Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Installations on WinNT/2K

1 view
Skip to first unread message

Derek Paterson

unread,
Nov 21, 2001, 6:58:13 AM11/21/01
to
I am looking into how software is installed on NT/2K on networks where the
user of the PC does not have admin rights on the local machine.

How do companies writing software get updates (eg virus updates/ OS patches)
to install on these networked PCs without the requirement that an IT person
is available to install every update/patch that appears. Where virus
software may need to be patched every other week how is this possible?

Is it possible to change the permissions of keys on Registry HKLocal Machine
that means the current user has update rights to it. The problem with
putting registry keys for the software into HKCurrentUser is that after the
IT person (logged in as Administrator) has installed and configured a piece
of software this is all lost when the user logs on as he does not have these
keys in his HKCU registry.

Is the answer to continue to use ini files???

Any info/help appreciated.

Derek

Ken Hagan

unread,
Nov 22, 2001, 5:49:11 AM11/22/01
to

<derek.p...@removethisbit.ukonline.co.uk> wrote...

> I am looking into how software is installed on NT/2K on networks where the
> user of the PC does not have admin rights on the local machine.
>
> How do companies writing software get updates (eg virus updates/ OS
patches)
> to install on these networked PCs without the requirement that an IT
person
> is available to install every update/patch that appears. Where virus
> software may need to be patched every other week how is this possible?

Anti-virus software probably already includes some portions that
run as a service, and so they can perform updates, regardless of
who is logged in. For ordinary software, it just isn't possible.

> Is it possible to change the permissions of keys on Registry HKLocal
Machine
> that means the current user has update rights to it.

Yes, but it is an obvious weakening of the computer's security.

> The problem with putting registry keys for the software into
> HKCurrentUser is that after the IT person (logged in as Administrator) has
installed and configured a piece
> of software this is all lost when the user logs on as he does not have
these
> keys in his HKCU registry.

Indeed. Rather more to the point, if the software includes COM
components, then (under NT4 at least) you simply have to register
them under HKLM.

> Is the answer to continue to use ini files???

No, since these are subject to the same limitations. If they live
in the user's app-data directory then they are per-user, and if
they live in C:\WINDOWS (ick!) then they are no better than having
modifiable parts of HKLM.

On the other hand, MS do now recommend a return to INI files for
most per-user customisations, since they hve learned the hard way
that the registry doesn't scale well to several thousand users.


ch...@nospam.com

unread,
Nov 22, 2001, 11:36:43 PM11/22/01
to


In most cases, large companies don't want the end user installing
software or patches. Most antivirus software doesn't require the uer
to have admin rights to update the definition files since it runs as a
service under the system account.

In our case, we user the Symantec Corporate antivirus which has a
server push any definition updates out to all the clients daily.

As for OS and software patches, the IT person has to figure out how to
push updates to client as needed. Using the scheduler and a batch
file works well. For example, write a script which copies the patch
file to the temp directory on each client and then schedules it to run
at a specific time. Most MS patches can be run silently with no user
input by adding the appropraite switch to the command line. Perhaps
another script to verify the installaion later.

Oh, you'll also be amazed to find out just how lax those registry key
permissions are. Most of the sw keys are writeable for all users.


-Chris

Derek Paterson

unread,
Nov 26, 2001, 11:24:31 AM11/26/01
to
Thanks.

Think I'm going with Admin rights required for first installation which will
then wipe out registry security for our keys so that subsequent updates can
go unhindered. Can't see why we need to protect our own custom keys from
our own users.

Derek

"Ken Hagan" <K.H...@thermoteknix.co.uk> wrote in message
news:1006426091.14390....@news.demon.co.uk...

0 new messages