  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 388

Allow Roaming Users to Install Applications

Hey guys, I'm in the middle of learning the basics of Windows 2003 administration using Active Directory etc. and have encountered a problem.

My goal, basically, is to allow roaming users to install applications of their choice on their machines (despite the obvious security risks). I have looked into publishing applications, but not being able to anticipate what they may install rules this out.

I cannot find any information about allowing this but assume it is possible, as this was allowed at university on the Win2k machines?
Asked:
Squirtle
2 Solutions
 
whiting002 Commented:
I don't believe this is something you can do in Active Directory.  What I would look at doing is, when you set up the computer for your roaming user, give the user either 'Admin' or 'Power User' rights on their local machine.
0
 
littlebuddah Commented:
whiting002 is spot on: Power User rights for authenticated users on the local machine will suffice. I know you seem to realize the risks, but allowing all users Power User rights will make the system a haven for spyware/malware/viruses/black hats etc.  If you give those rights and provide access to the WWW, you'll give yourself an admin nightmare.
0
 
whiting002 Commented:
Make sure you articulate these threats to your remote users and provide them with some sort of antispyware and antivirus software that they can run.  Also include a file in their 'My Documents' folder or even on their desktop with instructions on how to run the antivirus and antispyware services and some courses of action if spyware or viruses are found.
0
 
jacksonps4 Commented:
You'll also need to set the "always install with elevated privileges" policy in Windows Installer so that the users can install the package without having admin or power user rights.  This policy needs to be set for both the user and the computer configurations to have any effect.

Computer / User Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> Always Install with elevated privileges (enable)

This is useful to help curb security risks to avoid users requiring domain admin privileges to install across any machine.

Then add the software package to the User Configuration as "Assigned".  This way, the application will be installed on whichever machine the user logs onto.

HTH
0
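A check for the policy described in the comment above, as an added example that is not part of the original thread: it reads the registry values behind "Always install with elevated privileges" and reports whether the setting is enabled in both the computer and the user configuration. It assumes PowerShell 3.0 or later (not present on Windows 2003 by default); the function name is hypothetical.

```powershell
# Added example (not from the thread). Function name is hypothetical.
# Reports the state of the "Always install with elevated privileges" policy
# for this computer (HKLM) and the currently logged-on user (HKCU).
function Get-AlwaysInstallElevatedState {
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $state  = [ordered]@{}

    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\$subKey"
        $value = $null
        if (Test-Path -Path $key) {
            # A missing value means the policy is "Not configured" in that hive
            $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated `
                        -ErrorAction SilentlyContinue
            if ($item) { $value = $item.AlwaysInstallElevated }
        }
        $state[$hive] = ($value -eq 1)
    }

    # The policy only takes effect when both configurations enable it
    $state['Effective'] = $state['HKLM'] -and $state['HKCU']
    [pscustomobject]$state
}

# Run on a workstation under the account being reviewed
Get-AlwaysInstallElevatedState | Format-List
```

When `Effective` is `True`, Windows Installer runs every package with elevated rights for that user on that machine, not only the packages an administrator has assigned or published.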
 
Squirtle (Author) Commented:
Thanks for the replies so far.

crazijoe & jacksonps4 - like I said, publishing / assigning software isn't an option :(

whiting002 & littlebuddah - would this allow me to still log into the domain then and the users access the files from any computer because I noticed you can't set AD users as members of the 'Power Users' group? (don't know that much about all this)

Thanks again :D
0
 
jacksonps4 Commented:
If you're not worried about security, why not just give the users domain admin privileges - then they can install any software on any machine.
0
 
Squirtle (Author) Commented:
Thanks, that lets the users install applications as I'd like but it means they have access to each other's locally saved 'My Documents'. Is there any way around this?
0
 
jacksonps4 Commented:
If the permissions on the "My Documents" folders are configured properly, this should be no problem.  For an example user 'test', set the folder permission so that SYSTEM has 'Full control', 'test' is the owner and has full control and remove all other entries.  This will prevent anyone other than the user 'test' from accessing the folder.  If you repeat this for all of your users, they will not be able to see each other's "My Documents".

However, the downside of this setup is that as users are domain admins, they can reset the permissions if they choose.  Obviously you could configure auditing so that you will know if someone has done this, but it is not the ideal setup.  How many workstations are we talking about?  What you could do is ensure that all required users are "administrators" on all of the workstations but not domain admins - although if there are tens or hundreds of computers, it could take a while to sort out.

One other alternative might be (I've never tried it) to configure group policy so that although the users are domain admins, they have no rights on the file server.  You may be able to do this by setting the "deny logon locally" policy for the OU that contains the server.
0
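A way to verify the folder permissions described in the comment above (owner is the user, only SYSTEM and the user have entries), as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later; the function name is hypothetical, and the usage line checks the current user's own documents folder so that it runs on any workstation.

```powershell
# Added example (not from the thread). Function name is hypothetical.
# Lists every deviation from the layout described above:
#   owner = the user, entries only for SYSTEM and the user, nothing inherited.
function Get-UnexpectedFolderAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $User   # 'DOMAIN\name' form
    )

    $acl      = Get-Acl -Path $Path
    $allowed  = @('NT AUTHORITY\SYSTEM', $User)
    $findings = @()

    if ($acl.Owner -ne $User) {
        $findings += "Owner is $($acl.Owner), expected $User"
    }
    if (-not $acl.AreAccessRulesProtected) {
        # Entries from the parent folder would be re-applied to this folder
        $findings += 'Inheritance is enabled; parent entries still apply'
    }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $who) {
            $findings += "Extra entry: $who -> $($ace.FileSystemRights)"
        }
    }
    $findings
}

# Usage: check the logged-on user's own documents folder
$docs = [Environment]::GetFolderPath('MyDocuments')
Get-UnexpectedFolderAccess -Path $docs -User "$env:USERDOMAIN\$env:USERNAME"
```

An empty result means the folder matches the described layout; run on a schedule, any new line of output shows that someone has changed the permissions since the last check.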
 
whiting002 Commented:
I'm not suggesting you change their domain privileges.  I would leave Active Directory alone.  What you could do is set up all of your roaming users with admin rights on their local machines.  That's what I do here at my company with our Sales department.  They have laptops which they take all over the tri-state area and I have given them admin rights under their local computer but they have very limited rights once they sign on to my domain.  Basically they have two user accounts: a local account and then a domain account.  So you may have user "John" under domain "Acme" who has domain user privileges and then you have user "John" under domain "Laptop Computer" who has admin privileges.  The only setback that I have found with this is a slight inconvenience for my Sales employees when they are on the domain trying to install software.  They will be prompted asking for an account with permissions to install software; all they have to do is go down and change the domain from your network to the local machine and they should be fine.  Let me know if I didn't explain this well enough or if this will not work for whatever reason.
0
Question has a verified solution.
