We frequently need to install application patches/updates, OS patches/updates, new fonts, or new applications to many or all machines. This just doesn't work as it sometimes takes a few days for each round due to scheduling conflicts. Example: today several people needed to connect to a Microsoft Webinar and needed the Webinar client installed -- three minutes before the Webinar was to begin.
Although some of the items can be installed using "Run As" (Administrator), not all can and that still requires hands-on access to each machine which is time intensive. We are a smaller shop than many, but we are frequently running into similar problems since we have to either log the user out and log in as Admin on each system to do the install or we have to give the user Admin permissions on each machine, do the install, then remove the permissions. Neither method is efficient and leaves room for error (forgetting to remove the Admin level permissions).
What is the best way to deploy such updates/installations/system changes from a Windows 2000 Server (or a XP Client w/domain admin privileges) without having to visit each machine manually or set/reset local system permissions?
There are a couple of ways to do this. One is to use Microsoft Systems Management Server in an administrative context to deploy the applications or patches in question. Another possibility, which is a little riskier, is to use the Windows Installer system policy "Always install with elevated privileges," although this will only work for apps that use .MSI packages or Windows Installer technology. Similarly, setting the policy "Enable user to use media source while elevated" allows users without administrator rights to install programs from a CD, but this is also risky. Using SMS may be the best choice here.
This was first published in December 2003