• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2742
  • Last Modified:

MMC, How to remove Group Policy on the Domain

Hi Experts,
Just started new job, we have problem with our Office In China, no IT Support.
Ok to the point:
User need to install various apps, but the Local Admin Rights are not enough.
By the company policy we are not allowed to give Domain admin for the Users.
MMC is blocked by the Domain Policy.

Question 1) Any way to enable the policy for these users, so we can run MMC tool from our office. And give them Domain Admin rights for a short time than Disable it again.

Question 2) Is it possible to create in AD new OU and add these users in, so they can run the Software they need to install. But without abusing this permission by adding any Folders and Files they should not have.

4 Solutions
I would start by removing the current Group Policy you have in place or create a new GP and check Link Enabled to make it domianate or other GP.  In the new GP set the rights of the user to install applications or turn on the windows installer. You can create a new OU as well, or just remove the GP from the current one.
Please describe what you mean by "the Local Admin Rights are not enough". What part of the installation fails? Normally, there will be no difference between dom. admin  and local admin on his machine.
About the policies: make out what policy that is and edit the security info of the policy to either exclude (deny access) the user or the computer object, depending on the type of policy.
tihobufAuthor Commented:
Hi McKnife,
When user try to install any software, soon it start running, it says to to install this software contact you Administrator.You must seen the Permision Messages in your line of work.It is quite common.User can not install some Apps, because Local Admin permisions are not enough.

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Group Policy applies itself as the top level policy for the user account to follow, if Link Enabled is turned on.  If you have access to change the group policy, I would go in and make a change to Administrative Template > Windows Components > Windows Installer. As well make sure the GP for the Computer itself is not blocking installations.  I would look at theGP, look at  Computer Configuration > Administrative Templates > Windows Components > Windows Installer.

I would also check to see what GP's are being applied to the PC.  From the command prompt run gpresults to see where the GP is being pulled from as well which items are being applied to the PC.  

I was also wondering can you post the reports for the GP's being applied to the specific User account and computer account.
"...because Local Admin permisions are not enough." - never ever. As long as you don't mess with software restriction policies, the local admin and the domain admin are equal when it comes to installing a software locally.
HowTo: Reset Security Settings Back to the Defaults

This should help you, it explains using the default setup security template to re-apply the default security settings.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managed Security Services Webinar - March 15

Selecting the right managed security services platform to grow your business can be a huge undertaking. Join WatchGuard and Frost & Sullivan in an upcoming webinar as we dive into the key elements of selecting a vendor platform and partnership to fuel a successful MSSP business.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now