?
Solved

MMC, How to remove Group Policy on the Domain

Posted on 2007-12-05
7
Medium Priority
?
2,740 Views
Last Modified: 2013-12-04
Hi Experts,
Just started new job, we have problem with our Office In China, no IT Support.
Ok to the point:
User need to install various apps, but the Local Admin Rights are not enough.
By the company policy we are not allowed to give Domain admin for the Users.
MMC is blocked by the Domain Policy.

Question 1) Any way to enable the policy for these users, so we can run MMC tool from our office. And give them Domain Admin rights for a short time than Disable it again.

Question 2) Is it possible to create in AD new OU and add these users in, so they can run the Software they need to install. But without abusing this permission by adding any Folders and Files they should not have.

Cheers
t-buf
0
Comment
Question by:tihobuf
6 Comments
 
LVL 5

Accepted Solution

by:
Taurance earned 1000 total points
ID: 20415211
I would start by removing the current Group Policy you have in place or create a new GP and check Link Enabled to make it domianate or other GP.  In the new GP set the rights of the user to install applications or turn on the windows installer. You can create a new OU as well, or just remove the GP from the current one.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 20423369
Please describe what you mean by "the Local Admin Rights are not enough". What part of the installation fails? Normally, there will be no difference between dom. admin  and local admin on his machine.
About the policies: make out what policy that is and edit the security info of the policy to either exclude (deny access) the user or the computer object, depending on the type of policy.
0
 

Author Comment

by:tihobuf
ID: 20426298
Hi McKnife,
When user try to install any software, soon it start running, it says to to install this software contact you Administrator.You must seen the Permision Messages in your line of work.It is quite common.User can not install some Apps, because Local Admin permisions are not enough.





0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
LVL 5

Assisted Solution

by:Taurance
Taurance earned 1000 total points
ID: 20427368
Group Policy applies itself as the top level policy for the user account to follow, if Link Enabled is turned on.  If you have access to change the group policy, I would go in and make a change to Administrative Template > Windows Components > Windows Installer. As well make sure the GP for the Computer itself is not blocking installations.  I would look at theGP, look at  Computer Configuration > Administrative Templates > Windows Components > Windows Installer.

I would also check to see what GP's are being applied to the PC.  From the command prompt run gpresults to see where the GP is being pulled from as well which items are being applied to the PC.  

I was also wondering can you post the reports for the GP's being applied to the specific User account and computer account.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 20431161
"...because Local Admin permisions are not enough." - never ever. As long as you don't mess with software restriction policies, the local admin and the domain admin are equal when it comes to installing a software locally.
0
 

Expert Comment

by:NHChats
ID: 26024335
HowTo: Reset Security Settings Back to the Defaults
http://support.microsoft.com/default.aspx?scid=kb;en-us;313222&Product=winxp

This should help you, it explains using the default setup security template to re-apply the default security settings.

-NH
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question