Something which has come up during our deployment of Office 2007 is the issue of rights, more specifically local administrator rights. A lot of what we are going to do in the deployment requires those rights in order to install the various parts of the software, and this opens up an issue:
How do you install Office 2007 without giving everyone local admin rights over their machine?
Well, think about it: we don’t have the luxury of a full rollout via either AD or System Center, which is why this came about in the first place. So what is left? How about one user in AD with the necessary rights, used only to install Office via a logon script and nothing else?
The logon script for that one generic user would hold the majority of the installation code, aside from one or two parts that are user specific, and at the end of the script the machine is told to reboot. From a security standpoint, this does mean that for a time you are allowing users to install other things in the background if they are quick enough.
Also this does mean that you are then reliant on users logging onto the machine in the first place using that generic user in order for Office to be deployed.
That issue can be minimised to a point by management sending out notices telling users what they are to do when the time comes for a rollout. Another method is to send a message to team leaders so that they are aware of what needs to happen and can make sure it gets done. Basically, communication is going to be key for this part to succeed.
On the plus side, if users try to exit the KIX script early by clicking on the close button, the machine reboots. Also, once Office has been installed, the script runs quickly, as it detects that everything is there and then reboots before anything else happens. You can also have some detection within the logon script to see if Office 2007 is present and write to a text file if it is not, thus giving you a better clue as to who hasn’t performed the update.
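One way to do the detection and logging described above, as an added example rather than the script we actually used. The share name is a placeholder, and checking the Office 12.0 `InstallRoot` registry value plus `WINWORD.EXE` is an assumed detection method. It writes one file per machine and deletes it once Office is found, so the folder always lists the machines still outstanding.

```kixtart
; Added example, not the original deployment script.
; \\SERVER\OfficeRollout$ is a placeholder share that users can write to.
$LogDir = "\\SERVER\OfficeRollout$"
$Marker = $LogDir + "\" + @WKSTA + ".txt"   ; one file per machine avoids write contention

; Office 2007 is version 12.0; setup records its install folder in this value.
$Root = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Common\InstallRoot", "Path")

$Installed = 0
If @ERROR = 0 And $Root <> ""
    If Right($Root, 1) <> "\"
        $Root = $Root + "\"
    EndIf
    ; A registry value can survive a failed install, so confirm the binary exists.
    If Exist($Root + "WINWORD.EXE")
        $Installed = 1
    EndIf
EndIf

If $Installed
    ; Machine is done: remove any earlier "missing" record.
    If Exist($Marker)
        Del $Marker
    EndIf
Else
    ; Mode 5 = create if missing (1) + open for write (4); lines are appended.
    If Open(1, $Marker, 5) = 0
        $rc = WriteLine(1, @DATE + " " + @TIME + " " + @WKSTA + " " + @USERID + " Office 2007 not detected" + @CRLF)
        $rc = Close(1)
    Else
        ? "Could not write " + $Marker + " (error " + @ERROR + ")"
    EndIf
EndIf
```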
This solution is not ideal, yet all of this was born out of the fact that we have a deployment to do without the right tools, and in the grand scheme of things there are worse ways of doing it!