How to configure non-admin accounts to install updates of non-Microsoft applications using Active Directory?

How to configure non-admin users to allow them to install updates for Java and Adobe Acrobat Reader (or any other application which may need such privileges) without needing an administrator password on Windows 7? Updates for Microsoft products install without problems.

This can be an Active Directory (Windows 2003) solution, or computer-based (employable through GPO or login script).

Edit: Just to add some information. I know Secunia offers Secunia CSI, which integrates with WSUS and allows other software updates to be deployed through it. But it's paid software, which is something I would like to avoid.

Also, giving admin/power-user rights is not something I want to do, since it then opens up additional security holes.


Solution 1:

Package the updates as MSI with your favourite packager (if they're not already in a suitable MSI format) and deploy them using Active Directory's built-in deployer. This will not require any administrative rights on the clients. It can become tedious though; that's where patch management and software distribution suites come into play.

Also as a side note, Power User is basically the same as Administrator when it comes to security, so it's not really any better than Administrator.
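
A computer-based way to do this, as an added example that is not part of either answer: a startup script assigned through a computer GPO runs as Local System, so it can install a vendor MSI silently while users stay non-admin. The share path, product name, version and publisher pattern are placeholder assumptions.

```powershell
# Added example: computer startup script assigned by GPO; it runs as Local System.
# Every value in this block is a placeholder to replace (assumptions, not from the page).
$MsiPath       = '\\fileserver.example.local\updates$\vendor-update.msi'
$DisplayName   = 'Example Vendor App*'   # matched against the installed DisplayName
$TargetVersion = [version]'0.0.0.0'      # version contained in the MSI
$Publisher     = '*O=Example Vendor*'    # expected signer certificate subject
$Log           = Join-Path $env:windir 'Temp\vendor-update.log'

# 1. Only touch machines that have the product and are below the target version.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$old = Get-ItemProperty $keys -ErrorAction SilentlyContinue | Where-Object {
    $v = $_.DisplayVersion -as [version]   # $null when the string is not a version
    $_.DisplayName -like $DisplayName -and $v -and $v -lt $TargetVersion
}
if (-not $old) { exit 0 }

# 2. Stage a local copy so the file that is verified is the file that is installed.
$stage = Join-Path $env:windir ('Temp\' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $stage | Out-Null
$local = Join-Path $stage (Split-Path $MsiPath -Leaf)
Copy-Item $MsiPath $local

# 3. Refuse anything that is unsigned, tampered with, or signed by another publisher.
$sig = Get-AuthenticodeSignature -FilePath $local
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike $Publisher) {
    Add-Content $Log "$(Get-Date -Format s) refused ${local}: $($sig.Status)"
    Remove-Item $stage -Recurse -Force
    exit 1
}

# 4. Silent install; msiexec writes its own verbose log next to the script log.
$msiArgs = "/i `"$local`" /qn /norestart /l*v `"$Log.msi`""
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
Remove-Item $stage -Recurse -Force
if ((0, 3010) -contains $proc.ExitCode) { exit 0 }   # 3010 = success, reboot required
exit $proc.ExitCode
```

Because the script runs as Local System, the share should be readable by the computer accounts and writable only by administrators: anyone who can replace the MSI or the script gets code execution as SYSTEM on every machine in the OU.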

Solution 2:

I set their systems to be managed in AD and then I just right click the machine name, click on manage, and then temporarily change their permissions. I give them 2-4 hours to do what they need to, and then I set it back.

You can set up group policy and apply it to a new OU and put their computers in there. The only problem is that I am unable to do so with Windows 7 users. I manually have to touch the local gp on their machines. I put it as part of my build checklist or change the gp when I am working on their system.

Apparently, I will be able to set it up for the W7 machines when replacing my DC with Windows 2008 R2.

My two cents.