How do large companies handle software updates for users without administrative rights


I just started working for a small-medium size company doing IT support. Maybe 150 or less users.

Right now every user has administrative rights to their own machine. This allows them to install updates or whatever else they would like to.

I'm tired of getting on users' machines that are bloated with crap they put on themselves. So my first thought would be to take away administrative rights to their computer. This would also have other advantages such as preventing a lot of drive-by malware on the web etc.

The problem arises that users are unable to install updates. (Even though I find most ignore these anyway)

How do large companies handle software updates on all client machines?

EDIT: Windows environment. Most servers are Windows Server 2003 Enterprise. Clients are all Windows. Win XP, Vista, and 7.

Best Answer

Windows Server Update Services (WSUS) provides the server-side component to handle update deployment. It's provided by Microsoft as a no-cost add-on to Windows Server 2003 and up.

Computers (client PCs, servers, etc) are typically directed to the WSUS server to receive updates by way of Group Policy settings (that can also be done through simple registry manipulation, too). The Windows Update client software is configurable to allow the client to automatically download and install updates on a schedule, or to download and prompt for installation, etc. The client software can force the PC to reboot, or may optionally defer reboot if a user remains logged-on. There are a variety of options.

For third-party software you can create updates to distribute via WSUS by using the System Center Updates Publisher as part of the Microsoft System Center Configuration Manager product. (There are some other tools that will allow you to publish non-Microsoft updates to WSUS, too -- I have no experience with them and can't recommend / comment on them. There's some talk about them in a comment to this Server Fault answer.)

I typically install software to client computers via Group Policy, so deploying updates typically involves rolling new packages that way. You can see more about that strategy in this Server Fault answer.

BTW: You're doing the right thing re: getting rid of Administrator rights for users. You'll see a dramatic improvement in PC reliability, and indirectly you'll be improving security. Having a network with client computers having restricted Administrator rights is a very nice place to be. At the very least, malware will be restricted to damaging the profile of an individual user, which makes cleanup as easy as restoring a copy of a pre-infection roaming profile from backup.
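
The registry values behind the WSUS Group Policy settings described in the answer, as an added example that is not part of the original answer. It audits a client against a "download automatically, install on a schedule, do not reboot while a user is logged on" policy and writes the values only when run with `-Apply`; the WSUS URL and the daily 03:00 schedule are assumptions.

```powershell
# Added example. Run from an elevated prompt; without -Apply it only reports.
param(
    [string]$WsusUrl = 'http://wsus.example.internal:8530',  # placeholder, not a real server
    [switch]$Apply
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Expected policy: key path, value name, data, registry type
$expected = @(
    @($wu, 'WUServer',             $WsusUrl, 'String'),  # where updates are fetched from
    @($wu, 'WUStatusServer',       $WsusUrl, 'String'),  # where the client reports status
    @($au, 'UseWUServer',          1, 'DWord'),          # use WSUS instead of Microsoft Update
    @($au, 'NoAutoUpdate',         0, 'DWord'),          # automatic updates enabled
    @($au, 'AUOptions',            4, 'DWord'),          # 4 = auto download, scheduled install
    @($au, 'ScheduledInstallDay',  0, 'DWord'),          # 0 = every day, 1-7 = Sunday-Saturday
    @($au, 'ScheduledInstallTime', 3, 'DWord'),          # hour of day, 0-23 (assumed 03:00)
    @($au, 'NoAutoRebootWithLoggedOnUsers', 1, 'DWord')  # defer reboot while a user is logged on
)

$changed = $false
foreach ($e in $expected) {
    $path, $name, $want, $type = $e
    $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $ok = ($null -ne $actual) -and ($actual -eq $want)

    if (-not $ok -and $Apply) {
        # Create the key only if missing: New-Item -Force on an existing key wipes its values
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $name -Value $want -PropertyType $type -Force | Out-Null
        $changed = $true
    }

    # One result row per setting, showing what was found before any change
    New-Object PSObject -Property @{
        Name = $name; Expected = $want; Actual = $actual; Compliant = $ok
    }
}

# Restart the Windows Update service so the client rereads its policy
if ($changed) { Restart-Service wuauserv }
```

On domain-joined machines a Group Policy Object that sets these values will overwrite local changes at the next policy refresh, so the read-only mode is the part to run routinely.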
