Solved

Allow Roaming Users to Install Applications

Posted on 2004-10-07
Last Modified: 2010-05-18
Hey guys, I'm in the middle of learning the basics of Windows 2003 administration using Active Directory etc. and have encountered a problem.

My goal basically, is to allow roaming users to install applications of their choice on their machines (despite the obvious security risks). I have looked into publishing applications but without being able to anticipate what they may install rules this out.

I cannot find any information about allowing this but assume it is possible, as this was allowed at university on the Win2k machines?
0
Question by:Squirtle
12 Comments
 
LVL 2

Expert Comment

by:whiting002
ID: 12257481
I don't believe this is something you can do in Active Directory. What I would look at doing is, when you set up the computer for your roaming user, give the user either 'Admin' or 'Power User' rights on their local machine.
0
 
LVL 2

Accepted Solution

by:littlebuddah
littlebuddah earned 50 total points
ID: 12257840
whiting002 is spot on; Power User rights for authenticated users on the local machine will suffice. I know you seem to realize the risks, but allowing all users Power User rights will make the system a haven for spyware/malware/viruses/black hats etc. If you give those rights and provide access to WWW you'll give yourself an admin nightmare.
0
 
LVL 2

Expert Comment

by:whiting002
ID: 12257873
Make sure you articulate these threats to your remote users and provide them with some sort of antispyware and antivirus software that they can run. Also include a file in their 'My Documents' folder or even on their desktop with instructions on how to run the antivirus and antispyware services and some courses of action if spyware or viruses are found.
0
 
LVL 7

Expert Comment

by:crazijoe
ID: 12258173
0
 
LVL 1

Expert Comment

by:jacksonps4
ID: 12260682
You'll also need to set the "always install with elevated privileges" policy in Windows Installer so that the users can install the package without having admin or power user rights. This policy needs to be set for both the user and the computer configurations to have any effect.

Computer / User Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> Always Install with elevated privileges (enable)

This is useful to help curb security risks to avoid users requiring domain admin privileges to install across any machine.

Then add the software package to the User Configuration as "Assigned". This way, the application will be installed on whichever machine the user logs onto.

HTH
0
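
Added example, not part of the thread: a PowerShell check for the policy jacksonps4 names, reading the standard `AlwaysInstallElevated` value under the Windows Installer policy key in both the computer and user hives. With the policy active, any MSI the user starts installs with elevated privileges, so it is a setting worth auditing; the script assumes PowerShell is available and covers only the user it runs as.

```powershell
# Added example: report whether "Always install with elevated privileges"
# is enabled for the computer and for the current user.
$valueName  = 'AlwaysInstallElevated'
$policyKeys = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-InstallerElevationState {
    param(
        [System.Collections.IDictionary]$Keys,
        [string]$Name
    )
    $state = [ordered]@{}
    foreach ($scope in $Keys.Keys) {
        # A missing key or value means the policy is not configured in that scope.
        $item = Get-ItemProperty -Path $Keys[$scope] -Name $Name -ErrorAction SilentlyContinue
        $state[$scope] = ($null -ne $item) -and ($item.$Name -eq 1)
    }
    $state
}

$state = Get-InstallerElevationState -Keys $policyKeys -Name $valueName
foreach ($scope in $state.Keys) {
    '{0,-8} policy enabled: {1}' -f $scope, $state[$scope]
}

# The policy only takes effect when both scopes are enabled.
if ($state['Computer'] -and $state['User']) {
    Write-Warning 'In effect: MSI packages started by this user install with elevated privileges.'
} else {
    Write-Output 'Not in effect: the policy is not enabled in both scopes.'
}
```
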

Author Comment

by:Squirtle
ID: 12262254
Thanks for the replies so far.

crazijoe & jacksonps4 - like I said, publishing / assigning software isn't an option :(

whiting002 & littlebuddah - would this allow me to still log into the domain then and the users access the files from any computer because I noticed you can't set AD users as members of the 'Power Users' group? (don't know that much about all this)

Thanks again :D
0
 
LVL 1

Expert Comment

by:jacksonps4
ID: 12264466
If you're not worried about security, why not just give the users domain admin privileges - then they can install any software on any machine.
0
 

Author Comment

by:Squirtle
ID: 12265662
Thanks, that lets the users install applications as I'd like but it means they have access to each other's locally saved 'My Documents'. Is there any way around this?
0
 
LVL 1

Expert Comment

by:jacksonps4
ID: 12265688
If the permissions on the "My Documents" folders are configured properly, this should be no problem.  For an example user 'test', set the folder permission so that SYSTEM has 'Full control', 'test' is the owner and has full control and remove all other entries.  This will prevent anyone other than the user 'test' from accessing the folder.  If you repeat this for all of your users, they will not be able to see each other's "My Documents".

However, the downside of this setup is that as users are domain admins, they can reset the permissions if they choose. Obviously you could configure auditing so that you will know if someone has done this but it is not the ideal setup. How many workstations are we talking about? What you could do is ensure that all required users are "administrators" on all of the workstations but not domain admins - although if there are tens or hundreds of computers, it could take a while to sort out.

One other alternative might be (I've never tried it) to configure group policy so that although the users are domain admins, they have no rights on the file server.  You may be able to do this by setting the "deny logon locally" policy for the OU that contains the server.
0
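
Added example, not part of the thread: a read-only PowerShell audit of the "My Documents" permissions described in the post above (SYSTEM with Full Control, the user as owner with Full Control, no other entries). The profile root, the placeholder domain name `ACME`, and the assumption that each profile folder is named after its account are illustrative, not taken from the poster's environment.

```powershell
# Added example: list My Documents folders whose ACL differs from the layout
# described above. $ProfileRoot and $Domain are assumptions for illustration.
$ProfileRoot = 'C:\Documents and Settings'   # assumed local profile location
$Domain      = 'ACME'                        # placeholder domain name

function Get-FolderAclFinding {
    param([string]$Path, [string]$Account)
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allowed = @('NT AUTHORITY\SYSTEM', $Account)
    $acl     = Get-Acl -Path $Path
    $result  = @()

    # The user is expected to own the folder.
    if ($acl.Owner -ne $Account) {
        $result += "owner is '$($acl.Owner)', expected '$Account'"
    }
    # Any Allow entry for another identity is a deviation.
    $allowAces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($ace in $allowAces) {
        $who = $ace.IdentityReference.Value
        if ($allowed -notcontains $who) {
            $result += "extra entry: $who ($($ace.FileSystemRights))"
        }
    }
    # SYSTEM and the user should each hold Full Control.
    foreach ($id in $allowed) {
        $hasFull = $allowAces | Where-Object {
            $_.IdentityReference.Value -eq $id -and ($_.FileSystemRights -band $full) -eq $full
        }
        if (-not $hasFull) { $result += "$id lacks Full Control" }
    }
    $result
}

# Profile folders not tied to an account (e.g. shared profiles) will also be listed.
Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $docs = Join-Path $_.FullName 'My Documents'
    if (Test-Path $docs) {
        $account = "$Domain\$($_.Name)"
        foreach ($finding in @(Get-FolderAclFinding -Path $docs -Account $account)) {
            '{0}: {1}' -f $docs, $finding
        }
    }
}
```
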
 
LVL 2

Assisted Solution

by:whiting002
whiting002 earned 50 total points
ID: 12274999
I'm not suggesting you change their domain privileges. I would leave Active Directory alone. What you could do is set up all of your roaming users with admin rights on their local machines. That's what I do here at my company with our Sales department. They have laptops which they take all over the tri-state area and I have given them admin rights under their local computer but they have very limited rights once they sign on to my domain. Basically they have two user accounts: a local account and then a domain account. So you may have user "John" under domain "Acme" who has domain user privileges and then you have user "John" under domain "Laptop Computer" who has admin privileges. The only setback that I have found with this is a slight inconvenience for my Sales employees when they are on the domain trying to install software. They will be prompted asking for an account with permissions to install software; all they have to do is go down and change the domain from your network to the local machine and they should be fine. Let me know if I didn't explain this well enough or if this will not work for whatever reason.
0
