Educause Security Discussion mailing list archives

Re: software installation

From: "Brian K. Dore'" <bkd () LOUISIANA EDU>
Date: Fri, 12 Mar 2004 14:14:28 -0600

I strongly recommend that you use separate accounts for general use and
administration. For general use we use domain user accounts and configure
them with permissions to domain servers, printers, etc. When someone has a
legitimate need to install software or maintain their own computer we create
a local user account on that machine that is a member of the local power
users (or sometimes administrator) groups. Those users can then use "run
as" or log in using their "maintenance" account when they need. Since
their local maintenance account doesn't have access to domain resources,
doesn't have their personal settings, e-mail, bookmarks, etc. it discourages
them from using it for anything other than system maintenance.

A great deal of software will only need write access to the Program Files
directory and the HKLM registry keys to install, so often the Power Users
group is all that most people need for their maintenance accounts. Software
that creates users or installs services like A/V programs, web servers,
personal firewalls, etc. usually require full administrative rights to
install, but in a domain environment you probably don't want them installing
things like this on their own.

Brian Dore
Office of Information Systems
University of Louisiana at Lafayette

We have made a very recent move towards implementing Active Directory and
have fairly effectively restricted what users can do on GC&SU clients. We
are now being bombarded by a vocal minority who feel that they have a bona
fide need to install software on their machine. Up to now we have been
unable to find a way to allow users to install their own software (i.e. test
banks, trial software, user-developed software) without administrative
rights. I am sure that some of you have encountered this as well and I'm
hoping that you have found a solution. Any assistance that you may provide
will certainly be appreciated.

Chad McDonald

Director of Campus Computer Support Services

Georgia College & State University

Milledgeville, Ga. 31061

Phone 478.445.4473

Fax 478.445.1202

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

Current thread:

software installation Chad McDonald (Mar 11)
- <Possible follow-ups>
- Re: software installation Michelle Mueller (Mar 11)
- Re: software installation Boles, Jeffrey B. (Mar 11)
- Re: software installation Brian K. Dore' (Mar 12)