Adobe Flash, Acrobat Reader, and Java updater rights

awesomo

Does anyone have an elegant way to allow standard users on Windows 7 to update Adobe Flash, Acrobat Reader, and Java? Right now, most of my Windows 7 users were laptops and I gave them all local admin rights. I have also turned off UAC on some computers. I am looking for a way to push out a script or something to allow an entire domain of Windows 7 computers to allow those updates to run. Prepackaging and pushing them out is out of the question; I have too many networks I manage to be dealing with any manual crap.
 
Are you on a domain? Have you considered having a batch file run at login? I believe you can do a silent install on Flash and I've seen Java updates update pretty quickly.
 
You could change the process they update to an admin account to run for just those.

If you're on a domain you can use a GPO to allow access to them to run.

Why is pushing them out out of the question? Again, use GPO and such to push out updates and programs.
 
> You could change the process they update to an admin account to run for just those.
>
> If you're on a domain you can use a GPO to allow access to them to run.
>
> Why is pushing them out out of the question? Again, use GPO and such to push out updates and programs.

As far as I know, there is no way in group policy to specify certain programs to run with admin rights; the last thing I read from Microsoft said I would require a privileged manager by a third party. What GPO are you referring to?

Pushing is out of the question. I am not manually logging into a potential few dozen networks (when everyone upgrades to 7 eventually), uploading package files, and pushing them out every time any one of those apps update.
 
I'm going to stick around this thread. I'd like to hear what the solution is. It'd be great to give my endusers the ability to update just those 3 apps because they are constantly pinging me for updates.
 
Manually ya, it is a pain. I was thinking if the updates can be pushed out via GPO if they have an MSI installer variant.
 
So far, it looks like the smaller offices will get local admin rights, and the bigger offices will pay for patching software. If I or anyone stumbles across an automatic, safer (and cheaper) way to do this, post it. Shame on Microsoft, this is a huge problem. And shame on Adobe and Oracle for making their software so popular that it is on every pc, then not giving a shit about how easy it is to update.
 
Pretty sure you can find .msi versions of reader and java. Then all you have to do is make a software deployment GPO and tell it to upgrade or replace the currently installed version.
 
Is there a way to automate it though? The premise is I have dozens of potential networks to deal with when they upgrade to Windows 7, and at the rate these updates come out, I am not doing anything by hand.
 
This is a very roundabout idea, but if you have a lot of systems that are used by a variety of people or if they don't have a lot of personal preferences you could deploy images on a nightly or weekly basis. Then you would remake one image and deploy it to the rest of the machines. There are other benefits from this as well; it keeps systems consistent, but it depends how much users use and change their individual system.

A lot of schools use Faronics DeepFreeze on lab and multi user systems, which goes one step further and keeps the system from writing any changes to the hard drive, hence the freeze/thaw nomenclature. Someone could erase half your files and install ten video games and when you reboot everything is back to where you started. Problems with malware become virtually non-existent. Really reminds you of The IT Crowd's "Hello IT, did you try turning it off and on again?"

Like I said, very roundabout, but I thought I'd throw it out there.
 
Still floats around the premise that you have one network with many of the same computers. As opposed to many networks with many different computers. And remaking an image for each kind of pc every week would be a great way to keep everything under wraps.
 
Closest "ready made" solution you are going to find is to use an RMM tool like Kaseya and couple that with Ninite.

The Kaseya agent on the end user's computer runs under the "SYSTEM" account and thus a script written to run the Ninite tool will, in effect, have full permission to install or update any software that Ninite is programmed to deploy (including Flash, Reader, Java, etc.).
 
You can use PowerShell to copy and run the installer on the remote machines with your own credentials. It's how we update Flash and Java (but not Reader since newer versions break stuff).
 
Well, depending on the size of your network and the design, you could look into MS Configuration Manager 2007. You can package and deploy almost anything, as well as update MS patches.
 
> You can use PowerShell to copy and run the installer on the remote machines with your own credentials. It's how we update Flash and Java (but not Reader since newer versions break stuff).

Now, that would still require pushing some sort of package to execute the install on, but you gave me an idea. I will post back in a few days when I get a chance to try it out.
 
> Now, that would still require pushing some sort of package to execute the install on, but you gave me an idea. I will post back in a few days when I get a chance to try it out.

Yeah, but the install for Flash is so small it's no big deal. I do a couple hundred at once and it's a breeze with Flash; Java takes a little longer because of its size.
 
> Yeah, but the install for Flash is so small it's no big deal. I do a couple hundred at once and it's a breeze with Flash; Java takes a little longer because of its size.

Everyone seems to be missing the point. Does anyone read beyond the title in forums anymore? My issue isn't managing an update for a single network. It is multiple companies, multiple networks, all different kinds of PCs. All of which I am not on full time as IT staff. I automate everything I can to reduce the number of trouble tickets so I can get on with bigger and better things than running around doing stupid shit like updates.
 
> Everyone seems to be missing the point. Does anyone read beyond the title in forums anymore? My issue isn't managing an update for a single network. It is multiple companies, multiple networks, all different kinds of PCs. All of which I am not on full time as IT staff. I automate everything I can to reduce the number of trouble tickets so I can get on with bigger and better things than running around doing stupid shit like updates.

Then have the script download the freaking file from the Adobe FTP site first and run it. No reason to get all dicky about it when people are offering suggestions.
 
I am not being a dick. I am just pissed getting the same answer over and over especially when I said in post one manually is out of the question. I would love a script to download it and push it which is why I made this thread, I do not have any idea how to automate downloading it, packaging it and pushing it, it is by no means simple.
 
> Everyone seems to be missing the point. Does anyone read beyond the title in forums anymore? My issue isn't managing an update for a single network. It is multiple companies, multiple networks, all different kinds of PCs. All of which I am not on full time as IT staff. I automate everything I can to reduce the number of trouble tickets so I can get on with bigger and better things than running around doing stupid shit like updates.

Not everyone missed the point.

We do MSP work and have solved the very issue you're talking about through the use of Kaseya and building our own "autoupdate" script. Our script runs weekly updating Flash, Reader, Java, Shockwave, etc.

> I am not being a dick. I am just pissed getting the same answer over and over especially when I said in post one manually is out of the question. I would love a script to download it and push it which is why I made this thread, I do not have any idea how to automate downloading it, packaging it and pushing it, it is by no means simple.

Rather than building your own script, you can simply use Kaseya (or another RMM tool like Labtech) with Ninite (as I pointed out earlier) to do the work for you.

If you don't want to be bothered with users calling you about updates, Ninite can turn off the autoupdate features of Reader, Java and Flash.
 
With the exception of you, I have already noted your solution and am referring to "almost" everyone giving me the same answer. Your solution is generally out of reach at smaller companies because they never will put up the money for patch management systems.
 
> Not everyone missed the point.
>
> We do MSP work and have solved the very issue you're talking about through the use of Kaseya and building our own "autoupdate" script. Our script runs weekly updating Flash, Reader, Java, Shockwave, etc.
>
> Rather than building your own script, you can simply use Kaseya (or another RMM tool like Labtech) with Ninite (as I pointed out earlier) to do the work for you.
>
> If you don't want to be bothered with users calling you about updates, Ninite can turn off the autoupdate features of Reader, Java and Flash.

Boy, I wish I could find a free RMM, because this sounds like a sexy fix, but the price of this stuff is not justified for 15 computers...

I hope you find an elegant solution... I don't have the volume you do, but even I get annoyed by the weekly emails from people saying that their Flash needs an update... and I'm still having to do manual installs. :(
 
> Manually ya, it is a pain. I was thinking if the updates can be pushed out via GPO if they have an MSI installer variant.

You can sign up for an account with Adobe (free) where you can download the full package in MSI format... I've been doing that with Adobe products. And similar with Java.
 
I see there is a registry entry you can push out to turn the updater off, but what about disabling the updater service?

These companies seem to ignore Enterprise needs.

*edit* Figured it out. Just shooting out a registry change that deletes the Java updater from the run at start list.
 
I thought I'd come back and update this thread because I finally found an amazing hands-off solution that works reliably.

Ninite Pro

Ever since they added support to look up domain computers, it has worked PERFECTLY. And with the command line switches, it is completely automated.
 
Java has really improved their support. The latest version of Java does not even install the updater stuff if you go through the MSI alone.
 
> The latest version of Java does not even install the updater stuff if you go through the MSI alone.

Is that particularly wise in your opinion?
The reason they are constantly patching their (shitty) software is because of exploits being, wait for it, exploited.

The amount of work to keep this stuff updated sucks, but IMHO, is necessary.
 
> Is that particularly wise in your opinion?
> The reason they are constantly patching their (shitty) software is because of exploits being, wait for it, exploited.
>
> The amount of work to keep this stuff updated sucks, but IMHO, is necessary.

Depending on your environment, yes. I don't make everyone in my environment Administrators, so they can't update anyways. Not having the update component removes the annoying "prompt to update but can't" that limited users get. This way, I am in control of the update process which as an admin is my job.
 
Yeah. It is an admin's job. But I have over 20 networks I look after. Ninite Pro is THE solution. Even if you were just updating a single network of computers, it is a gigantic time saver.
 
The prices on Ninite Pro are pretty steep imo. Sure it saves time, but for my one network I can't see paying that much.

I can't find it at the moment, but I remember seeing a post somewhere about writing a script to launch a regular Ninite updater and passing it credentials.
 
> The prices on Ninite Pro are pretty steep imo. Sure it saves time, but for my one network I can't see paying that much.
>
> I can't find it at the moment, but I remember seeing a post somewhere about writing a script to launch a regular Ninite updater and passing it credentials.

If $20 a month is steep for 100 computers, I'd change work establishments.

For what they charge for 1000 computers, I charge for under 2 hours of my time.
 
Turning UAC off is a horrible idea for 90%+ of all users... mostly because that one change disables IE protected mode. So unless you intend to remove IE from all those machines that you turned UAC off on... you just effectively turned on drive-by downloading. Enjoy your malware via IE à la XP style.
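
Added example, not written by any poster in this thread: a read-only PowerShell check for two settings discussed above, whether UAC has been switched off (the `EnableLUA` policy value) and whether vendor updater entries are still present in the machine-wide Run keys. The function name and the Run value names `SunJavaUpdateSched` and `Adobe ARM` are assumptions about typical installs; adjust them to what your machines actually show.

```powershell
# Added example: audits the local machine only and changes nothing.
function Get-UpdateHardeningState {
    # Assumed Run value names for the Java and Adobe Reader updaters.
    $updaterRunValues = @('SunJavaUpdateSched', 'Adobe ARM')

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )

    # EnableLUA = 0 means UAC is off, which also disables IE Protected Mode.
    # A missing value is treated as "UAC on" (the Windows 7 default is 1).
    $lua = (Get-ItemProperty -Path $policyKey -Name EnableLUA `
                -ErrorAction SilentlyContinue).EnableLUA

    # Collect any updater autorun entries that are still registered.
    $found = foreach ($key in $runKeys) {
        foreach ($name in $updaterRunValues) {
            if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
                "$key\$name"
            }
        }
    }

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        UacEnabled     = ($lua -ne 0)
        UpdaterAutorun = @($found)
    }
}

# Report for this machine; machines with UacEnabled = False need attention.
Get-UpdateHardeningState | Format-List ComputerName, UacEnabled, UpdaterAutorun
```

A machine that reports `UacEnabled : False` has lost IE Protected Mode as described above, and one with an empty `UpdaterAutorun` list depends entirely on centrally pushed updates.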


Solutions like Ninite Pro and Microsoft System Center work well. For flexibility and extra WSUS management we choose to use BatchPatch: http://batchpatch.com/
 