>>>So when user2 logs on they should be able to install anything correct?
Did you use GPMC and RSOP to see whether it is applying or not ?
You can download from here: -
http://www.microsoft.com/d
Main Topics
Browse All TopicsHi everyone
ok i got Server 2003 installed and active directory configured.
I am having trouble with appying policies. here is what i got
I have a OU called "test" and than 2 sub OU's under that called ADMINS and USERS. i have 2 users called "user1" and "User2" ..user1 is in the ADMINS OU and user2 is in the USERS OU.
user1 is in the group "Domain Admins" and user2 is in the group "Users".
The windows XP client is configured to log onto the domain which it does just fine.
So in my both my SUB OU i have set up a linked group policy for each.
now my problem....
with my sub OU USERS i have set the group policy under windows compontents->windows installer->elevated privleges to enabled in both the user config and computer config. So when user2 logs on they should be able to install anything correct? ...but they can't :-(. So for testing if i disable windows messenger it indeed disables windows messanger from running so i guess that proves something in the group policy is working for OU USERS.
user1 has none of these problems because it is in the group "domain admins" ..if i change user2 and put in in the same group and can indeed install programs.
any ideas what is going on?...i really don't want to have to set every user that wants to be able to install apps to a "domain admin"
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
>>>So when user2 logs on they should be able to install anything correct?
Did you use GPMC and RSOP to see whether it is applying or not ?
You can download from here: -
http://www.microsoft.com/d
>>>So in my both my SUB OU i have set up a linked group policy for each.
From where you linked ? Did you create a separate GPO or you linked Default Domain Policy ?
Which application users are you trying to install? It should be a MSI installer. Group Policy with this setting enabled does not support installing EXE applications.
Let us know.
Thanks
You need to set this value both for the user *and* for the machine. If it's not enabled for the machine, the user value alone doesn't matter.
Check the notes about the security risks involved when allowing this:
How To Allow Users Who Are Not Administrators to Install MSI Packages
http://support.microsoft.c
How to configure Windows Installer for maximum security
http://support.microsoft.c
ok i can msi packages to install just so long as they don't require administrator access,if they do need admin access they fail ..i thought the elevated privleges option would take care of that. Also i enabled the windows update feature for the USER OU group policy but it fails also when you run it.
my ultimate goal is not to have every user be able to install programs but i would like a select few to be able too and i would also like every user to be able to use windows updates.
As for the policies and if they are applying or not, like i said earlier it does work when i restrict certain things like Windows messenger, it just seems to be very picky and choosy as to what it restricts. Also if the user is a member of domain admins all these problems go away but obviouslly i don't want every user having domain admins rights.
let me know if i haven't explained anything good enough ...o yeah i am at home now so i can't test nothing until monday
Cheers
>>>ok i can msi packages to install just so long as they don't require administrator access,if they do need admin access they fail ..
No. Not at all. If you deploy all MSI Applications using Group Policy they do not require administrative previleges.
>>>i thought the elevated privleges option would take care of that. Also i enabled the windows update feature for the USER OU group policy but it fails also when you run it.
You can't allow users to run Windows Update because Windows Update uses some services to run properly so some services run under security context of SYSTEM Account and some using the Administrator Account.
>>>my ultimate goal is not to have every user be able to install programs but i would like a select few to be able too and i would also like every user to be able to use windows updates.
Then absloutely you need to make them member of Administrator Group...because as i said about Windows Update its not possible.
Cheers
Business Accounts
Answer for Membership
by: SystmProgPosted on 2005-03-03 at 21:38:54ID: 13456337
What is your ulimate Goal ? Do you want users to install softwares on their system ?