In the rare instance where we have an app that needs admin rights to install but must also add keys for the logged in user, we use Privilege Guard from Avecto (now, Privilege Guard is a component of the DefendPoint suite, but it was standalone when we bought it).
I will tell SCCM to install the app as logged in user, and I will create a rule in Privilege Guard / DefendPoint to elevate the app's installer. The result is that the installer gets access to write to both HKCU and HKLM.

Kenneth Merenda

From: [email protected] [mailto:[email protected]] On Behalf Of Beardsley, James
Sent: Tuesday, July 28, 2015 11:40 AM
To: [email protected]
Subject: [mssms] Removing admin rights for users

I remember reading some of you saying your users do not have admin rights. We are about to start down that road and one of the concerns I have is for application deployment. Most apps can be installed as an administrator so those aren't of any concern but we have several small accounting apps that write to the user profile when installed and I'm wondering how others have handled apps like these. When something is installed as an administrator (which is the local system account, right?), does that still allow licensing info or other files to be written to the users' %appdata%, %localappdata%, or to HKCU? Have you run into any issues deploying software while users are not local admin? It's yet to be determined what rights we'll be giving them (power user vs standard user). I'd be interested in how you have your users set up and how that affects app deployment.

Thanks,

James Beardsley | Firm Technology Group
Dixon Hughes Goodman LLP
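
One way to check which context an installer actually ran in, and whether that context can reach both the per-user and per-machine registry hives discussed in this thread. This is an added example, not part of the original messages; the function names and the scratch key `ZZ-ContextProbe` are hypothetical, and the script is meant to be run once from an "install as user" deployment and once from an "install as system" deployment so the two results can be compared.

```powershell
# Added example (not from the thread). Reports who the process is running as,
# which hive backs HKCU for that account, and whether HKCU and HKLM are writable.

function Get-InstallContext {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        Account      = $id.Name
        Sid          = $id.User.Value
        IsSystem     = $id.IsSystem                     # true for LocalSystem (S-1-5-18)
        IsElevated   = $principal.IsInRole($adminRole)  # false for a filtered/standard token
        # HKCU is a per-process alias for the hive of the account the process runs as.
        # For LocalSystem that is HKEY_USERS\S-1-5-18, not the logged-in user's hive.
        HkcuBackedBy = "HKEY_USERS\$($id.User.Value)"
        AppData      = $env:APPDATA
        LocalAppData = $env:LOCALAPPDATA
    }
}

function Test-HiveWrite {
    param([Parameter(Mandatory)][string]$Root)          # 'HKCU:' or 'HKLM:'

    # Hypothetical scratch key: created and removed again, nothing is left behind.
    $path = Join-Path $Root 'Software\ZZ-ContextProbe'
    try {
        New-Item    -Path $path -Force -ErrorAction Stop | Out-Null
        Remove-Item -Path $path -Force -ErrorAction Stop
        $true
    } catch {
        $false                                          # access denied or hive unavailable
    }
}

$ctx = Get-InstallContext
$ctx | Add-Member -NotePropertyName CanWriteHKCU -NotePropertyValue (Test-HiveWrite 'HKCU:')
$ctx | Add-Member -NotePropertyName CanWriteHKLM -NotePropertyValue (Test-HiveWrite 'HKLM:')
$ctx | Format-List
```

An installer that needs both hives for the logged-in user should show that user's SID in `HkcuBackedBy` with both write checks true; a result of `S-1-5-18` means the per-user data landed in the system account's profile instead.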
