
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6597

Group Policy to allow software install

I am all new to this group policy, pardon a newb question. Win2003 AD, XP Pro desktops. I want to create a new Group - call it PowerUser - for this group I want to allow a member to install software. I will likely give a remote user membership to this group for a particular task, then take them off membership once that is done. Can someone provide me a pretty straightforward set of steps to do that? We are a small company with only one domain and basically an out of the box AD setup.
1 Solution
The only option I can think of would be to create the group, then use restricted groups to add it to the local admin group of each machine, and add your member to the group.

That would be the easiest and quickest way
allan1956Author Commented:
Seems funny that this is hard or has not been done a hundred times before. Perhaps I'm not explaining it well.

Right now I basically have domain users, domain admins, enterprise admins
I'm not always in the office, so when a user needs to install I'll assign them to the enterprise admin group, they do the install, then I remove them from the group. I'd rather just have the old style PowerUser type group where they have some local admin capabilities like software install.

allan1956Author Commented:
Raising this - w

there is no solution other than admin need to understand that concept

never add your users to enterprise admins group, they simply need admin rights on the local machine
allan1956Author Commented:
Jay, thanks for the procedural advice, though it doesn't give me a way to do what I need. You are helping clarify the requirement.

So here's what I want then: a way to add users to the local admin or powerusers group, and to remove them, without having to touch the workstation/PC.
Only want to touch the AD server.

One way is this, though it does require me to touch the Workstation once.
1- create a domain group:  Temp-PowerUsers (or even Temp-Admin i guess)
2- log into the workstation, manage local groups and add Domain/Temp-PowerUsers to the local PowerUser Group

Then if I want to grant a domain user the right of PowerUser I just make them a member of Temp-PowerUsers, they log into the workstation and voilà. When they are done, I remove their membership from Temp-PowerUser and at the next login they lose those rights.

However the downside then is the need to touch every existing workstation and to make this part of the build procedure of every future PC.

Being spoiled, but is there a way to deploy a script or some policy trick to add a domain group to a Local group?  In this case  to add the domain Temp-PowerUser group to the local PowerUser group on each computer?

Of course I'm still open to other ideas, I tested the above approach and it seems to work with the imperfections I mentioned.

Bro - read the first link I gave you - it tells you straight off the bat how to do exactly this from start to finish without having to touch machines to actually configure the membership :) :) :)

It's restricted groups :) makes life much easier
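
As an added illustration (not part of the original thread, and not taken from the linked article): the Restricted Groups setting discussed above is stored in the GPO's security template, GptTmpl.inf. The domain group SID below is a placeholder for the thread's Temp-PowerUsers group; S-1-5-32-544 and S-1-5-32-547 are the well-known SIDs of the local Administrators and Power Users groups.

```ini
; GptTmpl.inf fragment for a GPO linked to the workstation OU.
; Illustrative only: the S-1-5-21-<domain>-<RID> value is a placeholder
; for the SID of the domain group (Temp-PowerUsers in this thread).

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Variant described in the answers: the domain group becomes a member
; of the local Administrators group (full local admin rights).
*S-1-5-21-<domain>-<RID>__Memberof = *S-1-5-32-544
*S-1-5-21-<domain>-<RID>__Members =

; Variant matching what the asker did by hand on one workstation:
; nest the same domain group in the local Power Users group instead.
; Use one variant or the other, not both.
; *S-1-5-21-<domain>-<RID>__Memberof = *S-1-5-32-547
; *S-1-5-21-<domain>-<RID>__Members =
```

The `__Memberof` form adds the domain group to the local group and leaves that local group's existing members alone, whereas defining the local group itself with a `__Members` list replaces its membership on every machine the policy applies to. Leaving the domain group's own `__Members` line empty in the template means its membership is whatever is set in Active Directory, which is what allows rights to be granted and revoked from the AD side only.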
allan1956Author Commented:
Ok, I see what you mean, but I have to assign the restricted group to the mydomain/administrators
Which I guess will make the users have all local administrator rights, (correct??)
a bit more rights than I was hoping - wanted something equivalent to the local PowerUser rights

Any other suggestions? If not we'll probably go with this

No - it means you assign a specific group, with specific members from AD, to all the local admin groups on every machine that the policy applies to... that way you only have one user that you specify as the local admin... it's good for a service account, you can just use that account to install software
allan1956Author Commented:
I have created a group called 'Temp-PowerUser' and it is a member of the Restricted Group
The Restricted Group is a member of the domain's Administrators group (not DomainAdministrator)

Now if Tom or Sally, or Pete, ... needs to install software I assign him/her to Temp-PowerUsers and they log in and do their thing. I then remove him/her from Temp-PowerUsers

While the user is a member of Temp-PowerUsers they will have local administrator rights on any machine the restricted policy applies to. Which is why I was hoping for something less than admin, like local poweruser.

We on the same page?  

Nope, you want to install software, you give admin rights, no exceptions, no workarounds, it's simple basic facts

I understand what you are asking, and I am giving you the answer that it's not going to happen... why would MS implement security, when we could simply undo it and work around it at a click of a few buttons... they wouldn't :)

Sorry mate you have no other options that i am aware of
I read through this thread and I'm a bit confused between User and Power User then. What is the point of having both of these if it seems like they pretty much do the same thing?

The following about Users and Power Users are not true then??

Users:   are prevented from making accidental or intentional system-wide changes and can run most applications.

Power Users:     are included for backwards compatibility and possess limited administrative powers

I thought the meaning of Power Users was that it will give them limited rights to install applications?

From an IT Administrator standpoint, why are you letting your end users install software?