We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


GP Setting ? for Domain Users

zoon06 asked
Medium Priority
Last Modified: 2010-08-05

Is there a GPSetting which would permit domain users to install applications on a domain computer without asssigning admin priviledges?
Watch Question

Top Expert 2013
They actually need to be a member of the local admin group, but not the domain admin group. It gives up a lot of control but not as much ad domain admin. An easy way to make them a member of the local Admin account is to enable Restricted Groups in Group Policy. This will automatically add the users or a group to which they are a member to the local admin account:

Note: apply the policy to an OU, do not apply to the Domain policy as it is possible to lock yourself out with restricted groups. You don't want to apply this, as a rule, to your servers.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
GPO/Administrative Templates/Windows Installer/Always Install with Elevated Privileges
there are others policy settings you can configure too.



To wpadron & Rob,

"WP":  The msdn article to which you refer suggests that both user and computer configuration options are required to be enabled.  Conversely, the jsifaq makes no mention of this.  So my first question is, which is accurate?  Enable both or CC only?

Rob/WP:  It seems each suggestion will work, so I wonder which of the two solutions will provide the lower security risk, vis a vis, elevating user rights to a higher level?

Did I formulate this question correctly?  
Top Expert 2013

I would assume wpadron's recommendation would maintain greater security as it is not giving up as much control, assuming that works for you. Having said that, a well informed user may be able to achieve more that you want them to, as warned by both articles, but at least initial configuration is maintains more control.

As you suggested, Microsoft article clearly states, it must be enabled for both UC and CC, that may be the case archive all the required permissions, though I would have thought only UC would have don it for you. I have not used this method, so hopefully wpadron will have more input.
zoon06, the answer to your first question is follow Microsoft article as RobWill points too.

to your second question, is not generally a good idea to let users install software on their own. Using the Windows Installer way you make things a little hard because the users need to know how to escalate privileges because you don't grant explicitly Administrator privileges to them, but that's is security by obscurity. Neither solution give you security at all if security is your concern.


Thanks.  While I'm aware of the risks of this practise, we had a stubborn customer who just wouldn't accept loggin on and off to install software, nor would he accept RIS as a solution...Anyways, both suggestions work so I decided to split the points.  Hope you're both satisfied.  Btw Rob, I'm really enjoying the forum and structure here, its the most comprehensive on the net...

Top Expert 2013

Thanks zoon06.  
Glad to hear you are enjoying the forum, it seems to me to be one of the best. Great help, lots of inpu,t and everybody seems far more polite than other forums.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.