Solved

Group Policy to allow software install

Posted on 2007-11-28
Last Modified: 2010-04-21
I am all new to this group policy, pardon a newb question.  Win2003 AD, XP Pro desktops.  I want to create a new Group - call it PowerUser - for this group I want to allow a member to install software.  I will likely give a remote user membership to this group for a particular task, then take them off membership once that is done.  Can someone provide me a pretty straightforward set of steps to do that?  We are a small company with only one domain and basically an out of the box AD setup.
Question by:allan1956
12 Comments
 
Accepted Solution

by: Jay_Jay70 earned 250 total points
The only option I can think of would be to create the group, then use Restricted Groups to add it to the local admin group of each machine, and add your member to the group.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

That would be the easiest and quickest way
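
An added example, not part of the original thread or the linked article: a Restricted Groups setting is stored in the GPO's `GptTmpl.inf` under a `[Group Membership]` section, and this Python audit lists every principal such a template places in the local Administrators or Power Users group and whether the entry is additive (`__Memberof`) or authoritative (`__Members`). The sample template, its domain SID and the function names are constructed for illustration.

```python
# Added example: audit the [Group Membership] section of a GPO security template.
# Keys are lower-cased so both SIDs and unresolved group names match.
PRIVILEGED = {
    "s-1-5-32-544": "Administrators",   # well-known SID, BUILTIN\Administrators
    "s-1-5-32-547": "Power Users",      # well-known SID, BUILTIN\Power Users
    "administrators": "Administrators",
    "power users": "Power Users",
}

# Constructed sample: the S-1-5-21-1111-2222-3333 domain SID and RIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
*S-1-5-32-547__Members = *S-1-5-21-1111-2222-3333-1106,*S-1-5-21-1111-2222-3333-1107
[Version]
signature="$CHICAGO$"
"""

def _principals(value):
    """Split a comma-separated principal list, dropping the '*' SID marker."""
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]

def audit_restricted_groups(inf_text):
    """Return (local_group, principal, mode) for each grant to a privileged group."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        group, sep, kind = key.rpartition("__")
        group, kind = group.lstrip("*"), kind.lower()
        if sep and kind == "members" and group.lower() in PRIVILEGED:
            # "Members of this group": listed principals replace current members.
            findings += [(PRIVILEGED[group.lower()], p, "replace")
                         for p in _principals(value)]
        elif sep and kind == "memberof":
            # "This group is a member of": the group is added to each target.
            findings += [(PRIVILEGED[t.lower()], group, "add")
                         for t in _principals(value) if t.lower() in PRIVILEGED]
    return findings

if __name__ == "__main__":
    for finding in audit_restricted_groups(SAMPLE_INF):
        print(finding)
```

Entries reported as `replace` are authoritative: at policy refresh, local members not listed in the policy are removed from that group, so review them before linking the GPO.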

Author Comment

by:allan1956
Seems funny that this is hard or not been done a hundred times before.  Perhaps I'm not explaining it well.

Right now I basically have domain users, domain admins, enterprise admins.
I'm not always in the office, so when a user needs to install I'll assign them to the enterprise admin group, they do the install, then I remove them from the group.  I'd rather just have the old style PowerUser type group where they have some local admin capabilities like software install.


Author Comment

by:allan1956
Raising this - w

Expert Comment

by:Jay_Jay70
There is no solution other than admin rights... you need to understand that concept.

Never add your users to the Enterprise Admins group; they simply need admin rights on the local machine.

Author Comment

by:allan1956
Jay, thanks for the procedural advice, though it doesn't give me a way to do what I need.  You are helping clarify the requirement.

So here's what I want then: a way to add users to the local admin or powerusers group, and to remove them, without having to touch the workstation/PC.
Only want to touch the AD server.

One way is this, though it does require me to touch the workstation once.
1- create a domain group:  Temp-PowerUsers (or even Temp-Admin I guess)
2- log into the workstation, manage local groups and add Domain/Temp-PowerUsers to the local PowerUser Group

Then if I want to grant a domain user the right of PowerUser I just make them a member of Temp-PowerUsers, they log in to the workstation and voilà.  When they are done, I remove their membership from Temp-PowerUser and at the next login they lose those rights.

However, the downside then is the need to touch every existing workstation and to make this part of the build procedure of every future PC.

Being spoiled, but is there a way to deploy a script or some policy trick to add a domain group to a local group?  In this case, to add the domain Temp-PowerUser group to the local PowerUser group on each computer?

Of course I'm still open to other ideas. I tested the above approach and it seems to work, with the imperfections I mentioned.



Expert Comment

by:Jay_Jay70
Bro - read the first link I gave you - it tells you straight off the bat how to do exactly this from start to finish without having to touch machines to actually configure the membership :) :) :)

It's Restricted Groups :) makes life much easier

Author Comment

by:allan1956
OK, I see what you mean, but I have to assign the restricted group to the mydomain/administrators,
which I guess will make the users have all local administrator rights (correct??),
a bit more rights than I was hoping - wanted something equivalent to the local PowerUser rights.

Any other suggestions?  If not, we'll probably go with this.



Expert Comment

by:Jay_Jay70
No - it means you assign a specific group, with specific members from AD, to all the local admin groups on every machine that the policy applies to... that way you only have one user that you specify as the local admin... it's good for a service account, for example... you can just use that account to install software.

Author Comment

by:allan1956
I have created a group called 'Temp-PowerUser' and it is a member of the Restricted Group.
The Restricted Group is a member of the domain's Administrators group (not DomainAdministrator).

Now if Tom or Sally or Pete, ... needs to install software, I assign him/her to Temp-PowerUsers and they log in and do their thing.  I then remove him/her from Temp-PowerUsers.

While the user is a member of Temp-PowerUsers they will have local administrator rights on any machine the restricted policy applies to.  Which is why I was hoping for something less than admin, like local poweruser.

We on the same page?




Expert Comment

by:Jay_Jay70
Nope, you want to install software, you give admin rights, no exceptions, no workarounds, it's simple basic facts.

I understand what you are asking, and I am giving you the answer that it's not going to happen... why would MS implement security, when we could simply undo it and work around it at a click of a few buttons... they wouldn't :)

Sorry mate, you have no other options that I am aware of.

Expert Comment

by:janzalon
I read through this thread and I'm a bit confused between User and Power User then. What is the point of having both of these if it seems like they pretty much do the same thing?

The following about Users and Power Users are not true then??

Users:   are prevented from making accidental or intentional system-wide changes and can run most applications.

Power Users:     are included for backwards compatibility and possess limited administrative powers

I thought the meaning of Power Users will give them limited rights to install applications?

Thanks!

Expert Comment

by:mt3dek
From an IT Administrator standpoint, why are you letting your end users install software?