Deploy the 2007 Office system to users who are not administrators
Updated: November 25, 2006
Applies To: Office Resource Kit
In the Microsoft Windows environments that support the 2007 Microsoft Office system, default users have limited access to system areas of the computer. Because the Office Setup program writes to system areas of the operating system and the Windows registry, a user must have administrative rights on the local computer to install Office.
To install Office on computers where users lack administrative rights, you must run Setup in a context that provides it with administrative rights. After Office is installed, users without administrative rights can run all installed features, including installing features on demand.
In organizations where users are not the administrators of their computers, administrators can use the following methods of providing Office Setup with the appropriate rights:
Log on to the computer as an administrator and install Office 2007.
Assign Office 2007 to the computer by using Group Policy Software Installation.
Deploy Office 2007 to computers by using Group Policy computer startup scripts.
Use a software management tool, such as Microsoft Systems Management Server or Microsoft System Center Essentials 2007.
After the initial installation is performed with administrative rights, all subsequent installations—including install on demand and automatic repair of features—also run with those rights.
Two general Windows policy settings that have been used to help install previous versions of Office are no longer supported in the 2007 Office system. Setting the Windows Installer policy Always install with elevated privileges allows a user without administrative rights to the computer to install any Windows Installer package. Similarly, setting the policy Enable user to use media source while elevated allows users without administrative rights to install programs from a CD. In both cases, the installation runs with elevated privileges, and the user has unlimited access to system files and the registry. Setting either of these policies leaves the computer highly vulnerable, potentially allowing an attacker to run malicious code on the computer. Using these policies to allow a user who is not an administrator to install Office will not work with the 2007 version of Setup and is not supported in the 2007 Office system.
Logging on as an administrator
You can install the 2007 Office system on a user's computer by logging on to the computer with an administrator account. This provides the administrative rights necessary for Setup to access restricted areas of the user's computer. Once Office is installed, users have no further need for administrative rights to run Office applications.
For security reasons, applying a software update (MSP file) to an Office installation always requires administrative rights, even if the original installation was performed with administrative rights. For more information, see Distribute product updates for the 2007 Office system.
Assigning Office to the computer
If you have deployed Active Directory, then you can use Group Policy Software Installation features to assign the 2007 Office system to computers in your organization. The installation is performed with the appropriate administrator rights, and Office is available to all users on that computer. Only the administrator can remove Office in this case.
Although Group Policy can be used to install software applications in small-sized organizations with Active Directory installed, there are some limitations, and you must determine whether it is an appropriate solution for your deployment requirements. For more information, see the "Deployment considerations" section of Use Group Policy Software Installation to deploy the 2007 Office system.
Deploying Office with Group Policy computer startup scripts
Administrators can use Group Policy to assign computer startup scripts to deploy the 2007 Microsoft Office system. Scripts can be written in any language that is supported by the client computer. Windows Script Host-supported languages, such as VBScript and Jscript, and command files are the most common. For more information, see Use Group Policy to assign computer startup scripts for 2007 Office deployment.
Using a software management tool
A software management tool, such as Microsoft Systems Management Server, is able to run Office Setup in an administrative context on the user's computer. For more information, see Using Systems Management Server 2003 to deploy the 2007 Office system.
Administrators can also use Microsoft System Center Essentials 2007 to deploy the 2007 Office system. System Center Essentials 2007 is a management solution designed for IT system administrators in medium-sized organizations that include up to 30 servers and 500 client computers. For more information, see Deploy the 2007 Office system by using System Center Essentials 2007.
ConceptsUsing Systems Management Server 2003 to deploy the 2007 Office system
Deploy the 2007 Office system by using System Center Essentials 2007
Use Group Policy to assign computer startup scripts for 2007 Office deployment
Use Group Policy Software Installation to deploy the 2007 Office system
Group Policy overview (2007 Office system)