UAC Authentication Prompt for app install on the domain: Can we default it to a local account instead of domain?
We are in the process of designing our Windows 7 deployment. I'm tasked with the local security part of it. Desktop users will be standard users with no install rights. But, management requires that laptop users have install rights. I don't want to make them all admins on the system. I have read many suggestions about having a local admin account for the user to use for installs. So, the user would have a "domain\user" standard account for their normal computer usage. Then, they would have a "computername\useradmin" to type in when UAC prompts for credentials. The problem is, on the domain, this prompt defaults to a domain account. To change this, the user would have to type "computername\useradmin" and then password every time. This is one thing that my manager has balked at. He says it would be too cumbersome to type. Users would have to go looking for their computer name. Is there a way to make Windows 7 default to asking for a local account? So, when logged into a domain account, they would only have to type "useradmin" and password?
September 1st, 2010 4:43pm

Hi, as a quick idea you could invoke the RunAs command in a batch to start the installation, i.e.

runas /user:%computername%\Administrator "path to installation file"

No time to test whether it works.

Best greetings from Germany
Olaf
September 1st, 2010 6:05pm

This is for the user, not the admins. For example, the user is traveling and needs to install something. I'm trying to make it secure, but easy for them. I'm pretty sure that if the user has to type the computer name, username, and password, management will tell us that we have to just give the user admin access on the laptops. Is there a way to do this?
September 8th, 2010 3:45pm

"This is for the user, not the admins."

runas /user:%computername%\Administrator "path to installation file"

And that is exactly what the command script is for; it's for allowing standard users to execute code running under the context of an admin. This command would have the security token updated so that it would be running under the Local Admin, effectively giving them the rights to perform the install, whereas with the standard account they cannot.

"I'm pretty sure that if the user has to type the computer name, username, and password, management will tell us that we have to just give the user admin access on the laptops"

Well, this is effectively what you're doing with a runas script anyway, except that it would be prepopulated with the local machine name and local admin account. The main thing they would be responsible for would be typing in a password, which is what I presume they already have to do to log on to the machine anyway, so it's really not that difficult.
September 8th, 2010 6:27pm

So, how would the user get the path to the installation file into the script? Would the user have to edit that? Would they have to do that with each install?
September 9th, 2010 4:15pm

"Is there a way to make Windows 7 default to asking for a local account? So, when logged into a domain account, they would only have to type "useradmin" and password?"

This is effectively what they're doing when they attempt to use RunAs Local Administrator on their laptops and it prompts for the password. This would make it both secure, in the sense that only they would be able to modify system settings with this elevated account, and easy, as it would only require them to remember one more password.

One easier option would be to get laptops which have a biometric finger scanner and set up the Standard user to use, say, the index finger, while the Local Admin would use the middle finger. That way, anytime they wanted to install the SW it would prompt and they could just swipe their finger. Of course, this procedure requires some documentation on how they would set this up, but it's fairly straightforward & quite secure, & I would say lower costs of support compared with having them recall their Local Admin password.

IMO, the issue is right here: "the user would have to type "computername\useradmin" and then password every time. This is one thing that my manager has balked at."

Humbly, I have to say that the user would have to key in the password, or swipe their finger, or what have you, each time to elevate as an admin anyway. Unless you're going to let them log on directly as local admins and circumvent some of the internal security already, this is the most practical option while making them log on using a Standard Account.
September 9th, 2010 7:27pm

The company already decided against biometric measures. So, the scanners are out of the question. Thanks for the suggestion, though. Typing in the user name and password is what I'm shooting for. But, no user has their computer name memorized. We use the service tags as computer names for tracking on the network. So, they would have to write it down off of the lid of the laptop and then type that before the user name every time they go to install SW or make a system change. My goal is just to avoid having to type the computer name. We've discussed just giving them 2 domain accounts. But, they aren't liking the fact that we would add work for the Support Center to manage these accounts.
September 9th, 2010 7:58pm

That's why I recommended the batch - the variable %COMPUTERNAME% returns the machine name, as you can test with the command

echo %computername%

Best greetings from Germany
Olaf
September 9th, 2010 8:23pm

"Typing in the user name and password is what I'm shooting for. But, no user has their computer name memorized."

Understood, but Olaf's runas script using %computername% would still work; at least test it out. Also, (assuming they're a Standard User) right-clicking the file they would like to install and specifying RunAs Administrator automatically defaults to the local machine's Local Admin account (not the domain), where all they would have to do is input the password for it to install.
September 9th, 2010 9:14pm

I would like to test out the script. I still don't understand the "path to installation" part though. Can you explain a little more for me? Let's say a user downloads a printer driver from HP for their home printer. Does the user have to edit the script before the install? I tested your second suggestion. Domain account. Standard user. I right clicked the installer and selected Run as admin. It's still defaulting to the domain.
September 9th, 2010 10:11pm

runas /user:%computername%\Administrator "C:\Software\users software.exe"

"Does the user have to edit the script before the install?"

Yes. The script Olaf mentioned would only be really practical if you're thinking about having multiple installs in succession, like for instance using msiexec.exe - http://support.microsoft.com/kb/314881

Otherwise, them performing one-off installs using a script is less practical, and you might as well have them just use the GUI, as they will have to key in the password anyway. If you're worried about them having to recall the whole computer name, instead just tell them to key in .\userid (.\administrator) and then the password. The .\ in Vista & 7 identifies the logon as local.

"Domain account. Standard user. I right clicked the installer and selected Run as admin. It's still defaulting to the domain."

Sorry, forgot you're in a domain; it would default to that account.
September 9th, 2010 11:03pm
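
One way to avoid editing the script for each install, as an added example that is not part of the thread: a wrapper that takes the installer path as its first argument, so the user can drop a downloaded file onto it. It reuses the runas command quoted in the posts above and assumes the built-in local Administrator account is enabled on the laptop.

```batch
@echo off
rem Added example, not from the thread. It uses the thread's own command,
rem so it assumes the built-in local Administrator account is enabled.
setlocal

rem The installer path arrives as %1 when a file is dropped on this script.
if "%~1"=="" goto usage
if not exist "%~f1" goto missing

rem .msi packages are not executables; hand them to msiexec instead.
if /i "%~x1"==".msi" goto msi

rem runas takes the whole command as one argument, so a path containing
rem spaces needs its own quotes, escaped as \" inside the outer pair.
runas /user:%COMPUTERNAME%\Administrator "\"%~f1\""
goto done

:msi
runas /user:%COMPUTERNAME%\Administrator "msiexec.exe /i \"%~f1\""
goto done

:usage
echo Drop an installer on this script, or run: %~nx0 "C:\path\setup.exe"
goto fail

:missing
echo File not found: "%~f1"

:fail
pause
endlocal
exit /b 1

:done
rem Keep the window open so any runas error message stays readable.
pause
endlocal
```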

Awesome! That works. That may be the workaround that we are looking for! Thanks! .\user
September 9th, 2010 11:18pm

This topic is archived. No further replies will be accepted.