Re: Install Apps rights?

Tech-Archive recommends: Fix windows errors by optimizing your registry

If I make the company a member of the ADMINISTRATORS group would this
suffice? I just want to keep them out of the AD stuff.

We are a contracted network management company and many of our clients
run business management software from their single server
environments. In the past we have done the software installations but
increasingly the software vendors (these are big companies that manage
just their product) need to do updates and that's what the client
wants (they pay an annual maintenance fee for this service by the
vendor)

It's not something we're going to be able to change for the company. I
just want to keep vendors out of the AD structure. I was hoping there
was a Microsoft solution to this.

-JS-


No specific permissions nor rights are actually REQUIRED for
installing software -- although some applications may require
certain permissions (maybe rights too) to modify registry keys
or write files in certain directories.

"Jacques Schett" <homeless@xxxxxxxx> wrote in message
news:t98o53haop9cjdm26dpailkaf322hmbki3@xxxxxxxxxx
I have a vendor that needs access periodiically to install software
and/or service pack updates for their software. Since this is a domain
controller I don't want them to be able to change user accounts, etc.

The vendor should NOT be allowed to do this on a DC (or really
any other machine) -- the vendor should make the updates available
TO YOU for installation.

Or provide an updater as many (even inexpensive products do) so that
YOU are in control of the update process but it can continue automatically
as your discretion.

Is there an account type (i.e. Administrators, Domain Controller
Operators, etc) that I should use that willl let them install apps but
not have ANY access to Active Directory settings?

Yes, a regular User account but then you would also have to give
them the ability to logon locally which even your normal domain users
do not have by default.

This is a Windows Server 2003 network.

The vendor is asking for something unreasonable. It is a bad idea.

First ask the vendor what permissions (and or rights) are required for
the software to be installed.

Some apps (WinZip) require NOTHING special except being able
to logon and write to files.

Some "apps" are actually services or drivers and require administrative
privileges to do the install or update.
.

Relevant Pages

  • Re: Samsung release laptops with solid state drives...
    ... One which doesn't bring with it the security concerns and the maintenance intensity of Windows. ... I am constantly installing updates. ... Hardware break/fix was done by a vendor, ...
    (comp.sys.mac.advocacy)
  • Re: Install Apps rights?
    ... You manage OTHER peoples networks and you intend to let a "vendor" ... Why aren't these things done with some form of automatic updates? ... controller I don't want them to be able to change user accounts, ... privileges to do the install or update. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Installing XP Pro Tablet Edition and restricting users?
    ... One can be logged on as the "Administrator" or logged on ... install Windows Updates. ... You can configure Automatic Updates by using Group Policy ... a member of the "Administrators Group", ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Cannot run updates/hot fixes
    ... The user trying to install the update needs to be a member of the local ... administrators group of which the domain admins group is which is probably why it ... to configure the domain clients for Windows Updates. ... > updates will run is if we use a domain admins account to run the update. ...
    (microsoft.public.win2000.security)
  • No Updates are successful
    ... I am running MS Vista Ultimate. ... About 2 weeks ago ALL updates of any kind, ... from any vendor, including MS have failed to install. ...
    (microsoft.public.win2000.security)