about users without admin rights installing programs?

Are you sure about that? Don't you have some kind of role-based access
control through Active Directory or something, where you can control things
more precisely? You just let everyone download anything and everything they
want in an organization that large? Seems like it would be an administrative
nightmare. I mean, it’s none of my beeswax. I've just never heard of such a
thing.

Anyway, you wouldn't have to give them admin rights just to let them install
programs. Go into Local Security Policy and set the option to prompt for
elevation on program installs to Disabled. (It's enabled by default).
Standard users can then install programs without elevation prompts or
administrative passwords.

You have to log into an administrative account first. Standard users can't
elevate to get there. Once you're in an admin account click Start, type sec
and click Local Security Policy.


"Bill Bray" <Bill > wrote in message
news:5C07E0DD-2ED5-470C-936C-...
> We have over 100,000 employees and for the most part we have had to give
> them
> all local admin rights on their computers so that they could install their
> own software and run programs that traditionally needed admin rights for
> updates as well. What i am wondering is if we could now get around this
> with
> the new implementation of the UAC in Vista?

You' may be kiddin' me. And if not, no offense. But I can't wait to tell the
network and security admins at Lockheed-Martin about this. They'll have
nightmares about it for weeks - heh heh.


"Bill Bray" <Bill > wrote in message
news:5C07E0DD-2ED5-470C-936C-...
> We have over 100,000 employees and for the most part we have had to give
> them
> all local admin rights on their computers so that they could install their
> own software and run programs that traditionally needed admin rights for
> updates as well. What i am wondering is if we could now get around this
> with
> the new implementation of the UAC in Vista?

After setting "User Account Control: Detect application installations and
prompt for elevation." to Disabled in Local Security Policy, I was able to
install from a local folder, a CD, and a couplr (but not all) Web sites from
my standard user account without being prompted for admin password.

I still got prompted for elevation when trying to download and install Opera
and QuickTime. Not sure why. Could be an Internet Explorer thing. Not sure.

Also while in my Standard account a typed up a doc in Word 2007. During save
I navigated the C:\ root, created a folder there, and saved to that folder.
No problem, not prompts for elevation.

Hope that helps. Obviously you'll have to look into it some more. But it's a
start.




"Bill Bray" <> wrote in message
news:67499C37-24E1-4317-A654-...
> It is tough. It would be nice to teach these guys but that would be an
> even
> worse nightmare I think. These guys for the most part are roughnecks to
> the
> core. They know their jobs inside and out but learning something new is
> just
> not something they will be happy with. Most would just skip that and call
> desktop when they hit a snag. Old dog and new tricks kind of thing...
> Just
> out of curiosity what did you have in mind with regards to over riding the
> UAC. We do have some global accounts set up on each machine for this
> option
> with local admin rights already?
>
> We are somewhat used to having them use local admin rights but as you guys
> already pointed out they install all kinds of garbage and about 60% of our
> help desk calls are the result of users making system changes that they
> should not have made or instaled software we don't support. It would be
> nice
> to not allow them install software that they require and not that which
> they
> use for personal reasons.
>
> The in house apps connect to the corporate network via satellite links.
> Problem is that we can't block all the other sites on the net that users
> try
> to access. Many we do, but you can't get them all. The updates for our
> in
> house apps install to system folders and without admin rights they have
> traditionally not been able to complete this. Cheers,
> Bill
>
>
> "Ronnie Vernon MVP" wrote:
>
>> Tough situation!
>>
>> The only way I can see to make this work and still retain at least some
>> of
>> the security that Vista provides would be to teach these users how to
>> temporarily override the User Account Control when there are no other
>> options.
>>
>> However, if they have been using a previous version of Windows and still
>> maintaining security, I don't know of a reason why they can't just use an
>> elevated administrator account to work with.
>>
>> You mentioned some in house apps. Are these apps located on the corporate
>> network or are they connected to the corporate network when they are
>> using
>> their systems?
>>
>> --
>>
>> Ronnie Vernon
>> Microsoft MVP
>> Windows Shell/User
>>
>>
>> "Bill Bray" <> wrote in message
>> news:08A93E29-4AB0-4537-BF5F-...
>> > Unfortunately the way things are they do have carte blanche and I'm
>> > sure
>> > you
>> > know well why we need this to change. The reason it's this way I
>> > described
>> > in my reply to the other fellow. Our field users are often in remote
>> > locations and we only see them maybe once a month. They have to be
>> > able
>> > to
>> > install software in the field in the event of a software unrecoverable
>> > failure and for our in house apps which write to the root of the drive?
>> > These guys work jobs daily that are worth 100's of thousands of dollars
>> > and
>> > up. They can't be blocked from making software changes or we would
>> > lose a
>> > rediculous amount of money. One caveat there would be that these guys
>> > are
>> > great with an oil well....but terrible as far as computer skills go.
>> > It's
>> > a
>> > real problem for us and we were hoping our Vista release in a few
>> > months
>> > might help change this old problem finally?
>> >
>> > "Ronnie Vernon MVP" wrote:
>> >
>> >> Bill
>> >>
>> >> The best practices recommendation for that many users would be to have
>> >> them
>> >> all use Standard User accounts. If they try to install a program, or
>> >> any
>> >> other process that needs administrative rights, they will be prompted
>> >> to
>> >> enter the name of an administrative account and password to continue.
>> >> They
>> >> should not be using an administrative account for day to day work.
>> >>
>> >> I'm assuming that these 100,000 users don't have carte blanche to
>> >> install
>> >> any software that they wish to, without some in place procedure to
>> >> obtain
>> >> permission from a network IT manager.
>> >>
>> >> --
>> >>
>> >> Ronnie Vernon
>> >> Microsoft MVP
>> >> Windows Shell/User
>> >>
>> >>
>> >> "Bill Bray" <Bill > wrote in message
>> >> news:5C07E0DD-2ED5-470C-936C-...
>> >> > We have over 100,000 employees and for the most part we have had to
>> >> > give
>> >> > them
>> >> > all local admin rights on their computers so that they could install
>> >> > their
>> >> > own software and run programs that traditionally needed admin rights
>> >> > for
>> >> > updates as well. What i am wondering is if we could now get around
>> >> > this
>> >> > with
>> >> > the new implementation of the UAC in Vista?
>> >>
>>

We have over 100,000 employees and for the most part we have had to give them
all local admin rights on their computers so that they could install their
own software and run programs that traditionally needed admin rights for
updates as well. What i am wondering is if we could now get around this with
the new implementation of the UAC in Vista?

Bill

The best practices recommendation for that many users would be to have them
all use Standard User accounts. If they try to install a program, or any
other process that needs administrative rights, they will be prompted to
enter the name of an administrative account and password to continue. They
should not be using an administrative account for day to day work.

I'm assuming that these 100,000 users don't have carte blanche to install
any software that they wish to, without some in place procedure to obtain
permission from a network IT manager.

--

Ronnie Vernon
Microsoft MVP
Windows Shell/User


"Bill Bray" <Bill > wrote in message
news:5C07E0DD-2ED5-470C-936C-...
> We have over 100,000 employees and for the most part we have had to give
> them
> all local admin rights on their computers so that they could install their
> own software and run programs that traditionally needed admin rights for
> updates as well. What i am wondering is if we could now get around this
> with
> the new implementation of the UAC in Vista?

Unfortunately I am sure about that. I am one of the Global admins. I'd tell
you the company name but I'm not sure that would be a wise move on my part.
Let me just say that we are one of the top 3 in the Oil and Gas industry
worldwide. Problem is that our 100,000's of field workers spend 3/4 of their
time out of our reach in very remote locations. We tried with Power User
accounts in the past and it was a nightmare. They have to be able to install
programs in the field when they fail and some of our in house software
requires write permission to the root drive. As you have already guessed
this is an administrative nightmare, but field users need this flexability or
each of them potentially can lose hundreds of thousands of dollars a day if
they are down. So they need install rights as well as being able to write to
a folder in the root?
Are you sure that standard users can still do this with disabling the prompt
for installs for a standard user? This is something of what we are after
with Vista? Problem is I only have 4 months before the rollout to get this
sorted out or things will remain as they are. Thanks

"Puppy Breath" wrote:

> Are you sure about that? Don't you have some kind of role-based access
> control through Active Directory or something, where you can control things
> more precisely? You just let everyone download anything and everything they
> want in an organization that large? Seems like it would be an administrative
> nightmare. I mean, it’s none of my beeswax. I've just never heard of such a
> thing.
>
> Anyway, you wouldn't have to give them admin rights just to let them install
> programs. Go into Local Security Policy and set the option to prompt for
> elevation on program installs to Disabled. (It's enabled by default).
> Standard users can then install programs without elevation prompts or
> administrative passwords.
>
> You have to log into an administrative account first. Standard users can't
> elevate to get there. Once you're in an admin account click Start, type sec
> and click Local Security Policy.
>
>
> "Bill Bray" <Bill > wrote in message
> news:5C07E0DD-2ED5-470C-936C-...
> > We have over 100,000 employees and for the most part we have had to give
> > them
> > all local admin rights on their computers so that they could install their
> > own software and run programs that traditionally needed admin rights for
> > updates as well. What i am wondering is if we could now get around this
> > with
> > the new implementation of the UAC in Vista?
>

Unfortunately the way things are they do have carte blanche and I'm sure you
know well why we need this to change. The reason it's this way I described
in my reply to the other fellow. Our field users are often in remote
locations and we only see them maybe once a month. They have to be able to
install software in the field in the event of a software unrecoverable
failure and for our in house apps which write to the root of the drive?
These guys work jobs daily that are worth 100's of thousands of dollars and
up. They can't be blocked from making software changes or we would lose a
rediculous amount of money. One caveat there would be that these guys are
great with an oil well....but terrible as far as computer skills go. It's a
real problem for us and we were hoping our Vista release in a few months
might help change this old problem finally?

"Ronnie Vernon MVP" wrote:

> Bill
>
> The best practices recommendation for that many users would be to have them
> all use Standard User accounts. If they try to install a program, or any
> other process that needs administrative rights, they will be prompted to
> enter the name of an administrative account and password to continue. They
> should not be using an administrative account for day to day work.
>
> I'm assuming that these 100,000 users don't have carte blanche to install
> any software that they wish to, without some in place procedure to obtain
> permission from a network IT manager.
>
> --
>
> Ronnie Vernon
> Microsoft MVP
> Windows Shell/User
>
>
> "Bill Bray" <Bill > wrote in message
> news:5C07E0DD-2ED5-470C-936C-...
> > We have over 100,000 employees and for the most part we have had to give
> > them
> > all local admin rights on their computers so that they could install their
> > own software and run programs that traditionally needed admin rights for
> > updates as well. What i am wondering is if we could now get around this
> > with
> > the new implementation of the UAC in Vista?
>

I haven't actually tried it in the RTM release, but I'm reasonably sure. Do
you have a copy of Vista there so you can test for yourself? Check on that
root folder access too.

I'll test both when I can get to it. But there are plenty of people here who
either already know for sure, or can try it out.

The remote locations explains a lot. But I won't mention that to the
Lockheed guys. These guys have to worry about government Secret, Top Secret,
and higher sensitivity labels, and as such are duly paranoid about every bit
that flows across the network. So you can imagine how the thought of 100,000
users with admin rights would give them nightmares ;-)


"Bill Bray" <> wrote in message
newsDE76C51-9CCD-4822-859F-...
> Unfortunately I am sure about that. I am one of the Global admins. I'd
> tell
> you the company name but I'm not sure that would be a wise move on my
> part.
> Let me just say that we are one of the top 3 in the Oil and Gas industry
> worldwide. Problem is that our 100,000's of field workers spend 3/4 of
> their
> time out of our reach in very remote locations. We tried with Power User
> accounts in the past and it was a nightmare. They have to be able to
> install
> programs in the field when they fail and some of our in house software
> requires write permission to the root drive. As you have already guessed
> this is an administrative nightmare, but field users need this flexability
> or
> each of them potentially can lose hundreds of thousands of dollars a day
> if
> they are down. So they need install rights as well as being able to write
> to
> a folder in the root?
> Are you sure that standard users can still do this with disabling the
> prompt
> for installs for a standard user? This is something of what we are after
> with Vista? Problem is I only have 4 months before the rollout to get
> this
> sorted out or things will remain as they are. Thanks
>
> "Puppy Breath" wrote:
>
>> Are you sure about that? Don't you have some kind of role-based access
>> control through Active Directory or something, where you can control
>> things
>> more precisely? You just let everyone download anything and everything
>> they
>> want in an organization that large? Seems like it would be an
>> administrative
>> nightmare. I mean, it's none of my beeswax. I've just never heard of such
>> a
>> thing.
>>
>> Anyway, you wouldn't have to give them admin rights just to let them
>> install
>> programs. Go into Local Security Policy and set the option to prompt for
>> elevation on program installs to Disabled. (It's enabled by default).
>> Standard users can then install programs without elevation prompts or
>> administrative passwords.
>>
>> You have to log into an administrative account first. Standard users
>> can't
>> elevate to get there. Once you're in an admin account click Start, type
>> sec
>> and click Local Security Policy.
>>
>>
>> "Bill Bray" <Bill > wrote in message
>> news:5C07E0DD-2ED5-470C-936C-...
>> > We have over 100,000 employees and for the most part we have had to
>> > give
>> > them
>> > all local admin rights on their computers so that they could install
>> > their
>> > own software and run programs that traditionally needed admin rights
>> > for
>> > updates as well. What i am wondering is if we could now get around
>> > this
>> > with
>> > the new implementation of the UAC in Vista?
>>

Yes, we have some very strong group policies in place to be sure. Just not
with regard to installing software. Our SMS servers keep track of all users
software and the desktop team removes that which we don't want, but they are
still able to install their own software and of course they do. It is a
nightmare but so far we have been unable to get around this. Allot of it has
to do with our own in house software and the way it is designed. Users need
to have admin rights because it alters system folders.
I will test this out on Monday to see how it works out. Thank you for your
time

"Puppy Breath" wrote:

> Are you sure about that? Don't you have some kind of role-based access
> control through Active Directory or something, where you can control things
> more precisely? You just let everyone download anything and everything they
> want in an organization that large? Seems like it would be an administrative
> nightmare. I mean, it’s none of my beeswax. I've just never heard of such a
> thing.
>
> Anyway, you wouldn't have to give them admin rights just to let them install
> programs. Go into Local Security Policy and set the option to prompt for
> elevation on program installs to Disabled. (It's enabled by default).
> Standard users can then install programs without elevation prompts or
> administrative passwords.
>
> You have to log into an administrative account first. Standard users can't
> elevate to get there. Once you're in an admin account click Start, type sec
> and click Local Security Policy.
>
>
> "Bill Bray" <Bill > wrote in message
> news:5C07E0DD-2ED5-470C-936C-...
> > We have over 100,000 employees and for the most part we have had to give
> > them
> > all local admin rights on their computers so that they could install their
> > own software and run programs that traditionally needed admin rights for
> > updates as well. What i am wondering is if we could now get around this
> > with
> > the new implementation of the UAC in Vista?
>

Tough situation!

The only way I can see to make this work and still retain at least some of
the security that Vista provides would be to teach these users how to
temporarily override the User Account Control when there are no other
options.

However, if they have been using a previous version of Windows and still
maintaining security, I don't know of a reason why they can't just use an
elevated administrator account to work with.

You mentioned some in house apps. Are these apps located on the corporate
network or are they connected to the corporate network when they are using
their systems?

--

Ronnie Vernon
Microsoft MVP
Windows Shell/User


"Bill Bray" <> wrote in message
news:08A93E29-4AB0-4537-BF5F-...
> Unfortunately the way things are they do have carte blanche and I'm sure
> you
> know well why we need this to change. The reason it's this way I
> described
> in my reply to the other fellow. Our field users are often in remote
> locations and we only see them maybe once a month. They have to be able
> to
> install software in the field in the event of a software unrecoverable
> failure and for our in house apps which write to the root of the drive?
> These guys work jobs daily that are worth 100's of thousands of dollars
> and
> up. They can't be blocked from making software changes or we would lose a
> rediculous amount of money. One caveat there would be that these guys are
> great with an oil well....but terrible as far as computer skills go. It's
> a
> real problem for us and we were hoping our Vista release in a few months
> might help change this old problem finally?
>
> "Ronnie Vernon MVP" wrote:
>
>> Bill
>>
>> The best practices recommendation for that many users would be to have
>> them
>> all use Standard User accounts. If they try to install a program, or any
>> other process that needs administrative rights, they will be prompted to
>> enter the name of an administrative account and password to continue.
>> They
>> should not be using an administrative account for day to day work.
>>
>> I'm assuming that these 100,000 users don't have carte blanche to install
>> any software that they wish to, without some in place procedure to obtain
>> permission from a network IT manager.
>>
>> --
>>
>> Ronnie Vernon
>> Microsoft MVP
>> Windows Shell/User
>>
>>
>> "Bill Bray" <Bill > wrote in message
>> news:5C07E0DD-2ED5-470C-936C-...
>> > We have over 100,000 employees and for the most part we have had to
>> > give
>> > them
>> > all local admin rights on their computers so that they could install
>> > their
>> > own software and run programs that traditionally needed admin rights
>> > for
>> > updates as well. What i am wondering is if we could now get around
>> > this
>> > with
>> > the new implementation of the UAC in Vista?
>>