Solved

Group Policy to allow software install

Posted on 2007-11-28
12
6,587 Views
Last Modified: 2010-04-21
I am all new to this group policy, pardon a newb question.  Win2003 AD, XP Pro desktops.  I want to create a new Group - call it PowerUser - for this group I want to allow a member to install software.  I will likely give a remote user membership to this group for a particular task, then take them off membership once that is done.  Can someone provide me a pretty straightforward set of steps to do that.  We are a small company with only one domain and basically an out of the box AD setup.
0
Question by:allan1956
12 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 250 total points
ID: 20369209
the only option I can think of would be to create the group, then use restricted groups to add it to the local admin group of each machine, and add your member to the group

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

That would be the easiest and quickest way
0
 

Author Comment

by:allan1956
ID: 20369657
Seems funny that this is hard or has not been done a hundred times before.  Perhaps I'm not explaining it well.

Right now I basically have domain users, domain admins, enterprise admins.
I'm not always in the office so when a user needs to install I'll assign them to the enterprise admin group, they do the install, then I remove them from the group.  I'd rather just have the old style PowerUser type group where they have some local admin capabilities like software install

0
 

Author Comment

by:allan1956
ID: 20369658
Raising this - w
0

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20369711
there is no solution other than admin rights.....you need to understand that concept

never add your users to enterprise admins group, they simply need admin rights on the local machine
0
 

Author Comment

by:allan1956
ID: 20370269
Jay, thanks for the procedural advice, though it doesn't give me a way to do what I need.  You are helping clarify the requirement.

So here's what I want then, a way to add users to the local admin or powerusers group, and to remove them, without having to touch the workstation/PC.
Only want to touch the AD server.

One way is this, though it does require me to touch the Workstation once.
1- create a domain group:  Temp-PowerUsers (or even Temp-Admin I guess)
2- log into the workstation, manage local groups and add Domain/Temp-PowerUsers to the local PowerUser Group

Then if I want to grant a domain user the right of PowerUser I just make them a member of Temp-PowerUsers, they log into the workstation and voilà.  When they are done, I remove their membership from Temp-PowerUser and the next login they lose those rights.

However the downside then is the need to touch every existing workstation and to make this part of the build procedure of every future PC.

Being spoiled, but is there a way to deploy a script or some policy trick to add a domain group to a Local group?  In this case  to add the domain Temp-PowerUser group to the local PowerUser group on each computer?

Of course I'm still open to other ideas, I tested the above approach and it seems to work with the imperfections I mentioned.


0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20370372
Bro - read the first link I gave you - it tells you straight off the bat how to do exactly this from start to finish without having to touch machines to actually configure the membership :) :) :)

It's restricted groups :) makes life much easier
0
 

Author Comment

by:allan1956
ID: 20371480
Ok, I see what you mean, but I have to assign the restricted group to the mydomain/administrators
Which I guess will make the users have all local administrator rights, (correct??)
a bit more rights than I was hoping - wanted something equivalent to the local PowerUser rights

Any other suggestions?  If not we'll probably go with this


0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20371488
no - it means you assign a specific group, with specific members from AD, to all the local admin groups on every machine that the policy applies to...that way you only have one user that you specify as the local admin...it's good for a service account for example....you can just use that account to install software
0
 

Author Comment

by:allan1956
ID: 20371564
I have created a group called 'Temp-PowerUser' and it is a member of the Restricted Group
The Restricted Group is a member of the domain's Administrators group (not DomainAdministrator)

Now if Tom or Sally, or Pete, ... needs to install software I assign him/her to Temp-PowerUsers and they log in and do their thing.  I then remove him/her from Temp-PowerUsers

While the user is a member of Temp-PowerUsers they will have local administrator rights on any machine the restricted policy applies to.  Which is why I was hoping for something less than admin, like local poweruser.

We on the same page?  



0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20377939
nope, you want to install software, you give admin rights, no exceptions, no workarounds, it's simple basic facts

I understand what you are asking, and I am giving you the answer that it's not going to happen....why would MS implement security, when we could simply undo it and workaround it at a click of a few buttons...they wouldn't :)

Sorry mate you have no other options that I am aware of
0
 

Expert Comment

by:janzalon
ID: 21532560
I read through this thread and I'm a bit confused between User and Power User then. What is the point having both of these if it seems like they pretty much do the same thing?

The following about Users and Power Users are not true then??

Users:   are prevented from making accidental or intentional system-wide changes and can run most applications.

Power Users:     are included for backwards compatibility and possess limited administrative powers

I thought the meaning of Power Users will give them limited rights to install applications?

Thanks!
0
 

Expert Comment

by:mt3dek
ID: 31386616
From an IT Administrator standpoint, why are you letting your end users install software?
0
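Added example, not part of the original thread or any poster's code: a Restricted Groups policy like the one discussed above is stored in the GPO's security template (GptTmpl.inf) under `[Group Membership]`, and this Python audit reports which principals a template places in the local Administrators and Power Users groups. The domain name EXAMPLE and the sample entries are constructed; Temp-PowerUsers is the group name used in the thread, and the function names are hypothetical.

```python
# Added example: audit the Restricted Groups section of a GPO security template.
# Well-known SIDs of the two local groups discussed in the thread.
LOCAL_GROUPS = {"*S-1-5-32-544": "Administrators", "*S-1-5-32-547": "Power Users"}

# Constructed sample; EXAMPLE is a placeholder domain name.
SAMPLE_INF = r"""
[Version]
signature="$CHICAGO$"
[Group Membership]
EXAMPLE\Temp-PowerUsers__Memberof = *S-1-5-32-547
EXAMPLE\Temp-PowerUsers__Members =
*S-1-5-32-544__Members = EXAMPLE\Domain Admins,Administrator
[Registry Values]
"""

def parse_group_membership(inf_text):
    """Return (principal, kind, values) tuples from the [Group Membership] section."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        principal, sep, kind = key.strip().rpartition("__")
        if sep:
            values = [v.strip() for v in value.split(",") if v.strip()]
            entries.append((principal, kind.lower(), values))
    return entries

def local_group_changes(inf_text):
    """Report what the policy does to local Administrators and Power Users."""
    report = {n: {"added": [], "replaced_with": None} for n in LOCAL_GROUPS.values()}
    for principal, kind, values in parse_group_membership(inf_text):
        if kind == "memberof":  # "Member Of": principal is added to each listed group
            for target in values:
                if target in LOCAL_GROUPS:
                    report[LOCAL_GROUPS[target]]["added"].append(principal)
        elif kind == "members" and principal in LOCAL_GROUPS and values:
            # "Members": the listed accounts become the group's whole membership
            report[LOCAL_GROUPS[principal]]["replaced_with"] = values
    return report
```

A "Member Of" entry adds the domain group to the local group without disturbing its other members, while a "Members" entry is authoritative and removes any local member not listed, so the two are worth telling apart before a policy is linked to workstations.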
