?
Solved

GP Setting ? for Domain Users

Posted on 2006-04-02
7
Medium Priority
?
224 Views
Last Modified: 2010-08-05
Hi,

Is there a GPSetting which would permit domain users to install applications on a domain computer without asssigning admin priviledges?
0
Comment
Question by:zoon06
  • 3
  • 2
  • 2
7 Comments
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 16356680
They actually need to be a member of the local admin group, but not the domain admin group. It gives up a lot of control but not as much ad domain admin. An easy way to make them a member of the local Admin account is to enable Restricted Groups in Group Policy. This will automatically add the users or a group to which they are a member to the local admin account:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://support.microsoft.com/Default.aspx?kbid=279301

Note: apply the policy to an OU, do not apply to the Domain policy as it is possible to lock yourself out with restricted groups. You don't want to apply this, as a rule, to your servers.
0
 
LVL 10

Accepted Solution

by:
Walter Padrón earned 200 total points
ID: 16362100
GPO/Administrative Templates/Windows Installer/Always Install with Elevated Privileges
there are others policy settings you can configure too.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/324.asp
http://www.jsifaq.com/subG/TIP3200/rh3292.htm
0
 

Author Comment

by:zoon06
ID: 16373864
To wpadron & Rob,

"WP":  The msdn article to which you refer suggests that both user and computer configuration options are required to be enabled.  Conversely, the jsifaq makes no mention of this.  So my first question is, which is accurate?  Enable both or CC only?

Rob/WP:  It seems each suggestion will work, so I wonder which of the two solutions will provide the lower security risk, vis a vis, elevating user rights to a higher level?

Did I formulate this question correctly?  
0
Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

 
LVL 78

Expert Comment

by:Rob Williams
ID: 16374792
I would assume wpadron's recommendation would maintain greater security as it is not giving up as much control, assuming that works for you. Having said that, a well informed user may be able to achieve more that you want them to, as warned by both articles, but at least initial configuration is maintains more control.

As you suggested, Microsoft article clearly states, it must be enabled for both UC and CC, that may be the case archive all the required permissions, though I would have thought only UC would have don it for you. I have not used this method, so hopefully wpadron will have more input.
--Rob
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16376552
zoon06, the answer to your first question is follow Microsoft article as RobWill points too.

to your second question, is not generally a good idea to let users install software on their own. Using the Windows Installer way you make things a little hard because the users need to know how to escalate privileges because you don't grant explicitly Administrator privileges to them, but that's is security by obscurity. Neither solution give you security at all if security is your concern.
0
 

Author Comment

by:zoon06
ID: 16395231
Thanks.  While I'm aware of the risks of this practise, we had a stubborn customer who just wouldn't accept loggin on and off to install software, nor would he accept RIS as a solution...Anyways, both suggestions work so I decided to split the points.  Hope you're both satisfied.  Btw Rob, I'm really enjoying the forum and structure here, its the most comprehensive on the net...

Omar
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16396278
Thanks zoon06.  
Glad to hear you are enjoying the forum, it seems to me to be one of the best. Great help, lots of inpu,t and everybody seems far more polite than other forums.
--Rob
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
I came across an unsolved Outlook issue and here is my solution.
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses
Course of the Month13 days, 22 hours left to enroll

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question