Squirtle

Allow Roaming Users to Install Applications

Hey guys, I'm in the middle of learning the basics of Windows 2003 administration using Active Directory etc. and have encountered a problem.

My goal, basically, is to allow roaming users to install applications of their choice on their machines (despite the obvious security risks). I have looked into publishing applications, but not being able to anticipate what they may install rules this out.

I cannot find any information about allowing this but assume it is possible, as this was allowed at university on the Win2k machines?
whiting002

I don't believe this is something you can do in Active Directory. What I would look at doing is, when you set up the computer for your roaming user, give the user either 'Admin' or 'Power User' rights on their local machine.
ASKER CERTIFIED SOLUTION
littlebuddah

This solution is only available to members.
Make sure you articulate these threats to your remote users and provide them with some sort of antispyware and antivirus software that they can run. Also include a file in their 'My Documents' folder or even on their desktop with instructions on how to run the antivirus and antispyware services and some courses of action if spyware or viruses are found.
You'll also need to set the "always install with elevated privileges" policy in Windows Installer so that the users can install the package without having admin or power user rights. This policy needs to be set for both the user and the computer configurations to have any effect.

Computer / User Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> Always Install with elevated privileges (enable)

This is useful to help curb security risks to avoid users requiring domain admin privileges to install across any machine.

Then add the software package to the User Configuration as "Assigned". This way, the application will be installed on whichever machine the user logs onto.

HTH
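
The "Always install with elevated privileges" setting discussed in the answer above can be audited from the registry. This is an added example, not part of the original thread; it assumes PowerShell is available on the workstation and that the policy is stored as the `AlwaysInstallElevated` value under `Software\Policies\Microsoft\Windows\Installer` in both the machine hive and each user hive. The function names are made up for this example.

```powershell
# Added example: report where the Windows Installer elevation policy is in
# force. As the answer notes, it only has an effect when it is enabled in
# BOTH the computer and the user configuration, so both hives are read.

$SubKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$ValueName = 'AlwaysInstallElevated'

function Get-InstallerPolicyValue {
    param([string]$Path)
    # Returns the DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$ValueName }
    return $null
}

function Test-InstallerElevationEffective {
    param($MachineValue, $UserValue)
    # Effective only when both halves of the policy are set to 1.
    return ($MachineValue -eq 1) -and ($UserValue -eq 1)
}

$machine = Get-InstallerPolicyValue -Path "HKLM:\$SubKey"

# Walk every user hive currently loaded under HKEY_USERS (logged-on users),
# skipping service accounts and the *_Classes hives.
$results = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $user = Get-InstallerPolicyValue -Path "Registry::HKEY_USERS\$sid\$SubKey"
        [pscustomobject]@{
            Sid           = $sid
            MachinePolicy = $machine
            UserPolicy    = $user
            Effective     = Test-InstallerElevationEffective $machine $user
        }
    }

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Effective }) {
    # With the policy effective, any MSI package these users run is installed
    # with system privileges, not just the packages an administrator assigned.
    Write-Warning 'AlwaysInstallElevated is effective for at least one logged-on user.'
}
```

Run it from an elevated prompt so other users' loaded hives are readable; users who are not logged on have no hive under HKEY_USERS and are not reported.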
Squirtle

ASKER

Thanks for the replies so far.

crazijoe & jacksonps4 - like I said, publishing / assigning software isn't an option :(

whiting002 & littlebuddah - would this allow me to still log into the domain then and the users access the files from any computer because I noticed you can't set AD users as members of the 'Power Users' group? (don't know that much about all this)

Thanks again :D
If you're not worried about security, why not just give the users domain admin privileges - then they can install any software on any machine.
Thanks, that lets the users install applications as I'd like but it means they have access to each other's locally saved 'My Documents'. Is there any way around this?
If the permissions on the "My Documents" folders are configured properly, this should be no problem. For an example user 'test', set the folder permission so that SYSTEM has 'Full control', 'test' is the owner and has full control, and remove all other entries. This will prevent anyone other than the user 'test' from accessing the folder. If you repeat this for all of your users, they will not be able to see each other's "My Documents".

However, the downside of this setup is that as users are domain admins, they can reset the permissions if they choose. Obviously you could configure auditing so that you will know if someone has done this, but it is not the ideal setup. How many workstations are we talking about? What you could do is ensure that all required users are "administrators" on all of the workstations but not domain admins - although if there are tens or hundreds of computers, it could take a while to sort out.

One other alternative might be (I've never tried it) to configure group policy so that although the users are domain admins, they have no rights on the file server. You may be able to do this by setting the "deny logon locally" policy for the OU that contains the server.
SOLUTION
This solution is only available to members.