Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Server 2003 Domain - users need the ability to perform updates (Vista) and install software (Vista and XP)

Posted on 2008-06-25
13
Medium Priority
?
279 Views
Last Modified: 2010-04-20
I have a client with a Windows 2003 domain.  The Vista users cannot perform updates (adobe, java..) on their own PCs.  There are situations where users need to install theior own software (Visio and new versions of Quickbooks).  

Where shoudl I start looking?

Thanks

Mountaineer*
0
Comment
Question by:MountaineerWV
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +3
13 Comments
 
LVL 4

Assisted Solution

by:andrewc2189
andrewc2189 earned 140 total points
ID: 21870548
They should be made local administrators on their computers. To start, I would test to see if that works for you on one machine. In order to add someone to the local admin group, right-click computer>manage> expand "local users and groups">groups>administrators. From here you can add any user in the windows 2003 domain as a local admin. This will allow them to add programs and updates on the local machine.

If you are looking for a more restricted group, try adding them to powers users, but I'm not sure if that will do everything you want. If you have a small company just go from computer to computer and do this for them, but if it is larger I can try to find and automated way through group policy to do this.
0
 
LVL 8

Expert Comment

by:pzozulka
ID: 21870550
Users must be Local Admins.
0
 
LVL 6

Expert Comment

by:MrNiss99
ID: 21870551
I f the users are in a 2k3 domain structure then I would start with Window Update Services (WSUS) it is a free tool provided by microsoft that allows more granular controll of the the Windows update process. As far as software that the users need to install, I would just publish those applications via group policy and then when a user needs to install of update a software package then that application is available in the start menu for the user to install, if you wish to push the software then just assign that application. Hope this helps :)
 
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 5

Expert Comment

by:Iekos
ID: 21870568
I remember having a similar problem and if I remember correctly, I created a user called 'Application' on the local PC that had install rights via the local PC group policy.  When they wanted to install apps, they would simply shift-rightclick on the exe and execute as the application user.

This is quite risky though and the real solution is for the administrator to do the updates.  The suggested solution can lead to problems.

I wonder if there are any third party apps that can manage this?
0
 
LVL 8

Expert Comment

by:pzozulka
ID: 21870581
If you have a big company there is actually a much better way of doing this. You will still have to go to every machine, but you will have much higher Management Power.

Create a Security Group in Active Directory called "LocalAdmin". Walk over to each machine and add that Security Group to be a Local Admin just like andrewc2189 explained.

Except instead of adding a user, add the "LocalAdmin" Group to the Local Administrators Group.

After doing that to all the machines, you can now add users to the LocalAdmin Group in Active Directory to whom you want to grant Local Admin rights.
0
 
LVL 5

Assisted Solution

by:Iekos
Iekos earned 140 total points
ID: 21870593
'If you have a big company there is actually a much better way of doing this. You will still have to go to every machine, but you will have much higher Management Power.

Create a Security Group in Active Directory called "LocalAdmin". Walk over to each machine and add that Security Group to be a Local Admin just like andrewc2189 explained.

Except instead of adding a user, add the "LocalAdmin" Group to the Local Administrators Group.

After doing that to all the machines, you can now add users to the LocalAdmin Group in Active Directory to whom you want to grant Local Admin rights'

What a top idea :)
0
 

Author Comment

by:MountaineerWV
ID: 21870940
This is a very small company - 10 users.  I am the "Outside consultant".

So if user "Mike" is a "Domain User" - I can go to Mike's PC and add him as an administrator of the PC...  that is what it sound like would be the best solution.

I'll give it a shot!
0
 
LVL 5

Expert Comment

by:minvis
ID: 21874316
Use restricted groups (GPO > computer configuration > windows settings > security settings > restricted groups).
With restricted groups you can define groups and it's members on computers. Make sure to link the GPO to an OU where the computer objects are.
0
 
LVL 8

Expert Comment

by:pzozulka
ID: 21875702
Lekos: Sorry I meant smaller company, instead of big.
0
 
LVL 8

Assisted Solution

by:pzozulka
pzozulka earned 220 total points
ID: 21875776
Lekos: It is actually a much better idea to add a Group instead of a User to a local machine. So that in the future when you need to take away admin rights from users, you don't have to walk to each individual machine ever again. You can simply add/delete users through Active Directory.
0
 
LVL 5

Expert Comment

by:Iekos
ID: 21877648
That is a very good idea and im planning to implement this at a company I'm supporting..
0
 
LVL 4

Expert Comment

by:andrewc2189
ID: 21877792
I'm glad to see there are a lot of responses for solving the issue in many different situations.

I would like to point out that if you do the easier solution of adding a group instead of each user, you are then giving every user in that group admin rights on every machine in the entire company. There are many situations where you may want a user to have admin rights on only their computer, but if you throw all users into a group and give the group admin rights on every machine, they could go to anyone else's machine and have the same privileges.

If that's a situation you do not want, I only know of going to each computer and adding the individual to the admins group.
0
 

Accepted Solution

by:
MountaineerWV earned 0 total points
ID: 21880364
hey guys and dolls!   Some great ideas here on some everyday practical items.  This actually involved 3 PCs that are domain Power Users and I added them as Administrators to their own respective machine.  They can now even change the time on their clocks!  (This was frustrating to one programming geek- hehe)...

I am headed on a 10 daqy vacation and will divvy up the points when I return.

Thanks for the great ideas - BTW pzozulka will get a few bonus points for his insight into the group thing.

Again - thank you all!
Mountaineer!  in Wild Wonderful!
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question