Q. How can I let non-administrators install software on their machines?

John Savill

February 13, 2011

1 Min Read
ITPro Today logo in a gray background | ITPro Today

A. Changes in the way Windows Vista (and more so with Windows 7) were designed compared to earlier versions have led many organizations to stop letting their users be local administrators. It just isn't necessary for your users to be administrators, and having all your users as local administrators of their machines increases the risk of malware and instability on the machine.

One frequent request is to allow non-administrators to install software on their machines. However, in many ways this goes against having users with limited privileges, because installing software is one of the key reasons computers become unstable and subjected to malware.

The best way to let users install corporate software is to use Group Policy, System Center Configuration Manager, or Microsoft Application Virtualization, which can deploy software as a trusted install. Another option is to use UAC for an administrator to provide over-the-shoulder elevation to install the software.

You can configure the system to always install with elevated permissions using the HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsInstallerAlwaysInstallElevated registry value (it can also be set under HKEY_CURRENT_USER), but this isn't recommended because you incur extra risks if application installs run as system, with the access to system areas that permission brings. See this Microsoft site for more detail on this setting.

About the Author

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like