Windows – How to allow program updates without prompting UAC

group-policymsiuacwindowswindows-installer

We have about 15-20 users who have this software installed.

We have UAC enabled through GPO as you should, which means the software prompts for admin approval if a standard user trys to install it. Thats fine, they can call the help desk to have the software installed.

My problem is, our help desk is being bombarded every day because users can't update the software and there are updates almost every day which is prompting UAC.

Using procmon.exe to find out where it was trying to write to, I then created a GPO to allow file permission access to the program files folder for this particular software, including the program data folder, but it still prompts for admin approval. It seems as though that the software is using msiexec.exe to run a .msp patch file.

The only "ACCESS DENIED"s I can still see in procmon is things like this:

What can I possibly do to stop this software from prompting UAC with admin password credentials aside from disabling UAC?

Best Answer

Unfortunately this problem of inconvenience is not easily solved, as you're really talking about misbehaving software -- not meant for the enterprise environment where workstations are locked down. You will need to choose software that can run without aggressively applying patches, then you can manage the schedule and push them out yourself after having signed them. This is why systems administrators avoid consumer-grade software that tries to update often.

Related Solutions

Windows – How important is it to install on the program files folder

Technically: Yes.

Logically: No

Business wise: I know a lot of companies that would throw you out based on obvious quality issues. Even if you do not certify for windows, you should not blatantly violate common sense and guidelines.

I personally would return the software as faulty and bill you for every minute we spent with it - due to gross neglect.

Someone on your end obviously messed up and never read how to program windows. Happy fixing ;)

So, at the end: It is going to cost you. ESPECIALLY in a CMS area - highly competitive.

Windows – How to convert a elevated command prompt to a regular command prompt

Sysinternals to the rescue! There is an option added some time ago to run a command as a limited user.

    Usage: psexec [\\computer[,computer2[,...] | @file][-u user [-p psswd]][-n s][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,... ] cmd [arguments]


-d  Don't wait for application to terminate. Only use this option for non-interactive applications.
-e  Does not load the specified account's profile.
-f  Copy the specified program to the remote system even if the file already exists on the remote system.
-i  Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session.
-l  Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity.

Specifically I'm recommending running

psexec -i -d -l "your command here"

This will run the command interactively, (so you can see the results) detached, (so the command line returns immediately -- not strictly necessary), and as a limited user.

Best Answer

Related Solutions

Windows – How important is it to install on the program files folder

Windows – How to convert a elevated command prompt to a regular command prompt

Related Topic