Elevated Privileges for programs - best GPO utility?

cyclone3d

I've been doing some research trying to find out what the most cost effective way to deploy elevated privileges through GPO for certain programs, updaters, driver installs, etc. is.

I am looking for opinions from people who have actually set this type of thing up. Any pros/cons of certain packages will be very helpful.

Any pricing information for these will be helpful as well since almost all of them require you to make actual contact with the sales department to get pricing.. a VERY lame and underhanded thing to do. How do I know that they aren't just pulling a number out of their rear to see how high they can charge people?

I only found one so far that actually lists the price on their web page.

So far these are the things I have come up with that may do the job.

1. PowerBroker Desktop : http://www.beyondtrust.com/PBWD-Eval/
They have a "free" version.. but it may just be an Eval version - no pricing on their web site.

2. Script Logic Privilege Authority : http://www.scriptlogic.com/products/privilegeauthority/
They have a "community" edition which is free but is missing features that the "Pro" version has - $12 per seat for the "Pro" version. The "Pro" version can also be evaluated for 30 days.

3. Nanosoft Viewfinity : http://www.chinananosoft.com/manage/Privilege.html
No pricing on their web site.

4. Avecto Privilege Guard : http://www.avecto.com/
No pricing on their web site. I actually talked to a sales rep and found that it costs $30 per computer + $7 something per computer as a maintenance fee. That pricing is per year. They also make you jump through a whole bunch of hoops in order to even be able to try out their software... required webinar included.
 
So what does everybody else do when they have programs that require admin privileges to run or install?

Do you just find what registry keys and folders the programs need access to and give users full permissions to them? That is kinda the bad way to do it, especially if you have users who know just enough to screw things up all the time. Plus you have to make special policies for every program that is like this, and it seems like it won't work in some cases.

Things where I work that need admin privileges to run and/or update:
Solidworks
Flash
Java
Autocad - older version
 
I would think you just need to set a program limitation in your GPO; 3rd-party programs shouldn't be needed.

I myself am looking into this same thing as some things require admin rights, but I don't want to give full local admin rights.


http://technet.microsoft.com/en-us/library/cc737858(WS.10).aspx

http://support.microsoft.com/kb/259459

not sure if these are useful
http://community.spiceworks.com/topic/101478-software-restrictions-in-group-policy

User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies, you have two useful options.

Security Levels - Allows you to set access levels at a general level for all software based on users access rights.

Additional Rules - Specify access levels for specific software. This will allow you to give any individual program that needs elevated rights the option to run unrestricted, even if you've restricted the user in Security Levels as above.
 
I handle all the installations myself. I use wpkg to do them, although this requires that the software in question be scriptable.

There is no good way of doing this I'm afraid. But I will say this; no way in hell do my users get anything more than limited user rights on their local workstations.
 
I would think you just need to set a program limitation in your GPO; 3rd-party programs shouldn't be needed.

I myself am looking into this same thing as some things require admin rights, but I don't want to give full local admin rights.


http://technet.microsoft.com/en-us/library/cc737858(WS.10).aspx

http://support.microsoft.com/kb/259459

not sure if these are useful
http://community.spiceworks.com/topic/101478-software-restrictions-in-group-policy

Only problem is that you CANNOT elevate rights past the user's access rights. You only have the options of:
1. "disallowed" - software will not run
2. "basic" - software will run with non-admin rights even if the person is an admin
3. "unrestricted" - software will run at the user's rights level
 
I handle all the installations myself. I use wpkg to do them, although this requires that the software in question be scriptable.

There is no good way of doing this I'm afraid. But I will say this; no way in hell do my users get anything more than limited user rights on their local workstations.

For installations this might work at the smaller locations, but for corporate-wide it is not feasible.

We can push stuff out via group policy, and in hopefully the not too distant future we will be using Landesk for the software pushes.

But program access rights is a whole other can of worms as you cannot elevate certain programs through the regular group policy.

I am probably going to use ninite to update adobe reader, adobe flash, and Java, but that still requires admin privileges to run. It makes it a bit easier since I only have to worry about one program having elevated rights instead of 3 just to install updates for those.
http://ninite.com/

Solidworks and Autocad on the other hand will not work properly unless they are run with elevated rights. Because of this there are a few workstations that the primary user still has to have admin rights. It may be "fixable" by giving the users full access to certain folders and registry keys, but I really do not want to go that route as it leaves the whole system less secure.
 
Flash and Java make packages that you can download and just push via group policy that don't require admin rights. It's not the normal package, you need to look for the network redistributable one.
 
For installations this might work at the smaller locations, but for corporate-wide it is not feasible.
I have used it in a corporation of about 20,000 folks, works fine.

With WPKG, I scripted the install, tested tested tested then did the push. No issues. That's one admin handling the software load out for ~10,000 workstations, btw.

I would have preferred something like landesk, certainly, but wpkg will work fine assuming you understand its limitations.
 
Flash and Java make packages that you can download and just push via group policy that don't require admin rights. It's not the normal package, you need to look for the network redistributable one.

I know this, but then I have to manually download the new package every single time they release an update. With Flash having almost daily updates lately that is going to get kind of ridiculous.

edit: ninite always downloads and installs the latest version
 
I have used it in a corporation of about 20,000 folks, works fine.

With WPKG, I scripted the install, tested tested tested then did the push. No issues. That's one admin handling the software load out for ~10,000 workstations, btw.

I would have preferred something like landesk, certainly, but wpkg will work fine assuming you understand its limitations.

I don't have access to a lot of the software that the other locations use, some of which I wouldn't be able to even test because corporate will only allow it to be installed on users' workstations who are in certain groups... Yep, IT person locked out of being able to install/test software.. nice.

The installing of software is not my main concern anyway, it is with having to deal with programs that require elevated privileges to run.
 
The installing of software is not my main concern anyway, it is with having to deal with programs that require elevated privileges to run.
Ah. Well, for that I've just provided the necessary registry/file access via GPOs.
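
The trade-off raised in this thread (opening folders and registry keys to users so a program runs without admin rights, at the cost of a less secure system) can be checked after the fact. The following is an added example, not code from any poster: a PowerShell function that lists allow ACEs granting write-type rights to broad non-admin groups on the given folders or registry keys. The two paths in the usage line are hypothetical placeholders.

```powershell
# Added example (not from the thread): audit folders or registry keys that a GPO
# or installer has opened up so a legacy program runs without admin rights.

# Well-known SIDs covering ordinary users (locale-independent).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Access-mask bits that allow changing content, permissions or ownership:
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$CommonMask = 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# File/dir: WriteData, AppendData, WriteEA, DeleteChild, WriteAttributes.
$FileMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100
# Registry: SetValue, CreateSubKey, CreateLink.
$KeyMask = 0x2 -bor 0x4 -bor 0x20

function Get-UserWritableAce {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        $acl   = Get-Acl -LiteralPath $p
        $isKey = $acl -is [System.Security.AccessControl.RegistrySecurity]
        $mask  = $CommonMask -bor $(if ($isKey) { $KeyMask } else { $FileMask })
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }  # account could not be resolved; skip it
            $rights = if ($isKey) { $ace.RegistryRights } else { $ace.FileSystemRights }
            if ($BroadSids.ContainsKey($sid) -and ([int]$rights -band $mask)) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $BroadSids[$sid]
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Hypothetical placeholder paths; replace with the targets your GPO modifies.
Get-UserWritableAce -Path 'C:\Program Files\ExampleCAD', 'HKLM:\SOFTWARE\ExampleVendor' |
    Format-Table -AutoSize
```

The function reports allow entries as written in the ACL, not effective access, so a deny ACE or nested group membership can change the real outcome.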
 