Allow Non-admin Users to Update Firefox
We recently noticed a problem where Firefox would prompt users (who are not administrators on their workstations) to update to the latest version (ie, from 2.0.0.8 to 2.0.0.9). If they tried to complete the update however, it would fail, giving the error “Software Update Failed”.
We decided the best solution was to come up with a way to let users update Firefox themselves, without being made local admins. The reason we wanted them to be able to do this is that IT doesn’t get around to everyone’s workstation often enough to keep up with the latest version of Firefox, and we felt that it was important for them to have that (for security reasons).
After some testing I found that a Domain User account was able to install Firefox updates if they were given write permissions to the C:\Program Files\Mozilla Firefox folder (or wherever Firefox may be installed in your case). To go around to each workstation and change that permission would still be troublesome (30 workstations plus some odd laptops, and no time to spare). So I came up with a solution that I could implement from my desk.
I did this through the use of PsExec from SysInternals (now Microsoft Corp.). PsTools only has to be installed on the workstation you’re running it from, and it’s a completely free download from Microsoft’s website (see here). This tool allows you to run commands / programs on remote systems. It helps if you extract them to someplace that is in your PATH, such as C:\Windows\System32 (just don’t overwrite anything). Once PsTools is installed, it’s easiest if you create a list of all the workstations you want to update, if you don’t already have that. The list needs to be one workstation per line (or at least, that’s how it worked for me).
psexec @active_workstations.txt -u DOMAIN\bwoodruff cacls "C:\Program Files\\Mozilla Firefox" /E /G "DOMAIN\Domain Users":W
That is the command I used to re-permission the folder and give users the access they need to run the update.
The bits in blue need to be replaced with your own values. active_workstations.txt is the name I gave the file that listed all the workstations I wanted to run the command on (note: leave in the @ – it isn’t part of the file name), and in each instance DOMAIN needs to be replaced with your Active Directory domain (not the FQDN, just the part NetBIOS uses). “bwoodruff” should be replaced with a domain admin user account.
This should work if you are on a workgroup also, but you will have to change DOMAIN\bwoodruff to a local admin account that exists on each workstation (“Administrator” usually works – unless you’re on XP Home, ugh). You’ll also have to change DOMAIN\Domain Users to the local users group (usually just “Users”).
The command should output something like “cacls exited with error code 0″ for each workstation that was in your list.
This should also work for changing permissions on other folders.
Read more: http://www.markmmanning.com/blog/2007/12/allow-non-admins-to-update-firefox.html
9 Comments