Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Allow users to install apps without adding them as Domain Admins

Posted on 2009-03-30
7
Medium Priority
?
814 Views
Last Modified: 2012-05-07
Is there a way to add permissions for certain users/groups only to install applications without adding them to the domain admins group?

I found the following page http://community.spiceworks.com/topic/18348?page=2 and saw "Ommer"'s responces, but cant make complete sense of them.

Whats the best way of doing this? If it is a script, please provide detailed information as I am not good at scripting.
Thanks!
0
Comment
Question by:romerica
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24018863
To allow users to install software on their machines they only need to be an administrator on that machine. They do not need to be a domain admin.
0
 

Author Comment

by:romerica
ID: 24018886
On the local machine or the domain?
Ive tried adding them as an admin in the domain w/ no luck - unless I missed something..

Could you please provide the steps? Also this is for more than one user/group. Is there a way to automate that process w/o touch each computer via GPO, etc?
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 1500 total points
ID: 24018888
To add users to the admin group via script

Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
Once your computer is joined to the domain, place the computer in the proper OU (where your startup script lies) and reboot. (Or preconfigure your ADUC with the computername in the proper OU)


Or through group policy
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:romerica
ID: 24020369
hm.. Cant get it to work either way.
For your script, I added it to the Users Logon part of the GPO and
NET localgroup Administrators /add "budbeach\local admin" saved as a batch file..
Also restarted the computer numerous time and ran gpupdate /force  numerous times of both the DC and the PC..
the user is called "test" and is a member of the "local admin" group in the domain

Going to an account that DOES have admin priveleges, I can see that it did indeed add the "budbeach\local admin" group to the local administrators group..

Any thoughts?
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24020406
Try running it as a startup script rather than a logon script. Running it as a logon script will run it under the user context running it as a startup script it will run under the system context.

http://technet.microsoft.com/en-us/library/bb742536.aspx
Look for this part "We have a test lab with 10 computers that five developers use. The developers need Administrators rights on any machine they log on to, and the computers are constantly being reloaded. How can we do this? "
0
 

Author Comment

by:romerica
ID: 24020561
Ack! still no go..I removed that group manually from the local computer and retried, it does not show up under the local admin accounts after repeating those steps for a startup script and restarting the pc 2x and logging on to that user.

Do I need to add the computer to the group or the user??
See attached to ensure I have it configured correctly
Untitled.jpg
0
 

Author Closing Comment

by:romerica
ID: 31597468
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question