Solved

Allow Roaming Users to Install Applications

Posted on 2004-10-07
Last Modified: 2010-05-18
Hey guys, I'm in the middle of learning the basics of Windows 2003 administration using Active Directory etc. and have encountered a problem.

My goal, basically, is to allow roaming users to install applications of their choice on their machines (despite the obvious security risks). I have looked into publishing applications, but not being able to anticipate what they may install rules this out.

I cannot find any information about allowing this but assume it is possible, as this was allowed at university on the Win2k machines?
Question by:Squirtle
12 Comments
 
LVL 2

Expert Comment

by:whiting002
ID: 12257481
I don't believe this is something you can do in Active Directory.  What I would look at doing is, when you set up the computer for your roaming user, give the user either 'Admin' or 'Power User' rights on their local machine.
 
LVL 2

Accepted Solution

by:
littlebuddah earned 50 total points
ID: 12257840
whiting002 is spot on, Power user rights for authenticated users on the local machine will suffice and I know you seem to realize the risks but allowing all users power users rights will make the system a haven for spyware/malware/viruses/black hats etc.  If you give those rights and provide access to WWW you'll give yourself an admin nightmare.
 
LVL 2

Expert Comment

by:whiting002
ID: 12257873
Make sure you articulate these threats to your remote users and provide them with some sort of antispyware and antivirus software that they can run.  Also include a file in their 'My Documents' folder or even on their desktop with instructions on how to run the antivirus and antispyware services and some courses of action if spyware or viruses are found.
 
LVL 7

Expert Comment

by:crazijoe
ID: 12258173
 
LVL 1

Expert Comment

by:jacksonps4
ID: 12260682
You'll also need to set the "always install with elevated privileges" policy in Windows Installer so that the users can install the package without having admin or power user rights.  This policy needs to be set for both the user and the computer configurations to have any effect.

Computer / User Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> Always Install with elevated privileges (enable)

This is useful to help curb security risks to avoid users requiring domain admin privileges to install across any machine.

Then add the software package to the User Configuration as "Assigned".  This way, the application will be installed on whichever machine the user logs onto.

HTH
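
An added example, not part of the original comment: the policy named above is stored as the DWORD value `AlwaysInstallElevated` under the Windows Installer policy key in both the machine and the user hive, and when both are 1 any MSI the user launches is installed with elevated privileges. This audit script reports the state of each scope so an administrator can confirm whether the setting is in force; the function and variable names are made up for the example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): audit the Windows Installer elevation policy.
# The Group Policy setting is stored as the DWORD value AlwaysInstallElevated
# under the Windows Installer policy key of the machine hive and the user hive.
$InstallerPolicyKeys = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'  # current user only
}

function Get-InstallerElevationState {
    param([System.Collections.IDictionary]$Keys = $InstallerPolicyKeys)

    $state = [ordered]@{}
    foreach ($scope in $Keys.Keys) {
        # A missing key or value means the policy is not configured for that scope.
        $item = Get-ItemProperty -Path $Keys[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$scope] = [bool]($item -and $item.AlwaysInstallElevated -eq 1)
    }
    # The policy only takes effect when both scopes enable it.
    $state['Effective'] = $state['Computer'] -and $state['User']
    [pscustomobject]$state
}

$result = Get-InstallerElevationState
$result | Format-List
if ($result.Effective) {
    Write-Warning 'AlwaysInstallElevated is active: any MSI this user runs installs with elevated privileges.'
} elseif ($result.Computer -or $result.User) {
    Write-Output 'Policy is set in one scope only, so it has no effect; remove the leftover value.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled.'
}
```

The user half is read from the hive of whoever runs the script, so run it in the session of the account being checked.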
 

Author Comment

by:Squirtle
ID: 12262254
Thanks for the replies so far.

crazijoe & jacksonps4 - like I said, publishing / assigning software isn't an option :(

whiting002 & littlebuddah - would this allow me to still log into the domain then and the users access the files from any computer because I noticed you can't set AD users as members of the 'Power Users' group? (don't know that much about all this)

Thanks again :D
 
LVL 1

Expert Comment

by:jacksonps4
ID: 12264466
If you're not worried about security, why not just give the users domain admin privileges - then they can install any software on any machine.
 

Author Comment

by:Squirtle
ID: 12265662
Thanks, that lets the users install applications as I'd like but it means they have access to each other's locally saved 'My Documents'. Is there any way around this?
 
LVL 1

Expert Comment

by:jacksonps4
ID: 12265688
If the permissions on the "My Documents" folders are configured properly, this should be no problem.  For an example user 'test', set the folder permission so that SYSTEM has 'Full control', 'test' is the owner and has full control and remove all other entries.  This will prevent anyone other than the user 'test' from accessing the folder.  If you repeat this for all of your users, they will not be able to see each other's "My Documents".

However, the down side of this setup is that as users are domain admins, they can reset the permissions if they choose.  Obviously you could configure auditing so that you will know if someone has done this but it is not the ideal setup.  How many workstations are we talking about?  What you could do is ensure that all required users are "administrators" on all of the workstations but not domain admins - although if there are tens or hundreds of computers, it could take a while to sort out.

One other alternative might be (I've never tried it) to configure group policy so that although the users are domain admins, they have no rights on the file server.  You may be able to do this by setting the "deny logon locally" policy for the OU that contains the server.
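
An added example, not part of the original comment: a read-only check of a folder against the permission layout described above (the user is the owner, SYSTEM and the user have Full control, no other entries), useful for spotting permissions that have been reset. The function name, the `ACME\test` account and the temp folder are constructed for the example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): check a folder against the layout described
# above: owner is the user, SYSTEM and the user have Full control, nothing else.
function Test-PrivateFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account    # e.g. 'ACME\test' (constructed)
    )
    $full     = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $expected = @('NT AUTHORITY\SYSTEM', $Account)
    $acl      = Get-Acl -Path $Path

    # Entries for any identity other than SYSTEM and the user should not exist.
    $unexpected = @($acl.Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object { '{0} ({1} {2})' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights })

    # Both expected identities need an Allow entry that covers Full control.
    $missing = @($expected | Where-Object {
        $id = $_
        -not ($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $full) -eq $full
        })
    })

    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        OwnerIsUser        = $acl.Owner -eq $Account
        UnexpectedEntries  = $unexpected
        MissingFullControl = $missing
        Compliant          = ($acl.Owner -eq $Account) -and -not $unexpected -and -not $missing
    }
}

# Constructed demo: a fresh temp folder inherits its parent's entries, so it is
# typically reported as non-compliant (for example an Administrators entry).
$demo = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Test-PrivateFolderAcl -Path $demo -Account "$env:USERDOMAIN\$env:USERNAME" | Format-List
```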
 
LVL 2

Assisted Solution

by:whiting002
whiting002 earned 50 total points
ID: 12274999
I'm not suggesting you change their domain privileges.  I would leave Active Directory alone.  What you could do is set up all of your roaming users with admin rights on their local machines.  That's what I do here at my company with our Sales department.  They have laptops which they take all over the tri-state area and I have given them admin rights under their local computer but they have very limited rights once they sign on to my domain.  Basically they have two user accounts: a local account and then a domain account.  So you may have user "John" under domain "Acme" who has domain user privileges and then you have user "John" under domain "Laptop Computer" who has admin privileges.  The only setback that I have found with this is a slight inconvenience for my Sales employees when they are on the domain trying to install software.  They will be prompted asking for an account with permissions to install software; all they have to do is go down and change the domain from your network to the local machine and they should be fine.  Let me know if I didn't explain this well enough or if this will not work for whatever reason.