Solved

Allow Roaming Users to Install Applications

Posted on 2004-10-07
Last Modified: 2010-05-18
Hey guys, I'm in the middle of learning the basics of Windows 2003 administration using Active Directory etc. and have encountered a problem.

My goal, basically, is to allow roaming users to install applications of their choice on their machines (despite the obvious security risks). I have looked into publishing applications, but not being able to anticipate what they may install rules this out.

I cannot find any information about allowing this but assume it is possible, as this was allowed at university on the Win2k machines?
Question by:Squirtle
12 Comments
 
LVL 2

Expert Comment

by:whiting002
ID: 12257481
I don't believe this is something you can do in Active Directory. What I would look at doing is, when you set up the computer for your roaming user, give the user either 'Admin' or 'Power User' rights on their local machine.
0
 
LVL 2

Accepted Solution

by:
littlebuddah earned 50 total points
ID: 12257840
whiting002 is spot on, Power user rights for authenticated users on the local machine will suffice and I know you seem to realize the risks but allowing all users power users rights will make the system a haven for spyware/malware/viruses/black hats etc.  If you give those rights and provide access to WWW you'll give yourself an admin nightmare.
0
 
LVL 2

Expert Comment

by:whiting002
ID: 12257873
Make sure you articulate these threats to your remote users and provide them with some sort of antispyware and antivirus software that they can run. Also include a file in their 'My Documents' folder or even on their desktop with instructions on how to run the antivirus and antispyware services and some courses of action if spyware or viruses are found.
0

 
LVL 1

Expert Comment

by:jacksonps4
ID: 12260682
You'll also need to set the "always install with elevated privileges" policy in Windows Installer so that the users can install the package without having admin or power user rights.  This policy needs to be set for both the user and the computer configurations to have any effect.

Computer / User Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> Always Install with elevated privileges (enable)

This is useful to help curb security risks to avoid users requiring domain admin privileges to install across any machine.

Then add the software package to the User Configuration as "Assigned".  This way, the application will be installed on whichever machine the user logs onto.

HTH
0
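
An added example, not part of the comment above: a PowerShell audit that reports whether the "Always install with elevated privileges" policy is actually in effect, which matters because with both halves enabled any MSI a user starts is installed with system privileges. The registry locations are the standard ones for this policy and do not come from the thread; the function names are hypothetical.

```powershell
# Added example: audit the Windows Installer "Always install with elevated
# privileges" policy. It only takes effect when BOTH the computer value and
# the user value are set to 1.

$valueName = 'AlwaysInstallElevated'
$subKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-PolicyValue {
    param([string]$Path)
    # Returns the DWORD value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$valueName }
    return $null
}

function Test-AlwaysInstallElevated {
    $machine = Get-PolicyValue -Path "HKLM:\$subKey"

    # Inspect every user hive currently loaded under HKEY_USERS, not only the
    # caller's own. The pattern skips service accounts and *_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $user = Get-PolicyValue -Path "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
        [pscustomobject]@{
            Sid          = $hive.PSChildName
            MachineValue = $machine
            UserValue    = $user
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

Test-AlwaysInstallElevated | Format-Table -AutoSize
```

Run it from an elevated prompt so that the hives of other logged-on users are readable; a row with `Effective` set to `True` means that account can install any MSI with elevated rights.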
 

Author Comment

by:Squirtle
ID: 12262254
Thanks for the replies so far.

crazijoe & jacksonps4 - like I said, publishing / assigning software isn't an option :(

whiting002 & littlebuddah - would this allow me to still log into the domain then and the users access the files from any computer because I noticed you can't set AD users as members of the 'Power Users' group? (don't know that much about all this)

Thanks again :D
0
 
LVL 1

Expert Comment

by:jacksonps4
ID: 12264466
If you're not worried about security, why not just give the users domain admin privileges? Then they can install any software on any machine.
0
 

Author Comment

by:Squirtle
ID: 12265662
Thanks, that lets the users install applications as I'd like but it means they have access to each other's locally saved 'My Documents'. Is there any way around this?
0
 
LVL 1

Expert Comment

by:jacksonps4
ID: 12265688
If the permissions on the "My Documents" folders are configured properly, this should be no problem.  For an example user 'test', set the folder permission so that SYSTEM has 'Full control', 'test' is the owner and has full control and remove all other entries.  This will prevent anyone other than the user 'test' from accessing the folder.  If you repeat this for all of your users, they will not be able to see each other's "My Documents".

However, the down side of this setup is that as users are domain admins, they can reset the permissions if they choose.  Obviously you could configure auditing so that you will know if someone has done this but it is not the ideal setup.  How many workstations are we talking about?  What you could do is ensure that all required users are "administrators" on all of the workstations but not domain admins - although if there are tens or hundreds of computers, it could take a while to sort out.

One other alternative might be (I've never tried it) to configure group policy so that although the users are domain admins, they have no rights on the file server.  You may be able to do this by setting the "deny logon locally" policy for the OU that contains the server.
0
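
An added example, not part of the comment above: a PowerShell check for the "My Documents" permission layout it describes (SYSTEM and the owning user only), useful for spotting folders where the ACL has been reset. It assumes profiles sit under `C:\Documents and Settings` and that each profile folder is named after the account; the function name and parameters are hypothetical.

```powershell
# Added example: flag "My Documents" folders whose ACL grants access to anyone
# other than SYSTEM and the folder's own user, or whose owner is not that user.
# Assumption: profile folder name equals the account name (adjust as needed).

function Test-DocumentsAcl {
    param(
        [string]$ProfilesRoot = 'C:\Documents and Settings',
        [string]$Domain       = $env:USERDOMAIN,
        [string]$FolderName   = 'My Documents'
    )
    foreach ($dir in Get-ChildItem -Path $ProfilesRoot -Directory) {
        $docs = Join-Path $dir.FullName $FolderName
        if (-not (Test-Path -LiteralPath $docs)) { continue }

        $expected = "$Domain\$($dir.Name)"
        $allowed  = @('NT AUTHORITY\SYSTEM', $expected)
        $acl      = Get-Acl -LiteralPath $docs

        # Any Allow entry for a trustee outside the expected pair is a finding.
        $extra = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $allowed -notcontains $_.IdentityReference.Value } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Folder        = $docs
            Owner         = $acl.Owner
            OwnerOk       = ($acl.Owner -eq $expected)
            ExtraTrustees = ($extra -join '; ')
            Inherits      = -not $acl.AreAccessRulesProtected
        }
    }
}

# Show only the folders that deviate from the intended layout.
Test-DocumentsAcl |
    Where-Object { -not $_.OwnerOk -or $_.ExtraTrustees -or $_.Inherits } |
    Format-List
```

Running this on a schedule alongside object-access auditing gives a record of when a folder's permissions drift from the intended two entries.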
 
LVL 2

Assisted Solution

by:whiting002
whiting002 earned 50 total points
ID: 12274999
I'm not suggesting you change their domain privileges.  I would leave Active Directory alone.  What you could do is set up all of your roaming users with admin rights on their local machines.  That's what I do here at my company with our Sales department.  They have laptops which they take all over the tri-state area and I have given them admin rights under their local computer but they have very limited rights once they sign on to my domain.  Basically they have two user accounts, a local account and then a domain account.  So you may have user "John" under domain "Acme" who has domain user privileges and then you have user "John" under domain "Laptop Computer" who has admin privileges.  The only setback that I have found with this is a slight inconvenience for my Sales employees when they are on the domain trying to install software.  They will be prompted asking for an account with permissions to install software; all they have to do is go down and change the domain from your network to the local machine and they should be fine.  Let me know if I didn't explain this well enough or if this will not work for whatever reason.
0
