Q

What is the best way to deploy updates without manually resetting permissions?

We are running W2K servers with WinXP Pro clients. All users (with a few exceptions) are not allowed Administrator (or even Power User) level permissions on their local machines due to policy abuse.

We frequently need to install application patches/updates, OS patches/updates, new fonts, or new applications to many or all machines. This just doesn't work as it sometimes takes a few days for each round due to scheduling conflicts. Example: today several people needed to connect to a Microsoft Webinar and needed the Webinar client installed -- three minutes before the Webinar was to begin.

Although some of the items can be installed using "Run As" (Administrator), not all can and that still requires hands-on access to each machine which is time intensive. We are a smaller shop than many, but we are frequently running into similar problems since we have to either log the user out and log in as Admin on each system to do the install or we have to give the user Admin permissions on each machine, do the install, then remove the permissions. Neither method is efficient and leaves room for error (forgetting to remove the Admin level permissions).

What is the best way to deploy such updates/installations/system changes from a Windows 2000 Server (or a XP Client w/domain admin privileges) without having to visit each machine manually or set/reset local system permissions?
There are a couple of ways to do this. One is to use Microsoft Systems Management Server in an administrative context to deploy the applications or patches in question. Another possibility, which is a little riskier, is to use the Windows Installer system policy "Always install with elevated privileges," although this will only work for apps that use .MSI packages or Windows Installer technology. Similarly, setting the policy "Enable user to use media source while elevated" allows users without administrator rights to install programs from a CD, but this is also risky. Using SMS may be the best choice here.

This was first published in December 2003

Dig deeper on Microsoft Windows 2000 Server Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close