computer account and application management strategy

Discussion in 'Microsoft Windows 2000 Setup' started by ILiya, Jan 25, 2005.

  1. ILiya

    ILiya Guest

    As a best practice, it is often recommended to run a workstation as a regular
    user for security reasons.
    The problem I see, however, is with the application installation process. Most
    applications keep their settings in the registry, which can be grouped into
    per-computer and per-user settings. They are stored in HKCU and HKLM
    registry branches respectively.
    In order to install an application the setup program must be run with
    Administrator account privileges, probably using the runas command prompt
    utility to impersonate the user without having to completely log off.
    The setup program will write HKLM registry settings correctly; however, the
    user part, HKCU, will be screwed up because the registry has its own HKCU zone
    for each defined user, so when the setup program writes the current user
    registry settings, it will only see the Administrator HKCU and not the one I
    use when running the workstation. This will lead to odd application behavior
    or even cause the application to malfunction.

    For example, when I decided to add a new newsgroup server to Outlook
    Express, I forgot to run it as Administrator and performed the operation as a
    regular user (no warnings or low access messages were displayed). This
    resulted in all the newsgroup folders showing absolutely nothing
    despite the fact they were full of postings. I could only view the newsgroup
    folders in OE under the Administrator account.
    So, I had to runas Administrator the OE, configure all the settings, runas
    Administrator the regedit applet, export all the OE settings from HKCU and then
    manually import them as a user into my HKCU to reflect the OE configuration in
    my domain.

    So the reason I wrote this post is that I see neither runas nor logging in as
    Administrator to be a very good way to install applications. As far as I
    see, temporarily raising user privileges for the application installation
    period is the best installation approach. Maybe there is a utility like runas
    which can temporarily raise the privileges, leaving all the user associations
    alone.

    I'd like to see the other views and opinions on the subject.

    Thanks
     
    ILiya, Jan 25, 2005
    #1
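The per-user hive mismatch described in the post above can be inspected and corrected from the elevated session itself, because a logged-on user's hive is also mounted under HKEY_USERS\<SID>. This is an added example, not code from any poster in this thread; the account name and registry key are hypothetical placeholders, and PowerShell postdates the Windows 2000 systems under discussion.

```powershell
# Added example: run inside an elevated (runas Administrator) PowerShell session.
# Assumptions: $TargetAccount and $SubKey are hypothetical placeholders.
param(
    [string]$TargetAccount = 'EXAMPLEDOM\alice',
    [string]$SubKey        = 'Software\ExampleVendor\ExampleApp'
)

# HKCU is resolved from the SID of the process token, not from the desktop owner.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Output "Process identity : $($me.Name) ($($me.User.Value))"

# Resolve the SID of the account that will actually run the application.
$account   = New-Object System.Security.Principal.NTAccount($TargetAccount)
$targetSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
Write-Output "Target user SID  : $targetSid"

if ($me.User.Value -eq $targetSid) {
    Write-Output 'HKCU already is the target hive; nothing to copy.'
    return
}

# The target hive is only mounted while that user is logged on.
if (-not (Test-Path "Registry::HKEY_USERS\$targetSid")) {
    throw "Hive for $TargetAccount is not loaded; nothing was changed."
}

# Settings the installer wrote landed in the elevated account's HKCU.
if (-not (Test-Path "Registry::HKEY_CURRENT_USER\$SubKey")) {
    throw "HKCU\$SubKey does not exist for $($me.Name); nothing to copy."
}

# Copy the subtree into the everyday user's hive (/s = subkeys, /f = no prompt).
& reg.exe copy "HKCU\$SubKey" "HKU\$targetSid\$SubKey" /s /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg copy failed with exit code $LASTEXITCODE"
}

# Show what the everyday user will now see under the same relative key.
Get-ChildItem "Registry::HKEY_USERS\$targetSid\$SubKey" -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
```

Copy only the application's own key rather than broad parts of the hive, since anything copied from the elevated account's HKCU becomes writable by the unprivileged user.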

  2. I have found most Windows Certified programs work around this problem. If
    you intend to run all programs as users but install applications as
    administrator, you can run the same install again after it is already installed
    as administrator. This way it will see that the program is already installed
    by administrator and it will make the necessary registry changes for the user
    that is trying to install the application now. I have done this a couple of
    times and it works. It may not work all the time with all the applications
    but I believe most Windows-aware applications should be able to do what I
    described.

    Another way (if the question relates to a large userbase and you are an
    admin) is to use GPO and publish the application. That way the application
    will be available in Add/Remove Programs and users can install the
    applications that they need without administrator intervention.

    Hope this helps.

    Thanks,
    Bhargav
     
    Bhargav Shukla, Jan 25, 2005
    #2

  3. ILiya

    ILiya Guest

    Thank you for your kind feedback Shukla,
    Would you please shed some more light on the GPO issue. I'm interested.
     
    ILiya, Jan 26, 2005
    #3
  4. There are two ways you can use GPOs. You can assign software or you can
    publish the software. You can assign/publish it to a computer or you can
    assign/publish it to a user. Assign software when you want it installed on
    every machine or for every user in scope of the GPO. Publish software when you
    want it available to computers/users in scope of the GPO but not installed
    until needed.

    When you use GPO to roll out software (I'm assuming you are in an Active
    Directory environment; GPO is not for a workgroup environment) it can do many
    things along with software deployment. What you want to use GPO for is up to
    each administrator's requirements (or those of the company, to meet its
    goals).

    It would be too much to post on how to use GPO and how to assign/publish
    software here. I would post some useful links. Hope that helps.

    http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx
    (the link is from Windows 2003 but it can be used as general guidelines).

    Thanks,
    Bhargav
     
    Bhargav Shukla, Jan 26, 2005
    #4