How can I grant install rights for certain applications

[JeffGP]

My pc community is all windows 7 and I have set all users with 'user' status to the machine. When Adobe or Java want to update it requires me to go to the specific machine and install the update. I certainly can use 'switch user' but I would rather allow the user to make the update. Is there a way to do this or should it be done another way.

Thank you.

[meanoldman]

I've been looking for a good solution to this as well. Since all of my client computers are on an Active Directory network I am trying to use GPOs to deploy the updates with mixed results. Adobe Reader seems to deploy alright, but sometimes Java will act like it was deployed but somehow winds up mangled.

As a side step, I have also tried using an ADMX that I found that sets Java to not try to Autoupdate. It doesn't really address the issue of updating, but it keeps the end users off my back since they no longer see the prompt that updates are available.

[trekker]

You can set registry entries that will stop each app from prompting the user to update. But, that doesn't solve the problem of actually updating the application. The short answer is that someone with Admin rights will have to install the updates. You can do the updates with Group Policy, but as the PP has said, there are some issues with that. How many machines are you talking about? If it is only a handful, doing it manually is annoying, but will do the job. If you've got a lot of machines, it is probably time to look into management software like SCCM.

[JeffGP]

Well it is a small number 25-30 machines. However, there are quite a few laptops and they are not always onsite. Seems like this would be a bigger problem unless updating is just turned off.

Thank you

[meanoldman]

Same situation for me too. I have 30 some odd computers, but most are notebooks and most of those travel pretty regularly. Disabling the auto updating works for now so at least the users don't get the nag every morning that updates are available. With XP at least you could set users as power users (maybe not too wise) and they could install Java updates.

[trekker]

I highly recommend that you keep the third-party apps updated. There's quite a bit of malware out there that attacks vulnerabilities in old versions of Java and Flash.

You might want to look into Windows Intune. You can probably break even on the cost if you use their antivirus and get the lowest version of Windows on new PC's and use their license to upgrade.

[meanoldman]

I highly recommend that you keep the third-party apps updated. There's quite a bit of malware out there that attacks vulnerabilities in old versions of Java and Flash.

I agree with you completely. Trouble is I don't trust most of my users enough to grant them admin rights with an alternate user account. I have been bitten too many times by this. A recent example - I issued a new computer to the president of our company and told him about an alternate user he could use judiciously/sparingly if ever he needed to install an update that required elevated privileges. I told him by no means should he ever log on as that user. So what does he do? Logs on as that user all the time...

[JeffGP]

Yes, the old catch 22. It is too bad active directory and/or winodows doesn't make a gateway that all third party applications go through when loaded on a machine or device. It would be easy to grant access for the application to the gateway. It was done when we moved away from ini files to registry entries. Maybe the registry could have an entry that can only come from a gp to allow 3rd party applications. oh wait that is where I started.

[trekker]

Another possibility is Privilege Guard from Avecto. Jeremy had a webinar recently where it was shown off. It has the ability to give granular admin rights to users.

[meanoldman]

Interesting. I didn't see any pricing information. Any idea what their price structure looks like?