Most small businesses provide their PC users with full administrative rights to their individual workstations. Like most things, this ends up being a blessing and a curse at the same time. With administrative rights, users can take care of more tasks on their own, such as installing software.
The downside is that they can also install games, utilities, or other software that might be harmful. Admin rights also allow users to make changes to their machine setup that you may not wish to allow. There are plenty of articles that discuss the pros and cons of giving users administrative rights to their own machines, so I won’t get into detail on that issue here.
It’s worth noting that Microsoft’s default setting is to _not_ provide users with administrative rights to their machines. I have learned that many of Microsoft’s default settings are very well thought out, and while it is often necessary to change default settings, I usually learn the hard way later on that there was a good reason for the default value.
Denying users full administrative rights to their PC
If you work for a larger company, there is a good chance that the typical user does not have full administrative rights to their PC. A lot of extra work goes into the planning and careful organization that is required to deny users admin access to their systems. Denying users admin access to their machines is easy enough, but if you aren’t careful you might end up creating a lot of extra work for yourself by locking down your machines. If users can’t install a program they need to do their job, they are going to call you for “help” more often.
To compound the problem, installing software for a user can be a hassle, especially since you will normally need to log in to the user’s station with a user-id that is different from the user’s to install the software on his system. I presume that you probably don’t know all the passwords for the user accounts on your system. We all know that installing software on a station with a user-id different from that of the person who plans to actually use the software can cause unexpected twists.
I could go back and forth with the pros and cons on this for a while. Generally I think denying admin rights to your typical workstation users is a good idea if your company has the IT staffing available to implement the idea correctly. If you work for a small to medium sized office, your firm probably doesn’t have the staffing required to deny admin access to your users, at least not without creating a lot of disruption for your users.
Most of our clients are small to medium sized businesses. I have been looking for a sensible way to better secure workstations for our clients for a while. Sort of a “middle of the road” approach. I recently came across a utility that helps provide a half-way solution that many sys-admins might find helpful. Think of smaller and medium sized companies that may not have a carefully pre-planned workstation configuration or the time to cook-up “transform files” for MS-Word and other similar items.
Here’s the idea…
- A user without admin access to their own machine calls you to report that he cannot install a piece of software. You tell the user that the systems are set up that way on purpose. The next question is what the user would like to install. Is it an authorized type of software? If it is not an authorized program, then the sysadmin can refuse to install the program - end of the issue.
If the program is an authorized type of software, you can then launch the install for the user using a great utility called PSExec from sysinternals.com. PSExec makes this possible by allowing a remote person to launch software on a remote workstation. This isn’t exactly a new idea; Unix systems have supported the same type of functionality for many years.
PSExec allows the sysadmin to launch a software install using his higher level privileges. The sysadmin need only launch the installation program - from there the user can continue the process from their own screen. I like the approach of launching an install then turning it over to the user. Starting an installation remotely can often save the sysadmin a physical visit to the workstation just to install a routine piece of software.
- If you approve of what the user wants to install - use Sysinternals psexec to launch the install process for the user
psexec -i \\targetsystem "\\targetsystem\c$\documents and settings\username\desktop\setup.exe"
- You didn’t have to get up out of your chair
- The user was able to perform the time consuming part of the installation on their own - all you did was launch the install - without taking over the user’s desktop (no significant disruption to the user)
- The program was installed into the user’s profile without requiring you to reset their password
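
One way to handle the approval step above before handing PsExec an installer that sits in a user-writable folder. This is an added PowerShell example, not part of the original post; the function name, publisher pattern, staging folder and log path are hypothetical placeholders, and the staging folder is assumed to be writable by administrators only.

```powershell
# Added example, not from the original post. Function name, publisher pattern,
# staging folder and log path are hypothetical placeholders.
function Start-ApprovedInstall {
    param(
        [Parameter(Mandatory)][string]$Target,        # e.g. targetsystem
        [Parameter(Mandatory)][string]$InstallerUnc,  # UNC path to the user's setup.exe
        [string[]]$ApprovedPublishers = @('CN=Example Software Vendor*'),  # constructed
        [string]$StageLocal = 'C:\AdminStage',  # assumed: ACL'd for administrators only
        [string]$LogPath = 'C:\AdminLogs\remote-installs.csv'  # folder assumed to exist
    )

    # Copy the installer out of the user-writable profile so the file that gets
    # checked is the file that runs, and the user cannot swap it in between.
    $stageUnc = "\\$Target\" + ($StageLocal -replace '^(\w):', '$1$$')
    New-Item -ItemType Directory -Path $stageUnc -Force | Out-Null
    $name = Split-Path -Path $InstallerUnc -Leaf
    $stagedUnc = Join-Path -Path $stageUnc -ChildPath $name
    Copy-Item -LiteralPath $InstallerUnc -Destination $stagedUnc -Force

    # Require a valid Authenticode signature from an approved publisher.
    $sig = Get-AuthenticodeSignature -FilePath $stagedUnc
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to launch: signature status is $($sig.Status)"
    }
    $subject = $sig.SignerCertificate.Subject
    if (-not ($ApprovedPublishers | Where-Object { $subject -like $_ })) {
        throw "Refusing to launch: publisher '$subject' is not approved"
    }

    # Record what was launched, where, and by which admin.
    $hash = (Get-FileHash -LiteralPath $stagedUnc -Algorithm SHA256).Hash
    [pscustomobject]@{
        When = (Get-Date).ToString('s'); Admin = $env:USERNAME; Target = $Target
        Source = $InstallerUnc; Sha256 = $hash; Publisher = $subject
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation

    # Launch on the user's interactive desktop from the staged local path.
    & psexec.exe "\\$Target" -i (Join-Path -Path $StageLocal -ChildPath $name)
}
```

An unsigned or unapproved installer stops at the `throw`, so nothing runs with the sysadmin's privileges until the file has passed both checks.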
I find this approach most helpful for installing “one off” programs that are business related but are not worth writing RIS scripts for GPO based deployment.
Chris