Deploy Office 2010 to users who are not administrators
Published: May 16, 2012
In the Windows environments that support Microsoft Office 2010, users have limited access to system areas of the computer by default. Because the Office Setup program writes to system areas of the operating system and the Windows registry, a user must have administrative permissions on the local computer to install Office.
To install Office 2010 on computers where users lack administrative permissions, you must run Setup in a context that provides it with administrative permissions. After Office is installed, users without administrative permissions can run all installed features, and can install features on demand.
In organizations where users are not the administrators of their computers, administrators can use the following ways to provide Office Setup with the appropriate permissions:
Log on to the computer as an administrator and install Office 2010.
Use a software management tool, such as Microsoft System Center Configuration Manager 2007, Microsoft System Center Essentials 2007, Systems Management Server (SMS) 2003, or a third-party software deployment tool.
Deploy Office 2010 to computers by using Group Policy computer startup scripts.
Use application virtualization.
After the initial installation is performed with administrative permissions, all later installations — including installation on demand and automatic repair of features — also run with those permissions.
Two general Windows policy settings that help install previous versions of Office are not supported in Office 2010 or in the 2007 Office system: the Windows Installer "Always install with elevated privileges" policy setting and the "Enable user to use media source while elevated" policy setting. (These settings are in the Computer Configuration\Administrative Templates\Windows Components\Windows Installer node in Group Policy Object Editor.) Setting the "Always install with elevated privileges" policy setting allows a user without administrative permissions to the computer to install any Windows Installer package. Similarly, setting the "Enable user to use media source while elevated" policy setting allows users without administrative permissions to install programs from a CD. In both cases, the installation runs with elevated privileges, and the user has unlimited access to system files and the registry. Setting either of these policy settings leaves the computer highly vulnerable, potentially allowing an attacker to run malicious code on the computer. Using these policy settings to allow a user who is not an administrator to install Office will not work with the 2010 or the 2007 version of Setup and is not supported in Office 2010 or in the 2007 Office system.
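Because these two settings are sometimes left over from earlier Office deployments, it is worth confirming that they are not enabled before rolling out Office 2010. The following PowerShell audit is an added example, not part of the original article or of Microsoft's deployment tooling. It assumes PowerShell 3.0 or later and reads the registry values that back the two policies (AlwaysInstallElevated and AllowLockdownMedia, names that do not appear in the article itself); the HKCU check covers only the user who runs the script.

```powershell
# Added example: report the state of the two Windows Installer policies
# named in the article. Read-only; it changes nothing on the computer.
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

# Policy name -> hive and registry value that stores it.
# "Always install with elevated privileges" exists under both Computer
# and User Configuration, so it is checked in HKLM and HKCU.
$checks = @(
    [pscustomobject]@{ Policy = 'Always install with elevated privileges (computer)'; Hive = 'HKLM'; Value = 'AlwaysInstallElevated' }
    [pscustomobject]@{ Policy = 'Always install with elevated privileges (user)';     Hive = 'HKCU'; Value = 'AlwaysInstallElevated' }
    [pscustomobject]@{ Policy = 'Enable user to use media source while elevated';     Hive = 'HKLM'; Value = 'AllowLockdownMedia' }
)

function Get-InstallerPolicyState {
    param([string]$Hive, [string]$Value)
    $path = "${Hive}:\$policyKey"
    # A missing key or value means the policy is not configured.
    $item = Get-ItemProperty -Path $path -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item)    { return 'NotConfigured' }
    if ($item.$Value -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Policy   = $c.Policy
        Location = "$($c.Hive)\$policyKey\$($c.Value)"
        State    = Get-InstallerPolicyState -Hive $c.Hive -Value $c.Value
    }
}
$results | Format-Table -AutoSize -Wrap

# Flag any enabled setting so it can be removed from the applied GPOs.
$enabled = @($results | Where-Object { $_.State -eq 'Enabled' })
if ($enabled.Count -gt 0) {
    Write-Warning ("{0} Windows Installer elevation setting(s) enabled: {1}" -f `
        $enabled.Count, ($enabled.Policy -join '; '))
} else {
    Write-Output 'Neither elevation policy is enabled for this computer and user.'
}
```

Running `gpresult /h report.html` on the same computer shows which Group Policy object applied any setting the script flags.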
Logging on as an administrator
You can install Office 2010 on a user's computer by logging on to the computer by using an administrator account. This provides the administrative permissions that you need for Office Setup to access restricted areas of the user's computer. Once Office is installed, users have no further need for administrative permissions to run Office applications.
For security reasons, applying a software update (.msp file) to an Office installation always requires administrative permissions, even if the original installation was performed with administrative permissions.
Using a software management tool
A software management tool, such as System Center Configuration Manager 2007 or SMS, can run Office Setup in an administrative context on the user's computer.
Administrators can also use System Center Essentials 2007 to deploy Office 2010 and the 2007 Office system. System Center Essentials 2007 is a management solution that was designed for IT system administrators in mid-sized organizations that include up to 30 servers and 500 client computers.
For more information, see Deploy Office 2010 by using System Center Configuration Manager 2007 and Deploy Office 2010 by using System Center Essentials 2010.
Deploying Office by using Group Policy computer startup scripts
Administrators can use Group Policy to assign computer startup scripts to deploy Office 2010 (and the 2007 Office system). Scripts can be written in any language that is supported by the client computer. Windows Script Host-supported languages, such as Microsoft Visual Basic Scripting Edition (VBScript) and JScript, and command files are the most common. For more information, see Deploy Office 2010 by using Group Policy computer startup scripts.
Using application virtualization
Administrators can use Microsoft Application Virtualization (App-V) to deploy Office 2010. The application is published on a local client computer, and the application remains in a virtual environment. Applications run locally in a virtual environment, and are not installed on the local computer. For more information about virtualization types, technologies, and deployment methods, see Plan for virtualization for Office 2010 and Deploy Office 2010 by using Microsoft Application Virtualization.
Concepts
Deploy Office 2010 by using Group Policy computer startup scripts
Deploy Office 2010 by using System Center Configuration Manager 2007
Deploy Office 2010 by using System Center Essentials 2010
Plan for virtualization for Office 2010
Deploy Office 2010 by using Microsoft Application Virtualization