On Thu, Apr 2, 2009 at 8:56 AM, <[email protected]> wrote: > Note that this would not be an actual person using the desktop systems but > rather would be a "user" scripted in an install procedure. This user would > then be disabled once the installs are completed.
Does the software have to be installed as a particular user for some reason? If so, what's the reason? I'll second Carl Houseman's suggestion of using a computer start-up script for this. The start-up script runs under the privileges of the machine account[1]. The machine account has full system privileges to the local computer, and is also a domain account, so it can access network resources if granted permission. We've got some applications which can't be installed via MSI -- only via an EXE installer. But the installer has command-line switches for an unattended install. So we make a batch file which calls the installer, and add that batch file as a start-up script in a GPO. We restrict the "Apply Group Policy" permission on that GPO to a security group, and then put machine accounts in the group. The actual installer is kept on a network share that's granted read permission for everyone, so machine accounts can read it. [1] Every domain member gets a machine account, which is basically just a user account. For domain FOO and computer BAR, the account would be "FOO\BAR$". -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
