How to configure non-admin users to allow them to install updates for Java and Adobe Acrobat Reader (or any other application which may need such privileges) without needing for administrator password on Windows 7. Updates for Microsoft products install without problems.
This can be Active Directory (Windows 2003) solution, or computer based (employable through GPO or login script).
Edit:
Just to add some information. I know Secunia offers Secunia CSI
that integrates with WSUS and allows other software updates deployed thru it. But it's pay software which is something I would like to avoid.
Also giving an admin/power-user rights is not something i want to have since then it opens up additional security holes.
Package the updates as MSI with your favourite packager (if they're not already in a suitable MSI format) and deploy them using Active Directory's built-in deployer. This will not require any administrative rights on the clients. It can become tedious though, there's where patch management and software distribution suites come into play.
Also as a side note, Power User is basically the same as Administrator when it comes to security, so it's not really any better than Administrator.
I set their systems to be managed in AD and then I just right click the machine name, click on manage, and then temporarily change their permissions. I give them 2-4 hours to do what they need to, and then I set it back.
You can set up group policy and apply it to a new OU and put their computers in there. The only problem is that I am unable to do so with Windows 7 users. I manually have to touch the local gp on their machines. I put it as part of my build checklist or change the gp when I am working on their system.
Apparently, I will be able to set it up for the W7 machines when replacing my DC with Windows 2008 R2.
My two cents.
Well, you really do need to give the person doing this admin rights on each local PC. You might get by with power user rights (depending on the software that needs updating), but it's unlikely.
Here is how I would approach this...
Create user account(s) on your domain for the people that are going to do this work, create a group called something like 'Local Admin Rights', add all the new accounts to the group.
Using Active Directory Users and Computers, create a policy on the computers' containers, and implement a restricted groups policy to force the domain group 'Local Admin Rights' to be a member of each computers 'Administrators' group. - take care to place the policy so that it only affects the computers you are interested in (i.e. take care to avoid this server taking effect on your servers).