none
Allowing a standard user to install programs

    Question

  • I am my own administrator for Windows 10 at home. I am responsible for three computers. I have the built-in Admin account enabled for all three. Is there a way to allow standard users to install and update programs without having to switch to the Admin account. I could make my normal logon be the admin but then Windows will not allow me to do certain tasks like open Edge or some other mundane things I tinker around with on a normal. If I had known about these issues before upgrading to 10, I never would have done it, but now I'm deep in with no chance of going back to windows 7 I might as well try and figure this one out.

    At my job, the Admin has given us (Mechanics) the ability to install stuff needed for our jobs so I know it's possible. He just isn't that forthcoming with the info on how it was done.

    Saturday, October 29, 2016 5:02 PM

Answers

  • Hi
     
    Am 29.10.2016 um 19:02 schrieb Tinker0000:
    > [...] Is there a way to allow standard users to install and update
    > programs without having to switch to the Admin account.
     
    No, because it´s depending on the software, WHERE you need write
    permissions.
     
    - you can extract a zip in .\Documents and run a program in a user
    context. Is this Softwareinstallation?
     
    - sometime the installer does not use MSI as a technic and you can
    change the .\Programfiles folder to .\Documents, where a user can write
     
    - but sometime, the installers is directly recognized and needs elevation
     
    - sometime, the software integrates a services
     
    - or a driver
     
    ... No, it is not possible. Softwareinstallation is a Admin Task.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Sunday, October 30, 2016 8:49 AM
  • Hi

    You can install Access Director. It's a freeware program the allows a non-admin user, to get elevated rights as a local admin for 2 minutes, within these 2 minutes the user would be able to install software or other tasks that require administrative priviledges

    http://nolightpeople.com/page/access-director-for-windows

    When the 2 minutes has passed, the user is automitically "demoted" to a regular non-admin user

    Sunday, October 30, 2016 6:38 PM

All replies

  • Hi
     
    Am 29.10.2016 um 19:02 schrieb Tinker0000:
    > [...] Is there a way to allow standard users to install and update
    > programs without having to switch to the Admin account.
     
    No, because it´s depending on the software, WHERE you need write
    permissions.
     
    - you can extract a zip in .\Documents and run a program in a user
    context. Is this Softwareinstallation?
     
    - sometime the installer does not use MSI as a technic and you can
    change the .\Programfiles folder to .\Documents, where a user can write
     
    - but sometime, the installers is directly recognized and needs elevation
     
    - sometime, the software integrates a services
     
    - or a driver
     
    ... No, it is not possible. Softwareinstallation is a Admin Task.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Sunday, October 30, 2016 8:49 AM
  • Hi

    You can install Access Director. It's a freeware program the allows a non-admin user, to get elevated rights as a local admin for 2 minutes, within these 2 minutes the user would be able to install software or other tasks that require administrative priviledges

    http://nolightpeople.com/page/access-director-for-windows

    When the 2 minutes has passed, the user is automitically "demoted" to a regular non-admin user

    Sunday, October 30, 2016 6:38 PM
  • Hi,
     
    Am 30.10.2016 um 19:38 schrieb Kasper Johansen:
    > You can install Access Director.
     
    Where is the benefit and difference compared to UAC?
     
    It elevates the user account? Or does is provide a "runas" scenario?
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Sunday, October 30, 2016 7:36 PM
  • Hi

    Access Director adds the user to the local administrators group for 2 minutes. During these 2 minutes it makes use of UAC and prompts for a username and password when elevated priviledges are needed.

    When the 2 minutes are up, the user is removed from the local administrators group.

    Sunday, October 30, 2016 8:03 PM
  • Hi,

    As mentioned above, if you want a standard user to install software, the account need local administrator permission.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, October 31, 2016 3:03 AM
    Moderator
  • Hi,
     
    Am 30.10.2016 um 21:03 schrieb Kasper Johansen:
    > Access Director adds the user to the local administrators group for 2
    > minutes. During these 2 minutes it makes use of UAC and prompts for a
    > username and password when elevated priviledges are needed.
    > When the 2 minutes are up, the user is removed from the local
    > administrators group.
     
    ok, thanks for explanation, so the benefit is the 2 minute timerange,
    when opening an elevated CMD, it will be downgraded in 2 minutes.
     
    Interesting. Thanks.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Monday, October 31, 2016 10:46 AM
  • Hi

    No, everything opened with elevated rights will continue to run with elevated rights until terminated.

    Monday, October 31, 2016 10:53 AM
  • Am 31.10.2016 um 11:53 schrieb Kasper Johansen:
    > No, everything opened with elevated rights will continue to run with
    > elevated rights until terminated.
     
    Sorry, I do not get the benefit.
     
    UAC:
    The User is member of Administrators group. The user runs all programs
    with userrights. Only, when elevates, he get the access token with
    Adminrights. He can use this elevation to do all things he want, until
    termination.
    To get elevated rights, I can configure UAC to "click ok" on secure
    desktop, or type in cfredentials again on secure desktop to have more
    security, instead of auto-elevation or prompt directly on desktop.
     
    Acces director:
    It adds the users to Admins for the next 2 minutes. It starts the
    program with adminrights until termination. The result to me is the same.
    I get elevation at time I need it. That can be provided by both technics.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Monday, October 31, 2016 12:09 PM
  • Hi

    The benefit from my point of view is that you are only a member of the local administrators group when you need local admin rights.

    Access Director does not start the program with admin rights. Access Director uses UAC to elevate the users priviledges, the user would then have to type in the username and password in the UAC prompt.

    In my opinion it is more secure to logon on as user that is not a member of the local admins group at all and then use Access Director when I need to do some administrative tasks.

    Monday, October 31, 2016 12:18 PM
  • Hi,
     
    Am 31.10.2016 um 13:18 schrieb Kasper Johansen:
    > The benefit from my point of view is that you are only a member of
    > the local administrators group when you need local admin rights.
     
    Same does UAC. UAC creates two accesstokens at login time. One with SID
    of Administrators group, one without. The elevation changes between them.
     
    > [...] the user would then have to type in the username and password
    > in the UAC prompt.
     
    So does UAC:
    User Account Control: Behavior of the elevation prompt for
    administrators in Admin Approval Mode
    -> "Prompt for credentials on the secure desktop"
     
    We should ask the developer :-)
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Monday, October 31, 2016 1:40 PM
  • With MSI packages, an admin can advertise and publish them so they can be installed by mere-mortals without the need for admin rights.

    Windows Installer Advertisement

    Regards,

    Tuesday, November 01, 2016 2:20 PM