Solved

Allow users to install apps without adding them as Domain Admins

Posted on 2009-03-30
7
811 Views
Last Modified: 2012-05-07
Is there a way to add permissions for certain users/groups only to install applications without adding them to the domain admins group?

I found the following page http://community.spiceworks.com/topic/18348?page=2 and saw "Ommer"'s responces, but cant make complete sense of them.

Whats the best way of doing this? If it is a script, please provide detailed information as I am not good at scripting.
Thanks!
0
Comment
Question by:romerica
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24018863
To allow users to install software on their machines they only need to be an administrator on that machine. They do not need to be a domain admin.
0
 

Author Comment

by:romerica
ID: 24018886
On the local machine or the domain?
Ive tried adding them as an admin in the domain w/ no luck - unless I missed something..

Could you please provide the steps? Also this is for more than one user/group. Is there a way to automate that process w/o touch each computer via GPO, etc?
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 24018888
To add users to the admin group via script

Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
Once your computer is joined to the domain, place the computer in the proper OU (where your startup script lies) and reboot. (Or preconfigure your ADUC with the computername in the proper OU)


Or through group policy
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:romerica
ID: 24020369
hm.. Cant get it to work either way.
For your script, I added it to the Users Logon part of the GPO and
NET localgroup Administrators /add "budbeach\local admin" saved as a batch file..
Also restarted the computer numerous time and ran gpupdate /force  numerous times of both the DC and the PC..
the user is called "test" and is a member of the "local admin" group in the domain

Going to an account that DOES have admin priveleges, I can see that it did indeed add the "budbeach\local admin" group to the local administrators group..

Any thoughts?
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24020406
Try running it as a startup script rather than a logon script. Running it as a logon script will run it under the user context running it as a startup script it will run under the system context.

http://technet.microsoft.com/en-us/library/bb742536.aspx
Look for this part "We have a test lab with 10 computers that five developers use. The developers need Administrators rights on any machine they log on to, and the computers are constantly being reloaded. How can we do this? "
0
 

Author Comment

by:romerica
ID: 24020561
Ack! still no go..I removed that group manually from the local computer and retried, it does not show up under the local admin accounts after repeating those steps for a startup script and restarting the pc 2x and logging on to that user.

Do I need to add the computer to the group or the user??
See attached to ensure I have it configured correctly
Untitled.jpg
0
 

Author Closing Comment

by:romerica
ID: 31597468
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question