Q. How can I let non-administrators install software on their machines?

A. Changes in the way Windows Vista (and more so with Windows 7) were designed compared to earlier versions have led many organizations to stop letting their users be local administrators. It just isn't necessary for your users to be administrators, and having all your users as local administrators of their machines increases the risk of malware and instability on the machine.

One frequent request is to allow non-administrators to install software on their machines. However, in many ways this goes against having users with limited privileges, because installing software is one of the key reasons computers become unstable and subjected to malware.

The best way to let users install corporate software is to use Group Policy, System Center Configuration Manager, or Microsoft Application Virtualization, which can deploy software as a trusted install. Another option is to use UAC for an administrator to provide over-the-shoulder elevation to install the software.

You can configure the system to always install with elevated permissions using the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated registry value (it can also be set under HKEY_CURRENT_USER), but this isn't recommended because you incur extra risks if application installs run as system, with the access to system areas that permission brings. See this Microsoft site for more detail on this setting.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.