Active Directory GPO to install and remove programs.

Posted on 2006-04-05
Last Modified: 2010-04-19
I would like to give an OU (help desk) the ability to install and remove programs. I don't want to give them any local machine rights unless they are temporarily granted through the GPO without them knowing the name and password.

In this case, I do not want to publish the application through AD or give the help desk local administrative privileges even though I can reduce their access to only installing programs.

I don't want them to have a "run as" account or a general account for this.

This is a 2003 AD with XP Pro on the desktop.

Thanks for your help.
Question by:grountree
    LVL 23

    Expert Comment

    The only GPO I can think of like this would be the "always install using elevated privileges".  But this only applies to .msi files, not regular .exe installers.

    Things close to what you are alluding to will be available in Vista, but currently aren't built-in.

    Third party software like the ones from DesktopStandard and Quest may do it, but they aren't cheap.

    If another expert has an idea...
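
Added example, not part of the original thread: the "Always install with elevated privileges" policy takes effect only when `AlwaysInstallElevated` is 1 in both the machine hive and the user's hive, and Microsoft documents it as equivalent to granting full administrative rights, so it is worth auditing where it is actually in force. This PowerShell sketch assumes it is run elevated on the workstation; the function names are hypothetical.

```powershell
# Added example: audit the "Always install with elevated privileges" policy.
# The policy is effective only when AlwaysInstallElevated = 1 in BOTH the
# machine hive and the hive of the user running the installer.
$SubKey = 'Software\Policies\Microsoft\Windows\Installer'

function Get-AieValue {
    param([string]$RegPath)
    # Returns the DWORD value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $RegPath -Name AlwaysInstallElevated `
                             -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.AlwaysInstallElevated } else { $null }
}

function Test-AlwaysInstallElevated {
    $machine = Get-AieValue "Registry::HKEY_LOCAL_MACHINE\$SubKey"

    # HKCU shows only the auditing account, so walk every loaded user hive.
    # The *_Classes entries are per-user class registrations, not policy hives.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $user = Get-AieValue "Registry::HKEY_USERS\$($hive.PSChildName)\$SubKey"
        New-Object PSObject -Property @{
            Sid          = $hive.PSChildName
            MachineValue = $machine
            UserValue    = $user
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

# List only the loaded user profiles for which the policy is in force.
Test-AlwaysInstallElevated |
    Where-Object { $_.Effective } |
    Format-Table Sid, MachineValue, UserValue -AutoSize
```

Only hives loaded at the time of the check are covered, so users who are not logged on are not reported.
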
    LVL 74

    Expert Comment

    by:Jeffrey Kane - TechSoEasy
    Probably the best way to accomplish this would be to create a DOMAIN SECURITY GROUP which you can add to the LOCAL Administrator's group on the workstations.  Then, make the help desk users members of the security group.  Their own username and password will give them local admin rights.  You can then disable the security group, essentially turning it off and on when needed.


    Author Comment

    Thanks Cleaner, I will look into these 2 products.

    Jeff, this is a great idea but with 1100 users, ERP systems, and 10 help desk people this is not possible.

    How are other people dealing with this problem? In the past our help desk had the local admin password, that I would change if someone left, and they would use this to install software.

    Any other ideas out there?
    LVL 23

    Accepted Solution

    Your best bet if you have that many workstations is to use something like SMS.  Then you can deploy/remove programs from the workstations through SMS.

    You can assign delegated rights to the helpdesk that would allow them access to the SMS console to add/remove programs to various workstations/groups/etc as well as run software audits on those workstations and make sure they are compliant.
    LVL 23

    Expert Comment

    Thanks for the points.
