Group Policy to allow software install

Posted on 2007-11-28
Last Modified: 2010-04-21
I am all new to this group policy, pardon a newb question. Win2003 AD, XP Pro desktops. I want to create a new Group - call it PowerUser - for this group I want to allow a member to install software. I will likely give a remote user membership to this group for a particular task, then take them off membership once that is done. Can someone provide me a pretty straightforward set of steps to do that? We are a small company with only one domain and basically an out of the box AD setup.
Question by:allan1956
LVL 48

Accepted Solution

Jay_Jay70 earned 250 total points
ID: 20369209
The only option I can think of would be to create the group, then use restricted groups to add it to the local admin group of each machine, and add your member to the group.

That would be the easiest and quickest way

Author Comment

ID: 20369657
Seems funny that this is hard or not been done a hundred times before. Perhaps I'm not explaining it well.

Right now I basically have domain users, domain admins, enterprise admins.
I'm not always in the office, so when a user needs to install I'll assign them to the enterprise admin group, they do the install, then I remove them from the group. I'd rather just have the old style PowerUser type group where they have some local admin capabilities like software install.


Author Comment

ID: 20369658
Raising this - w
LVL 48

Expert Comment

ID: 20369711
there is no solution other than admin need to understand that concept

never add your users to enterprise admins group, they simply need admin rights on the local machine

Author Comment

ID: 20370269
Jay, thanks for the procedural advice, though it doesn't give me a way to do what I need. You are helping clarify the requirement.

So here's what I want then: a way to add users to the local admin or powerusers group, and to remove them, without having to touch the workstation/PC.
Only want to touch the AD server.

One way is this, though it does require me to touch the Workstation once.
1- create a domain group: Temp-PowerUsers (or even Temp-Admin I guess)
2- log into the workstation, manage local groups and add Domain/Temp-PowerUsers to the local PowerUser Group

Then if I want to grant a domain user the right of PowerUser I just make them a member of Temp-PowerUsers, they log in to the workstation and voilà. When they are done, I remove their membership from Temp-PowerUser and the next login they lose those rights.

However the downside then is the need to touch every existing workstation and to make this part of the build procedure of every future PC.

Being spoiled, but is there a way to deploy a script or some policy trick to add a domain group to a Local group? In this case to add the domain Temp-PowerUser group to the local PowerUser group on each computer?

Of course I'm still open to other ideas, I tested the above approach and it seems to work with the imperfections I mentioned.

LVL 48

Expert Comment

ID: 20370372
Bro - read the first link I gave you - it tells you straight off the bat how to do exactly this from start to finish without having to touch machines to actually configure the membership :) :) :)

It's restricted groups :) makes life much easier

Author Comment

ID: 20371480
Ok, I see what you mean, but I have to assign the restricted group to the mydomain/administrators,
which I guess will make the users have all local administrator rights (correct??),
a bit more rights than I was hoping - wanted something equivalent to the local PowerUser rights.

Any other suggestions? If not we'll probably go with this.

LVL 48

Expert Comment

ID: 20371488
no - it means you assign a specific group, with specific members from AD, to all the local admin groups on every machine the policy applies to...that way you only have one user that you specify as the local admin...it's good for a service account for can just use that account on to install software

Author Comment

ID: 20371564
I have created a group called 'Temp-PowerUser' and it is a member of the Restricted Group.
The Restricted Group is a member of the domain's Administrators group (not DomainAdministrator).

Now if Tom or Sally, or Pete, ... needs to install software I assign him/her to Temp-PowerUsers and they log in and do their thing. I then remove him/her from Temp-PowerUsers.

While the user is a member of Temp-PowerUsers they will have local administrator rights on any machine the restricted policy applies to. Which is why I was hoping for something less than admin, like local poweruser.

We on the same page?  
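
The Restricted Groups setup discussed in this exchange is stored as a `[Group Membership]` section in the GPO's GptTmpl.inf security template. As an added example (not part of the original thread), this Python sketch audits that section and reports which principals end up in the built-in Administrators or Power Users groups, and whether the entry is additive ("Member of") or replaces the existing local membership ("Members"). The domain SID and RID in the sample are constructed placeholders.

```python
import re

# Well-known SIDs of the built-in local groups discussed in the thread.
BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed sample of a GptTmpl.inf fragment; the domain SID and RID are
# placeholders, not values from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

ENTRY = re.compile(r"^(.+?)__(memberof|members)\s*=\s*(.*)$", re.I)

def parse_group_membership(inf_text):
    """Return {(group, 'memberof'|'members'): [principals]} for the section."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line)
        if in_section and m:
            group, kind = m.group(1).lstrip("*"), m.group(2).lower()
            names = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
            entries[(group, kind)] = names
    return entries

def audit(inf_text):
    """List (local group, principal, mode) for entries touching built-in groups."""
    findings = []
    for (group, kind), names in parse_group_membership(inf_text).items():
        if kind == "memberof":
            # "Member of" is additive: 'group' is added to each listed group.
            for target in names:
                if target in BUILTIN:
                    findings.append((BUILTIN[target], group, "added"))
        elif group in BUILTIN:
            # "Members" is authoritative: the local group is reset to this list.
            for name in names:
                findings.append((BUILTIN[group], name, "replaces-existing"))
    return findings
```

Real GptTmpl.inf files under SYSVOL are normally UTF-16 encoded, so decode the file accordingly before passing its text to `audit`.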

LVL 48

Expert Comment

ID: 20377939
nope, you want to install software, you give admin rights, no exceptions, no workarounds, it's simple basic facts

I understand what you are asking, and I am giving you the answer that it's not going to happen....why would MS implement security, when we could simply undo it and work around it at a click of a few buttons...they wouldn't :)

Sorry mate, you have no other options that I am aware of

Expert Comment

ID: 21532560
I read through this thread and I'm a bit confused between User and Power User then. What is the point having both of these if it seems like they pretty much do the same thing?

The following about Users and Power Users are not true then??

Users: are prevented from making accidental or intentional system-wide changes and can run most applications.

Power Users: are included for backwards compatibility and possess limited administrative powers

I thought the meaning of Power Users will give them limited rights to install applications?


Expert Comment

ID: 31386616
From an IT Administrator standpoint, why are you letting your end users install software?
