I am looking at deploying version 2010sp3.1 on my users workstations. I created the deployment image and am getting ready to do the install.
Last time, some of my users, being administrator on their workstation, were able to do the install quickly by simply running the installation from the deployment. For the others, it took the IT department months to go through everybody and do the install one by one. You must know that for the most part, IT is outsourced, and that is, at time, source of much frustration and delays.
Given that I am the person responsible for CAD, I can generate the admin image, and recommend installation procedures.
So this time, I was thinking of using the Run as admin functionnality to do the install. I was certain that I could convince the director to approve it. However, After only a few minutes of testing, I realized that the method allowed any usr to very quickly get admin access to its workstation. That could de a serious security issue, and our security advisor would certainly not allow that.
If you want to know how the user can get admin access, it is simple. To install the software he has to have access to the admin image. He can copy it locally on its workstation and modify the script to run a program before the install that will open a shell on the workstation. The shell is running as admin and consequently from there he can do whatever he wants.
Of course, the solution would be to use the tools of our IT department to do the install automatically. However, with outsourcing, they probably need three months to get it ready, and test it. Then you have to start all over again for each service pack that you want to deploy.
Has anybody found a solution for this security issue ? A way to allow the user to do their own install without giving them an easy access to the admin passwords ?