Active Directory GPO to install and remove programs.

I would like to give an OU (help desk) the ability to install and remove programs. I don't want to give them any local machine rights unless they are temporarily granted through the GPO without them knowing the name and password.

In this case, I do not want to publish the application through AD or give the help desk local administrative privileges even though I can reduce their access to only installing programs.

I don't want them to have a "run as" account or a general account for this.

This is a 2003 AD with XP Pro on the desktop.

Thanks for your help.

The only GPO I can think of like this would be the "always install using elevated privileges".  But this only applies to .msi files, not regular .exe installers.

Things close to what you are alluding to will be available in Vista, but currently aren't built-in.

Third party software like the ones from DesktopStandard and Quest may do it, but they aren't cheap.

If another expert has an idea...
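Since the "always install with elevated privileges" policy mentioned above makes every MSI launched by any user install with SYSTEM rights once it is effective, an administrator will want to audit where it is switched on. The following PowerShell check is an added example, not code from this thread or from any of the products named; it assumes PowerShell is available on the host being checked, and it reads the two policy values that Windows Installer requires to both be 1 before the setting takes effect.

```powershell
# Added audit example: reports whether "Always install with elevated privileges"
# is effective on this host. Windows Installer honours the policy only when BOTH
# the machine value and the current user's value are 1; one alone does nothing.
# Assumes PowerShell is available on the host (not the case on a stock XP image).

function Get-AlwaysInstallElevatedState {
    $subKey = 'Software\Policies\Microsoft\Windows\Installer'
    $hives  = @{
        Machine = "HKLM:\$subKey"
        User    = "HKCU:\$subKey"
    }
    $state = @{}
    foreach ($scope in $hives.Keys) {
        $path  = $hives[$scope]
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated' `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        # A missing value, or anything other than 1, means "not set" in that scope.
        $state[$scope] = ($value -eq 1)
    }
    [pscustomobject]@{
        MachineEnabled = $state.Machine
        UserEnabled    = $state.User
        # The policy is effective only when both scopes are set.
        Effective      = ($state.Machine -and $state.User)
    }
}

$result = Get-AlwaysInstallElevatedState
if ($result.Effective) {
    Write-Warning 'AlwaysInstallElevated is effective: every MSI this user launches installs with SYSTEM rights.'
} elseif ($result.MachineEnabled -or $result.UserEnabled) {
    Write-Output 'AlwaysInstallElevated is set in only one scope; it has no effect until both values are 1.'
} else {
    Write-Output 'AlwaysInstallElevated is not configured.'
}
$result
```

Run it in the context of the user account you are auditing, since the HKCU half of the check depends on who is logged on.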
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Probably the best way to accomplish this would be to create a DOMAIN SECURITY GROUP which you can add to the LOCAL Administrators group on the workstations.  Then, make the help desk users members of the security group.  Their own username and password will give them local admin rights.  You can then disable the security group, essentially turning it off and on when needed.

grountree (Author) commented:
Thanks Cleaner, I will look into these 2 products.

Jeff, this is a great idea but with 1100 users, ERP systems, and 10 help desk people this is not possible.

How are other people dealing with this problem? In the past our help desk had the local admin password, that I would change if someone left, and they would use this to install software.

Any other ideas out there?
Your best bet if you have that many workstations is to use something like SMS.  Then you can deploy/remove programs from the workstations through SMS.

You can assign delegated rights to the helpdesk that would allow them access to the SMS console to add/remove programs to various workstations/groups/etc as well as run software audits on those workstations and make sure they are compliant.

Thanks for the points.