We have a number of agent procedures that need to be run as the logged on user with Administrator rights (for the installation period). We can't install them with an administrator logon as they require installation into the user profile to work.
Our users don't have administrator privileges and we've tried using the Kaseya step "Give current user admin rights" whereby you can specify the number of minutes the user has admin rights to get the application installed under the user account.
We haven't been able to get it working and Kaseya support's response is that Windows 7 64 bit doesn't like user rights being changed on the fly. Surely there must be a way around this?
How do you install applications (such as iTunes, flash updates etc) that need to be installed in the user profile when you don't give users administrator privileges and the simplest method of doing so temporarily with Kaseya doesn't work with Windows 7 64 bit?
When we try to run the procedure, nothing happens. If we run the procedure as local admin there is no problem.
Any help appreciated!
What happens if you grant the user temp admin rights from Kaseya, but then try to run the install manually? Do you get errors? Is there a log file?
Unfortunately due to limitations imposed by Microsoft this step will actually need a subsequent reboot in order to take effect. I'll be updating the step to include this information and end-user logout prompt in the future.
You could contact Microsoft to see if there is a way to get around this, I have yet to hear of one though.
I also haven't run into issues with Flash updates needing to be installed on a per-user basis. I haven't tried doing a push install of iTunes but being such a widely used application I would have to think there is a way to get it to install properly for 'all users' of a machine instead of just the currently logged on user? I don't recall hearing about it only supporting the current user.
iTunes can be installed to all users, but the first time it is run by the real user it will do a reconfigure; this should not require admin rights.
As it's a dirty dirty install I extract each of the MSIs out and install the components individually using msiexec /i xxx.msi /qb
Interesting issue. I've not tried this much myself as most users under my system have admin rights, but I have one suggestion:
I am not sure exactly what the built in agent procedure step to give local admin rights DOES, but the following shell commands should work:
net localgroup Administrators /Add DOMAIN\username
net localgroup Administrators /Delete DOMAIN\username
Obviously there are other variables or shell commands that will give you the currently logged in DOMAIN\username component so the script can be dynamic. I just ran this against my Win 7 x64 machine (as the system account in the procedure) and added another domain user as a local admin to my machine, which worked immediately. I was also able to add my current account to a different security group.
Could be worth investigating this step in your install script?
Thanks everyone, I'll get back to you on how we travel with this.
Remember....if you use net localgroup command....they need to log off and log on in order for group security tokens to be refreshed. Automating this is not practical.
We use either 'use credential' script command....or install as the System account, depending on what needs to be done.
This works for Flash, Reader, Shockwave, Java etc. Sorry..we refuse to deploy any Apple software as it's not business related....so I haven't tried. Perhaps check out appdeploy.com for some tips?
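The `net localgroup` approach from the replies above, written out as an added example (not any poster's or Kaseya's code): it resolves the console user, grants membership only if the account was not already an administrator, and schedules its own revocation, rolling the grant back if the scheduling fails. The task name, the default window and the English group name are assumptions.

```powershell
# Added example, not from the thread. Run elevated, e.g. as SYSTEM from the agent.
# Assumes an English OS where the local group is named "Administrators".
param([int]$Minutes = 30)          # hypothetical default window

$group = 'Administrators'
$task  = 'Revoke-TempAdmin'        # hypothetical task name

function Test-GroupMember([string]$Account) {
    # net.exe prints local accounts without the COMPUTERNAME\ prefix
    $short = $Account -replace ('^' + [regex]::Escape($env:COMPUTERNAME) + '\\'), ''
    $lines = & net.exe localgroup $group
    return [bool]($lines | Where-Object { $_.Trim() -ieq $short })
}

# DOMAIN\username of the console session; empty when nobody is logged on there
$account = (Get-WmiObject -Class Win32_ComputerSystem).UserName
if (-not $account)        { Write-Error 'No console user is logged on.'; exit 1 }
if ($account -match '\s') { Write-Error 'Account name contains whitespace; refusing.'; exit 1 }

if (Test-GroupMember $account) {
    # Was an administrator before this run: never schedule a removal for it
    Write-Output "$account is already in $group; nothing changed."
    exit 0
}

# Clamp the expiry to today so the one-time task cannot land on a past time
$now  = Get-Date
$when = $now.AddMinutes($Minutes)
if ($when.Date -ne $now.Date) { $when = $now.Date.AddHours(23).AddMinutes(59) }
if ($when -lt $now.AddMinutes(2)) { Write-Error 'Expiry too close to now; refusing.'; exit 1 }
$startTime = $when.ToString('HH\:mm')   # 24-hour clock, literal colon

& net.exe localgroup $group /Add $account | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Error "Grant failed (exit $LASTEXITCODE)."; exit 1 }

# Schedule the revocation as SYSTEM; if that fails, revoke right away
$revoke = "net.exe localgroup $group /Delete $account"
& schtasks.exe /Create /F /TN $task /RU SYSTEM /SC ONCE /ST $startTime /TR $revoke | Out-Null
if ($LASTEXITCODE -ne 0) {
    & net.exe localgroup $group /Delete $account | Out-Null
    Write-Error 'Could not schedule revocation; grant rolled back.'
    exit 1
}
Write-Output "$account added to $group until $startTime."
```

Group membership is read into the user's token at logon, so both the grant and the scheduled revocation take effect for the user only at their next logon.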