Solved

Group Policy to allow software install

Posted on 2007-11-28
Last Modified: 2010-04-21
I am all new to this group policy, pardon a newb question. Win2003 AD, XP Pro desktops. I want to create a new group - call it PowerUser - and for this group I want to allow a member to install software. I will likely give a remote user membership to this group for a particular task, then take them off membership once that is done. Can someone provide me a pretty straightforward set of steps to do that? We are a small company with only one domain and basically an out-of-the-box AD setup.
0
Question by:allan1956
12 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 750 total points
ID: 20369209
The only option I can think of would be to create the group, then use Restricted Groups to add it to the local admin group of each machine, and add your member to the group.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

That would be the easiest and quickest way
0
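The Restricted Groups setting recommended in the answer above is stored in the GPO's GptTmpl.inf security template, so what a policy grants can be reviewed from the file. The following is an added example (not from the linked article or any poster) that parses that section and reports which principals end up in the local Administrators or Power Users group; it goes beyond the thread in distinguishing the additive "member of" form from the "members" form that replaces local membership. The domain SID, RID 1105 and the MYDOMAIN name are constructed.

```python
import configparser

# Well-known SIDs of the built-in local groups discussed in this thread.
BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed sample of the [Group Membership] section that a Restricted
# Groups policy writes; the domain SID, RID 1105 and MYDOMAIN are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = MYDOMAIN\\Temp-PowerUsers
"""


def audit_restricted_groups(inf_text):
    """Return (principal, local_group, mode) for each grant into a built-in group."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.optionxform = str  # keep the case of account names
    cp.read_string(inf_text)
    findings = []
    if not cp.has_section("Group Membership"):
        return findings
    for key, value in cp.items("Group Membership"):
        subject, _, kind = key.rpartition("__")
        subject = subject.lstrip("*")  # "*" marks a SID rather than a name
        listed = [v.strip().lstrip("*") for v in (value or "").split(",") if v.strip()]
        if kind.lower() == "memberof":
            # "This group is a member of": subject is added to each listed
            # group; members already in that local group are left alone.
            findings += [(subject, BUILTIN[t], "added") for t in listed if t in BUILTIN]
        elif kind.lower() == "members" and subject in BUILTIN:
            # "Members of this group": the local group is set to this list,
            # so accounts not listed here are removed when policy applies.
            findings += [(m, BUILTIN[subject], "replaces") for m in listed]
    return findings


if __name__ == "__main__":
    for principal, group, mode in audit_restricted_groups(SAMPLE_INF):
        print(f"{principal} -> local {group} ({mode})")
```

A GptTmpl.inf copied from SYSVOL is typically UTF-16 encoded, so decode it to text before passing it to the function.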
 

Author Comment

by:allan1956
ID: 20369657
Seems funny that this is hard or has not been done a hundred times before. Perhaps I'm not explaining it well.

Right now I basically have domain users, domain admins, enterprise admins.
I'm not always in the office, so when a user needs to install I'll assign them to the enterprise admin group, they do the install, then I remove them from the group. I'd rather just have the old-style PowerUser type group where they have some local admin capabilities like software install.

0
 

Author Comment

by:allan1956
ID: 20369658
Raising this - w
0

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20369711
there is no solution other than admin rights.....you need to understand that concept

never add your users to enterprise admins group, they simply need admin rights on the local machine
0
 

Author Comment

by:allan1956
ID: 20370269
Jay, thanks for the procedural advice, though it doesn't give me a way to do what I need. You are helping clarify the requirement.

So here's what I want then: a way to add users to the local admin or powerusers group, and to remove them, without having to touch the workstation/PC.
Only want to touch the AD server.

One way is this, though it does require me to touch the Workstation once.
1- create a domain group: Temp-PowerUsers (or even Temp-Admin I guess)
2- log into the workstation, manage local groups and add Domain/Temp-PowerUsers to the local PowerUser Group

Then if I want to grant a domain user the right of PowerUser I just make them a member of Temp-PowerUsers, they log into the workstation and voilà. When they are done, I remove their membership from Temp-PowerUser and at the next login they lose those rights.

However the downside then is the need to touch every existing workstation and to make this part of the build procedure of every future PC.

Being spoiled, but is there a way to deploy a script or some policy trick to add a domain group to a Local group?  In this case  to add the domain Temp-PowerUser group to the local PowerUser group on each computer?

Of course I'm still open to other ideas, I tested the above approach and it seems to work with the imperfections I mentioned.


0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20370372
Bro - read the first link I gave you - it tells you straight off the bat how to do exactly this from start to finish without having to touch machines to actually configure the membership :) :) :)

It's restricted groups :) makes life much easier
0
 

Author Comment

by:allan1956
ID: 20371480
Ok, I see what you mean, but I have to assign the restricted group to the mydomain/administrators,
which I guess will make the users have all local administrator rights (correct??),
a bit more rights than I was hoping - wanted something equivalent to the local PowerUser rights.

Any other suggestions? If not we'll probably go with this.


0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20371488
No - it means you assign a specific group, with specific members from AD, to all the local admin groups on every machine that the policy applies to... that way you only have one user that you specify as the local admin... it's good for a service account, for example... you can just use that account to install software
0
 

Author Comment

by:allan1956
ID: 20371564
I have created a group called 'Temp-PowerUser' and it is a member of the Restricted Group.
The Restricted Group is a member of the domain's Administrators group (not DomainAdministrator).

Now if Tom, or Sally, or Pete, ... needs to install software, I assign him/her to Temp-PowerUsers and they log in and do their thing. I then remove him/her from Temp-PowerUsers.

While the user is a member of Temp-PowerUsers they will have local administrator rights on any machine the restricted policy applies to. Which is why I was hoping for something less than admin, like local poweruser.

We on the same page?  



0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20377939
Nope, you want to install software, you give admin rights, no exceptions, no workarounds, it's simple basic facts.

I understand what you are asking, and I am giving you the answer that it's not going to happen.... why would MS implement security, when we could simply undo it and work around it at a click of a few buttons... they wouldn't :)

Sorry mate, you have no other options that I am aware of.
0
 

Expert Comment

by:janzalon
ID: 21532560
I read through this thread and I'm a bit confused between User and Power User then. What is the point of having both of these if it seems like they pretty much do the same thing?

The following about Users and Power Users are not true then??

Users:   are prevented from making accidental or intentional system-wide changes and can run most applications.

Power Users:     are included for backwards compatibility and possess limited administrative powers

I thought the meaning of Power Users will give them limited rights to install applications?

Thanks!
0
 

Expert Comment

by:mt3dek
ID: 31386616
From an IT Administrator standpoint, why are you letting your end users install software?
0


Question has a verified solution.
