In most corporate IT environments users are not given Administrative Privileges on their work computers. This can lead to frustration on the part of the IT by having the need to run around and enter administrative credentials for users so that they can update certain software packages. While there are solutions for software deployment, like publishing applications in Programs and Features, or going as far as using a larger scale system like SCCM. These deployment methods can often be complicated to configure, and just as cumbersome as physically going to someone's desk and entering the admin credentials.
There is another solution that can be implemented, via GPO or at the time of image creation which can "trick" applications into thinking that users are actually administrators, therefore allowing them to update software on their own, w/o needing to involve IT staffers. Which is simply giving users "admin rights" to specific folders and registry keys.
In this post I'll explain how this can be down with Skype via a GPO.
You will be creating a GPO (Group Policy Object) to modify a Folder's (and sub-folders and file's) Security settings:
Create the new GPO and edit its properties and navigate here:
Computer Configuration > Windows Settings > Security Settings > File System
Right-click, and select add file, and then browse to the folder whose security setting's you want to modify
Select the folder and click OK
A security dialog box will appear, modify the security settings as desired.
Select "Replace existing permissions on all subfolders and files with inheritable permissions" (usually the case), and click OK
Your new Security entry should now display in the GP Dialog Box:
Why is this important?
In a sense what we have done here is given the Authenticated Users group full read/write access to this folder. Many times this is enough to "trick" the application into thinking that the normal user is actually an administrator. Therefore they will be able to update this certain application on their own without needing IT support intervention.
Note: (Not in the case of Skype), but some applications will have registry entries in HKLM>Software. In this case you may need to modify the ACL on the Registry Key for that application in order for it to "believe" that the user has administrative privileges on the machine.
So let's apply the GPO to some machines in a Test OU...
Before:
Let's run gpupdate /force
After:
Let's look at an individual file's security properties inside of the Skype for Desktop Folder:
We see that the security settings have "trickled down" to sub-folders and files. Users should now able to Update Skype without needing Admin Credentials or the assistance of the IT Support staff.
No comments:
Post a Comment