Gorup Policy Help Needed.

[ray]

Hi,

All of our machines have Bloomberg software installed and
they have automatic updates that need to be installed but
we do not want to give our users local admin or domain
admin rights. How could we use the Group Policy setup to
allow users permissions to the registry but only for that
and nothing else.

Any help would be appreciated.

Cheers

Ray

 

[Cary Shultz [A.D. MVP]]

Here is a rather tedious and involved way to do this.

Go to http://www.sysinternals.com and grab both regmon and sysmon. Then, go
to one of the workstations on install both of them.

Now, log on as the regular user account object and attempt to install the
updates to your Bloomberg software. It will fail, naturally. You would
then need to look at the output of regmon and sysmon to see where it failed
( it will give you the registry keys ). You could then possibly use GPO to
change the permissions to those specific registry keys.

BTW - the process as written here is probably not the exact process. It has
been a bit since I have used the sysinternals tools ( great tools, by the
way ). Hopefully you get the jist.

HTH,

Cary

 

[Ray]

Hi Cary,

Is there a better way of doing this rather than giving
each user admin rights.

Thanks

Ray

 

[Cary Shultz [A.D. MVP]]

Ray,

Other than logging on to each computer as the local Admin or with an Account
that is a member of the local Admins group, not that I can think. I suppose
that the updates are in a simply .exe file extension. Meaning, that they
are not in an .msi file extension. You could possibly use a workstation to
create an .msi file ( possibly with making use of the WinInstall Lite
software that is located on the WIN2000 Server CD ) and then use Group
Policy to deploy this - if it will work for updates?

You could use a Restricted Group GPO to temporarily make the 'Domain Users'
a member of the local Administrators group ( and please do not forget to
also make the Domain Admins group as, by default, using this GPO will flush
all of the user account objects and group account objects from your targeted
group - in this case the local Administrators account ). But this is not
always a good idea. Once this update has been installed by everyone you
would have to remove that GPO and replace it with another ( in this simply
making the Domain Admins group a member of the local Administrators
group.... ).

Have you tried this with a user that is a member of the Power Users group?
You can install some software when you are a member of this local Group.
With -some- being the key word.

Naturally there is cloning ( such as Ghost or RipPREP ) but that is not
really an option that you will want to pursue in this case....

There is a lot of software out there that has the requirement for the user
account object being used for the installation to have local Administrator
rights. I really wish that the people who write software would stop doing
that! Now, I am no software developer so I am not sure how realistic this
wish is. So, please do not flame me for this thought.

HTH,

Cary