problem I see is however with application installation process. Most
> > of
> > applications keep their settings in the registry, which can be grouped
> > into
> > per-computer and per-user settings. They are stored in HKCU and HKLM
> > registry branches respectively.
> > In order to install an application the setup program must be run with
> > Administrator account privileges, probably using runas command prompt
> > utility to impersonate the user without having to completely log-off.
> > The setup program will write HKLM registry settings correctly however
the
> > user part HKCU will be screwed up because registry has its own HKCU zone
> > for
> > each defined user, so when the setup program will write the current user
> > registry settings, it will only see Administrator HKCU and not the one I
> > use
> > when running workstation. This will lead to an odd application behavior
or
> > even cause application malfunctioning.
> >
> > For example, when I decided to add a new newsgroup server to Outlook
> > Express, I forgot to run it as Administrator and made the operation as a
> > regular user (no warnings or low access messages were displayed), this
> > resulted to all the newsgroups folders were showing absolutely nothing
> > despite the fact they were full of postings. I could only view the
> > newsgroup
> > folders in OE under Administrator account.
> > So, I had to runas Administrator the OE, configure all the settings,
runas
> > Administrator regedit applet, export all the OE settings from HKCU and
> > then,
> > manually import them as a user into my HKCU to reflect OE configuration
in
> > my domain.
> >
> > So the reason I wrote this post is I see neither runas nor logging in as
> > Administrator to be not a very good way to install applications. As far
as
> > I
> > see temporary for application installation period raising user
privileges
> > to be the best installation approach. Maybe there is the uility like
runas
> > which can temporary raise the privileges living all the user
associations
> > alone.
> >
> > I'd like to see the other views and opinions on the subject.
> >
> > Thanks
> >
> >
>
>

There are two ways you can use GPO's. You can assign software or you can
publish the software. You can assign/publish it to computer or you can
assign/publish it to user. Assign software when you want it installed on
every machine or to every user in scope of GPO. Publish software when you
want it available to computers/users in scope of GPO but not install it
until needed.

When you use GPO to roll out software (I'm assuming you are an Active
Directory environment, GPO is not for workgroup environment) it can do many
things alongwith software deployment. What you want to use GPO for is upto
each administrator's requirements (or that of company's to meet their
goals).

It would be too much to post on how to use GPO and how to assign/publish
software here. I would post some useful links. Hope that helps.

http://www.microsoft.com/windowsserv...y/default.mspx
(the link is from Windows 2003 but it can be used as general guidelines).

Thanks,
Bhargav



"ILiya" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thank you for you kind feedback Shukla,
> Would you please shed some more light on the GPO issue. I'm interested.
>
> "Bhargav Shukla" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I have found most Windows Certified programs work around this problems.
>> If
>> you intend to run all programs as users but install applications as
>> administrator, you can run same install again after it is already
> installed
>> as administrator. This way it will see that the program is already
> installed
>> by administrator and it will make necessary registry changes for the user
>> that is trying to install the application now. I have done this couple of
>> times and it works. It may not work all the time with all the
>> applications
>> but I believe most Windows aware applications should be able to do what I
>> described.
>>
>> Another way (if the question relates to larges userbase and you are an
>> admin) is to use GPO and publish the application. That way the
>> application
>> will be available in add/remove programs and users can install the
>> applications that they need without administrator intervention.
>>
>> Hope this helps.
>>
>> Thanks,
>> Bhargav
>>
>>
>>
>>
>> "ILiya" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > As a best practice, it is often recommended to run workstation as a
>> > regular
>> > user for security reasons.
>> > The problem I see is however with application installation process.
>> > Most
>> > of
>> > applications keep their settings in the registry, which can be grouped
>> > into
>> > per-computer and per-user settings. They are stored in HKCU and HKLM
>> > registry branches respectively.
>> > In order to install an application the setup program must be run with
>> > Administrator account privileges, probably using runas command prompt
>> > utility to impersonate the user without having to completely log-off.
>> > The setup program will write HKLM registry settings correctly however
> the
>> > user part HKCU will be screwed up because registry has its own HKCU
>> > zone
>> > for
>> > each defined user, so when the setup program will write the current
>> > user
>> > registry settings, it will only see Administrator HKCU and not the one
>> > I
>> > use
>> > when running workstation. This will lead to an odd application behavior
> or
>> > even cause application malfunctioning.
>> >
>> > For example, when I decided to add a new newsgroup server to Outlook
>> > Express, I forgot to run it as Administrator and made the operation as
>> > a
>> > regular user (no warnings or low access messages were displayed), this
>> > resulted to all the newsgroups folders were showing absolutely nothing
>> > despite the fact they were full of postings. I could only view the
>> > newsgroup
>> > folders in OE under Administrator account.
>> > So, I had to runas Administrator the OE, configure all the settings,
> runas
>> > Administrator regedit applet, export all the OE settings from HKCU and
>> > then,
>> > manually import them as a user into my HKCU to reflect OE configuration
> in
>> > my domain.
>> >
>> > So the reason I wrote this post is I see neither runas nor logging in
>> > as
>> > Administrator to be not a very good way to install applications. As far
> as
>> > I
>> > see temporary for application installation period raising user
> privileges
>> > to be the best installation approach. Maybe there is the uility like
> runas
>> > which can temporary raise the privileges living all the user
> associations
>> > alone.
>> >
>> > I'd like to see the other views and opinions on the subject.
>> >
>> > Thanks
>> >
>> >
>>
>>
>
>