Active Directory GPO to install and remove programs.

I would like to give an OU (help desk) the ability to install and remove programs. I don't want to give them any local machine rights unless they are temporarily granted through the GPO without them knowing the name and password.

In this case, I do not want to publish the application through AD or give the help desk local administrative privileges even though I can reduce their access to only installing programs.

I don't want them to have a "run as" account or a general account for this.

This is a 2003 AD with XP Pro on the desktop.

Thanks for your help.
1 Solution
The only GPO I can think of like this would be the "always install using elevated privileges".  But this only applies to .msi files, not regular .exe installers.

Things close to what you are alluding to will be available in Vista, but currently aren't built-in.

Third party software like the ones from DesktopStandard and Quest may do it, but they aren't cheap.

If another expert has an idea...
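As an added example that is not part of the thread, the check below reports whether the "Always install with elevated privileges" Windows Installer policy mentioned above is actually in force on a workstation; Windows honours it only when both the Computer Configuration and User Configuration values are set, and once in force every MSI launched by any user installs with SYSTEM rights, which is why it is worth auditing before relying on it. It assumes a host with PowerShell available (the registry paths are the documented policy locations; an XP-era machine without PowerShell would need reg query instead).

```powershell
# Added example, not from the thread: report whether the
# "Always install with elevated privileges" Windows Installer policy is effective.
# The policy only takes effect when BOTH the machine-scope and user-scope
# values are 1; with it in force, any MSI run by any user installs as SYSTEM.

$PolicyPaths = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $result = [ordered]@{}
    foreach ($scope in 'Machine', 'User') {
        $enabled = $false
        if (Test-Path $PolicyPaths[$scope]) {
            # The key can exist without this value, so tolerate a missing property
            $item = Get-ItemProperty -Path $PolicyPaths[$scope] `
                                     -Name 'AlwaysInstallElevated' `
                                     -ErrorAction SilentlyContinue
            $enabled = ($null -ne $item -and $item.AlwaysInstallElevated -eq 1)
        }
        $result["${scope}Enabled"] = $enabled
    }
    # Effective only when both scopes are enabled
    $result['Effective'] = $result['MachineEnabled'] -and $result['UserEnabled']
    return [pscustomobject]$result
}

$state = Get-AlwaysInstallElevatedState
$state | Format-List

if ($state.Effective) {
    Write-Warning 'AlwaysInstallElevated is in force: every MSI run by any user installs as SYSTEM.'
} elseif ($state.MachineEnabled -or $state.UserEnabled) {
    Write-Output 'AlwaysInstallElevated is set in only one scope, so it is not effective; check the GPO for the other scope.'
} else {
    Write-Output 'AlwaysInstallElevated is not set.'
}
```

The HKLM policy key is readable by standard users, so the check does not itself need administrative rights.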
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Probably the best way to accomplish this would be to create a DOMAIN SECURITY GROUP which you can add to the LOCAL Administrators group on the workstations.  Then, make the help desk users members of the security group.  Their own username and password will give them local admin rights.  You can then disable the security group, essentially turning it off and on when needed.

grountree (Author) commented:
Thanks Cleaner, I will look into these 2 products.

Jeff, this is a great idea but with 1100 users, ERP systems, and 10 help desk people this is not possible.

How are other people dealing with this problem? In the past our help desk had the local admin password, that I would change if someone left, and they would use this to install software.

Any other ideas out there?
Your best bet if you have that many workstations is to use something like SMS.  Then you can deploy/remove programs from the workstations through SMS.

You can assign delegated rights to the helpdesk that would allow them access to the SMS console to add/remove programs to various workstations/groups/etc as well as run software audits on those workstations and make sure they are compliant.
Thanks for the points.
