Allow users to start setups with limited admin rights and monitor which software they install

By | July 22, 2018

Ever had the problem that a user needs to install software for a home printer or a freeware tool for work but can’t because of missing admin rights? Providing a package in SCCM is an option, but single-user installations are usually not worth the effort. Giving the user full admin rights is not a good solution either in most cases. The third option is a manual installation by a help desk agent or field supporter, but then it is hard to control centrally what has been installed and for which purpose. If the software breaks other components, you may have to go through a time-consuming troubleshooting process.

Controlled Install is a tool that gives the user enhanced permissions while allowing central monitoring of what he has been doing with them. It also gives you the option to set restrictions: you can black-list applications by executable or by search string in the properties. The solution only works in conjunction with SCCM or similar deployment solutions: it needs to be launched in system context or with the permissions of a deployment account that has local admin rights. The user will be able to pick an installation from the local machine and run it. Administrators are able to track what has been installed.

Controlled Install imposes some natural limitations on the user:

  • Opening a command prompt or the Microsoft Management Console is not possible when running the tool in system context. Therefore, the user can’t directly access management tools on the workstation.
  • Accessing the internet requires the user to start C:\Program Files\Internet Explorer\iexplore.exe and to authenticate in case of connections over the proxy. If the user wants to install software from the internet, he/she should download it first and call Controlled Install to launch the installation from the local hard disk.
  • Installations that require access to the internet (e.g. to check license information) may fail.















You may have the objection that users can abuse the tool to gain full admin rights on their machine. Although this is not easy, it is not impossible. It is therefore recommended to frequently check what the tool was used for (see below for options). If you are monitoring who has local admin permissions, you should be able to track such cases. You should also make clear in the displayed text that users are responsible for license compliance of any software that they install and that the usage of the tool will be monitored (see the example below).
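One way to do the local admin monitoring mentioned above is to compare the local Administrators group against an approved baseline on each machine. The script below is an added example, not part of Controlled Install or its documentation; the baseline (built-in Administrator, Domain Admins, and the placeholder account `CONTOSO\svc-deploy`) and the report path are assumptions to adapt.

```powershell
# Added example (not part of Controlled Install): report unexpected local administrators.
# Assumed baseline: built-in Administrator (RID 500) and Domain Admins (RID 512),
# plus names you list yourself. 'CONTOSO\svc-deploy' is a constructed placeholder.
[CmdletBinding()]
param(
    [string[]]$ApprovedSidPatterns = @('^S-1-5-21-[\d-]+-500$', '^S-1-5-21-[\d-]+-512$'),
    [string[]]$ApprovedNames = @('CONTOSO\svc-deploy'),
    [string]$ReportPath = "$env:ProgramData\LocalAdminAudit\$env:COMPUTERNAME.csv"
)

function Test-Approved {
    param($Member)
    # Approved either by exact account name or by a well-known SID pattern.
    if ($ApprovedNames -contains $Member.Name) { return $true }
    foreach ($pattern in $ApprovedSidPatterns) {
        if ($Member.SID.Value -match $pattern) { return $true }
    }
    return $false
}

try {
    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup works regardless of the OS display language.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
}
catch {
    # Enumeration can fail (for example on orphaned entries); report that
    # as its own state instead of silently treating the machine as clean.
    Write-Error "Could not enumerate local Administrators: $($_.Exception.Message)"
    exit 2
}

$unexpected = @($members | Where-Object { -not (Test-Approved $_) } |
    Select-Object @{n='Computer';e={$env:COMPUTERNAME}},
                  @{n='CheckedUtc';e={(Get-Date).ToUniversalTime().ToString('s')}},
                  Name, @{n='SID';e={$_.SID.Value}}, ObjectClass, PrincipalSource)

if ($unexpected.Count -gt 0) {
    # Keep a per-machine history so repeated findings can be correlated later.
    New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
    $unexpected | Export-Csv -Path $ReportPath -NoTypeInformation -Append
    $unexpected | Format-Table -AutoSize
    exit 1   # non-zero exit lets the deployment tool or scheduler flag the machine
}
Write-Output 'Local Administrators group matches the approved baseline.'
exit 0
```

Run it on a schedule with local admin rights and alert on exit code 1 (unexpected member) or 2 (enumeration failed).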















Finally, I would like to mention that the tool can also be used to test how installations behave when being called by SCCM in system context. As you probably know, it can make a difference whether you call a setup in user context or system context, or whether you launch a script manually or through the SCCM agent, which runs in 32-bit context. Everything may work fine if you call the setup with local admin rights, but as soon as SCCM installs it the behavior may be different. Assigning Controlled Install to your test machine will help you to find this out during the packaging process.

The tool itself has been compiled with Visual Studio 2017 with all required DLLs included and will therefore run on any Windows OS (no prereqs to consider). It will be updated and extended in the future but it will of course not check for updates or make any connections to the internet for other reasons.

The download contains detailed technical documentation of the parameters that you can use. As always, any feedback is welcome.


