?
Solved

Allow users to install apps without adding them as Domain Admins

Posted on 2009-03-30
7
Medium Priority
?
816 Views
Last Modified: 2012-05-07
Is there a way to add permissions for certain users/groups only to install applications without adding them to the domain admins group?

I found the following page http://community.spiceworks.com/topic/18348?page=2 and saw "Ommer"'s responces, but cant make complete sense of them.

Whats the best way of doing this? If it is a script, please provide detailed information as I am not good at scripting.
Thanks!
0
Comment
Question by:romerica
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24018863
To allow users to install software on their machines they only need to be an administrator on that machine. They do not need to be a domain admin.
0
 

Author Comment

by:romerica
ID: 24018886
On the local machine or the domain?
Ive tried adding them as an admin in the domain w/ no luck - unless I missed something..

Could you please provide the steps? Also this is for more than one user/group. Is there a way to automate that process w/o touch each computer via GPO, etc?
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 1500 total points
ID: 24018888
To add users to the admin group via script

Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
Once your computer is joined to the domain, place the computer in the proper OU (where your startup script lies) and reboot. (Or preconfigure your ADUC with the computername in the proper OU)


Or through group policy
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
0
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

 

Author Comment

by:romerica
ID: 24020369
hm.. Cant get it to work either way.
For your script, I added it to the Users Logon part of the GPO and
NET localgroup Administrators /add "budbeach\local admin" saved as a batch file..
Also restarted the computer numerous time and ran gpupdate /force  numerous times of both the DC and the PC..
the user is called "test" and is a member of the "local admin" group in the domain

Going to an account that DOES have admin priveleges, I can see that it did indeed add the "budbeach\local admin" group to the local administrators group..

Any thoughts?
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24020406
Try running it as a startup script rather than a logon script. Running it as a logon script will run it under the user context running it as a startup script it will run under the system context.

http://technet.microsoft.com/en-us/library/bb742536.aspx
Look for this part "We have a test lab with 10 computers that five developers use. The developers need Administrators rights on any machine they log on to, and the computers are constantly being reloaded. How can we do this? "
0
 

Author Comment

by:romerica
ID: 24020561
Ack! still no go..I removed that group manually from the local computer and retried, it does not show up under the local admin accounts after repeating those steps for a startup script and restarting the pc 2x and logging on to that user.

Do I need to add the computer to the group or the user??
See attached to ensure I have it configured correctly
Untitled.jpg
0
 

Author Closing Comment

by:romerica
ID: 31597468
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question