GP Setting ? for Domain Users

Hi,

Is there a GP setting which would permit domain users to install applications on a domain computer without assigning admin privileges?
zoon06 Asked:
 
Walter Padrón Commented:
GPO/Administrative Templates/Windows Installer/Always Install with Elevated Privileges
There are other policy settings you can configure too.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/324.asp
http://www.jsifaq.com/subG/TIP3200/rh3292.htm
0
 
Rob Williams Commented:
They actually need to be a member of the local admin group, but not the domain admin group. It gives up a lot of control but not as much as domain admin. An easy way to make them a member of the local Admin account is to enable Restricted Groups in Group Policy. This will automatically add the users, or a group of which they are a member, to the local admin account:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://support.microsoft.com/Default.aspx?kbid=279301

Note: apply the policy to an OU, do not apply to the Domain policy as it is possible to lock yourself out with restricted groups. You don't want to apply this, as a rule, to your servers.
0
 
zoon06 (Author) Commented:
To wpadron & Rob,

"WP":  The msdn article to which you refer suggests that both user and computer configuration options are required to be enabled.  Conversely, the jsifaq makes no mention of this.  So my first question is, which is accurate?  Enable both or CC only?

Rob/WP:  It seems each suggestion will work, so I wonder which of the two solutions will provide the lower security risk, vis a vis, elevating user rights to a higher level?

Did I formulate this question correctly?  
0
 
Rob Williams Commented:
I would assume wpadron's recommendation would maintain greater security as it is not giving up as much control, assuming that works for you. Having said that, a well-informed user may be able to achieve more than you want them to, as warned by both articles, but at least the initial configuration maintains more control.

As you suggested, the Microsoft article clearly states it must be enabled for both UC and CC; that may be the case to achieve all the required permissions, though I would have thought only UC would have done it for you. I have not used this method, so hopefully wpadron will have more input.
--Rob
0
 
Walter Padrón Commented:
zoon06, the answer to your first question is to follow the Microsoft article, as RobWill points out too.

To your second question: it is not generally a good idea to let users install software on their own. Using the Windows Installer way you make things a little harder, because the users need to know how to escalate privileges since you don't explicitly grant Administrator privileges to them, but that is security by obscurity. Neither solution gives you security at all, if security is your concern.
0
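An audit check for the two approaches discussed in this thread, added here as an example and not posted by any participant. It reports whether "Always install with elevated privileges" is enabled in the computer and user policy scopes and who is in the local Administrators group; the function name is hypothetical, and the registry paths are the standard locations where this policy is stored.

```powershell
# Added example: audit a workstation for the two options discussed in the thread.
# The function name Get-InstallPrivilegeAudit is hypothetical.
function Get-InstallPrivilegeAudit {
    [CmdletBinding()]
    param()

    # Where the "Always install with elevated privileges" policy is stored:
    # Computer Configuration -> HKLM, User Configuration -> HKCU.
    $policyKeys = [ordered]@{
        Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }

    $state = [ordered]@{}
    foreach ($scope in $policyKeys.Keys) {
        # A missing key or value means the policy is not configured in that scope.
        $value = (Get-ItemProperty -Path $policyKeys[$scope] `
                    -Name 'AlwaysInstallElevated' `
                    -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $state[$scope] = ($value -eq 1)
    }

    # Local Administrators, resolved by well-known SID so the lookup also
    # works on non-English Windows installations.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        ElevatedInstallComputer = $state.Computer
        ElevatedInstallUser     = $state.User
        # The policy only takes effect when both scopes are enabled.
        ElevatedInstallActive   = ($state.Computer -and $state.User)
        LocalAdministrators     = @($admins)
    }
}

Get-InstallPrivilegeAudit | Format-List
```

The HKCU value reflects the account running the function, so run it in the session of the user being audited.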
 
zoon06 (Author) Commented:
Thanks.  While I'm aware of the risks of this practise, we had a stubborn customer who just wouldn't accept logging on and off to install software, nor would he accept RIS as a solution... Anyways, both suggestions work so I decided to split the points.  Hope you're both satisfied.  Btw Rob, I'm really enjoying the forum and structure here, it's the most comprehensive on the net...

Omar
0
 
Rob Williams Commented:
Thanks zoon06.
Glad to hear you are enjoying the forum, it seems to me to be one of the best. Great help, lots of input, and everybody seems far more polite than other forums.
--Rob
0
Question has a verified solution.
