roarteam

How can I give Domain Users rights to install software

I am a volunteer Domain admin for a small school. We have Windows Server 2003 and XP Pro on all machines. I have groups set up (like Students, Staff, Teachers), etc. and have GPOs as well. My problem is that no Teacher or Staff member can install software, printers, etc. How can I give them rights to do that without adding them to the admin group? If there's not a way, which actual group do I make the respective OU a member of?
Brian Pierce
... note you are not making the users Domain Admins, but are granting them admin rights on the individual PCs
robsantos

What about the local Power Users group? Is that an option for you?
roarteam

I thought about the Power Users group, but it does not show up when I try to add the OU to that group.

You can't add an OU to a group!
However, you could use "Power Users" as per my initial suggestion rather than "Administrators".

First put the users that you want to give local admin rights to into a security group (or use Domain Users if you want it to apply to all users).

Create an OU that contains the computers that you want them to have rights on and put the computers into the OU. Note that this cannot be the Computers Container and should not contain any servers or Domain Controllers for obvious reasons.

Create a group policy that configures the security group as a Restricted Group, and under the "This group is a member of..." option, add "Power Users".

Link the GPO to the OU that contains the computers.

Run gpupdate /force to update the policy.

First, I apologize for my ignorance here, but I tried to add the Security Group (global) Teachers as "member of" administrators. That worked, but that would give them access to log in to the server as well. (Using my test ID). I tried the solution above by doing the following:

There is already an OU that contains the Classroom PCs
I created a GPO and linked it to that OU
In the GPO, I configured Computer configuration->Windows Settings->Security Settings->Restricted groups by doing "add Group", used the "Teachers" security group and then under "This group is a member of", used Administrators (since Power Users did not show).

I then made sure the ID was a member of "Teachers" and the PC was in the classroom OU. I rebooted, logged in and still can't install anything. I even ran gpupdate and no luck.

Did I miss something?

As an update, after some checking I found the GPO was being handed out from the secondary domain controller. I don't know why, as I rebooted several times and it was still getting all policies from the secondary, not the primary. After some time, it finally got the updated GPO.

Next question, if I understand restricted groups, it will replace what is on the machine, so do I need to set up other restricted groups as well (like Students, Domain admins, etc)?
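
An added example, not part of the original thread or any poster's code: a small Python audit of the `[Group Membership]` section that a Restricted Groups policy like the one in the steps above stores in the GPO's `GptTmpl.inf` security template. It separates "This group is a member of" entries (`__Memberof`, additive) from "Members of this group" entries (`__Members`, which replace the local group's membership), the distinction the last question turns on. The sample template, its placeholder SIDs and the function names are constructed for illustration.

```python
import re

# Well-known local group SIDs, identical on every Windows machine.
PRIVILEGED = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed sample template; the S-1-5-21-... SIDs are placeholders
# standing in for a domain "Teachers" group (-1105) and Domain Admins (-512).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-547
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""

ENTRY = re.compile(r"^\*?(.+?)__(Memberof|Members)\s*=\s*(.*)$", re.IGNORECASE)

def parse_group_membership(inf_text):
    """Return (group, kind, [targets]) for each [Group Membership] line."""
    entries, in_section = [], False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and (m := ENTRY.match(line)):
            targets = [t.strip().lstrip("*") for t in m.group(3).split(",") if t.strip()]
            entries.append((m.group(1), m.group(2).lower(), targets))
    return entries

def audit(inf_text):
    """List what the policy does to the privileged local groups."""
    findings = []
    for group, kind, targets in parse_group_membership(inf_text):
        if kind == "memberof":
            # "This group is a member of": additive, existing members stay.
            findings += [("add", group, PRIVILEGED[t]) for t in targets if t in PRIVILEGED]
        elif group in PRIVILEGED:
            # "Members of this group": the list replaces local membership.
            findings.append(("replace", PRIVILEGED[group], tuple(targets)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print(finding)
```

`__Members` lines for groups other than the two local groups in `PRIVILEGED` are not evaluated by this sketch.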