Install Software as Standard User

M

matty3021

New member
Local time
9:32 AM
Messages
1
I have a dilemma, I have searched the threads but not found something that matches my exact problem.

We are implementing Windows 7 and Bitlocker as encryption. While this works brilliantly, I am now worried that our offsite engineers if they are given Local admin rights, can disable bitlocker. They need to install software onto there machines and this cannot be taken away from them. Problem is company policy also states that they are not allowed to disable the encryption, which is where my dilemma lies.

I can lock down bitlocker through Grou Policy, but the offsite engineers are software developers so it wouldn't take them long to disable it if they do have local admins.

Is there anyway at all I can give them access to install software without Local admins?
 

My Computer

OS
Windows 7
Software engineers typically /require/ admin prives (local admin that is) to their machines as part of their work. Especially driver writers but even standard apps while test installing and uninstalling sometimes require "hand work" to remove mis installed items or undo the damage caused by bugs.

There really is no way around it.

You could do periodic checks on the systems remotely if needed to check of they have not messed with any setings and of course if they have once, warn, twice, fire...
 

My Computer

Computer Manufacturer/Model Number
Scratch built
OS
Windows 7 x64 Ultimate
CPU
i7 960
Motherboard
Asus P6X58D
Memory
12 Gig Corsair Dominator
Graphics Card(s)
Nvidia 480
Sound Card
Maudio Delta 44 + breakout box
Monitor(s) Displays
Dell UltraSharp U2410 24in and Samsung 21 dual monitors
Screen Resolution
1920x1200 and 1280x1024
Hard Drives
Primary: Intel X-25M G2 160G SSD
Secondary: Segate baracuda 1.0 TB
HDs in AHCI mode.
PSU
Corasair TX850
Case
Cooler Master HAF
Cooling
Corsair H50
Keyboard
Logitech G15 + N52 game pad
Mouse
Logitech MX518
Internet Speed
15kbs down 4.5kbps up
Other Info
WEI 7.6
CPU & RAM 7.6
Graphics 7.9
Hard disk 7.7
That's actually what we do - check Bitlocker periodically in the logon script (manage-bde.exe), and if it's been disabled we popup a custom HTA that the user MUST interact with (which will re-enable bitlocker on the next reboot) and we make a note on a network location. If the next reboot comes up and bitlocker is still disabled (and the PC is capable of bitlocker, of course) the user's network port is disabled. This forces them to call the helpdesk to re-enable the port, and then explain why they need bitlocker disabled (anyone with a really valid reason will be exempted, but those reasons are pretty rare).
 
Last edited:

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom
OS
Windows 10 Pro x64
CPU
Intel Core i7 4790K @ 4.5GHz
Motherboard
Asus Maximus Hero VII
Memory
32GB DDR3
Graphics Card(s)
Nvidia GeForce GTX970
Sound Card
Realtek HD Audio
Screen Resolution
1920x1200
Hard Drives
1x Samsung 250GB SSD
4x WD RE 2TB (RAIDZ)
PSU
Corsair AX760i
Case
Fractal Design Define R4
Cooling
Noctua NH-D15
Hy Carl, is it possible to get this script, we have still the same situation, but how you going to this with remote users, because I wouldn´t let them connect if Bitlocker is disabled, maybe you can gave me a hint or how I can handle that?

thx
Gerald

Austria isn´t Australia
 

My Computer

OS
Windows 7 Ulimate
You must log in or register to reply here.
Back
Top