Solved

Allow users to install apps without adding them as Domain Admins

Posted on 2009-03-30
7
805 Views
Last Modified: 2012-05-07
Is there a way to add permissions for certain users/groups only to install applications without adding them to the domain admins group?

I found the following page http://community.spiceworks.com/topic/18348?page=2 and saw "Ommer"'s responces, but cant make complete sense of them.

Whats the best way of doing this? If it is a script, please provide detailed information as I am not good at scripting.
Thanks!
0
Comment
Question by:romerica
  • 4
  • 3
7 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
Comment Utility
To allow users to install software on their machines they only need to be an administrator on that machine. They do not need to be a domain admin.
0
 

Author Comment

by:romerica
Comment Utility
On the local machine or the domain?
Ive tried adding them as an admin in the domain w/ no luck - unless I missed something..

Could you please provide the steps? Also this is for more than one user/group. Is there a way to automate that process w/o touch each computer via GPO, etc?
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
Comment Utility
To add users to the admin group via script

Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
Once your computer is joined to the domain, place the computer in the proper OU (where your startup script lies) and reboot. (Or preconfigure your ADUC with the computername in the proper OU)


Or through group policy
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:romerica
Comment Utility
hm.. Cant get it to work either way.
For your script, I added it to the Users Logon part of the GPO and
NET localgroup Administrators /add "budbeach\local admin" saved as a batch file..
Also restarted the computer numerous time and ran gpupdate /force  numerous times of both the DC and the PC..
the user is called "test" and is a member of the "local admin" group in the domain

Going to an account that DOES have admin priveleges, I can see that it did indeed add the "budbeach\local admin" group to the local administrators group..

Any thoughts?
0
 
LVL 35

Expert Comment

by:Joseph Daly
Comment Utility
Try running it as a startup script rather than a logon script. Running it as a logon script will run it under the user context running it as a startup script it will run under the system context.

http://technet.microsoft.com/en-us/library/bb742536.aspx
Look for this part "We have a test lab with 10 computers that five developers use. The developers need Administrators rights on any machine they log on to, and the computers are constantly being reloaded. How can we do this? "
0
 

Author Comment

by:romerica
Comment Utility
Ack! still no go..I removed that group manually from the local computer and retried, it does not show up under the local admin accounts after repeating those steps for a startup script and restarting the pc 2x and logging on to that user.

Do I need to add the computer to the group or the user??
See attached to ensure I have it configured correctly
Untitled.jpg
0
 

Author Closing Comment

by:romerica
Comment Utility
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now