I recently started working as a senior sys admin at a small company, and I've been tasked with removing local admin access for users on their devices. I'm facing a challenge with a specific application that requires admin access for updates that occur 1-2 times a week. The users say this app can't function without these updates. I attempted to give the necessary permissions on the application files within the program files (x86) directory, but that didn't help. I also tried using process monitor to track its activities, but I struggled to interpret the results.
Complicating matters, many of our users are non-technical and won't always be connected to the domain, making solutions like LAPS potentially ineffective long-term. The general sentiment seems to be that they want minimal interference while trying to do their jobs. I'm considering granting them power user access until we can transition to using Intune for better management. Has anyone dealt with a similar scenario and can offer some suggestions?
5 Answers
If you've already granted permissions to the necessary files and registry locations, you might want to explore using an Application Compatibility Toolkit (ACT) shim. This can prevent the UAC prompts from occurring, although it might not be perfect if the app's code is hard-coded to trigger UAC.
You can use Process Monitor to check which paths and registry keys the app modifies during updates. There are some great tutorials out there to help with that.
I swear by AutoElevate—it’s truly saved my team from headaches like this. It’s an investment but totally worth it!
I've been in a similar situation before. I reached out directly to the software vendor, who informed me about their enterprise installer option. Deploying that via GPO instead of sticking to the standard installer worked wonders!
That sounds like a good approach! I’m not usually impressed with vendor support, but it might be worth a shot in this case. Thanks!
I had a similar issue and the vendor provided a registry tweak that allowed updates without requiring admin access. Sometimes it's worth just asking them!
Have you thought about using AdminByRequest? You can whitelist the app or update tool, and it’s a straightforward, easy setup while you move toward Intune administration. It could really smooth things over for now.
That sounds interesting! I’ll definitely consider checking it out.
Consider using AutoElevate or another Privileged Access Management (PAM) solution. They’re designed to handle these exact types of situations where users need access without full admin rights. Just make sure you’ve already contacted the vendor for their insights.
Haha, so true! Vendors definitely know their applications better than we do!
I’ve found it to be one of the best tools out there for these types of scenarios.
I think I might not have granted it all the needed permissions. What tools do you recommend to audit permission requests effectively?