Solved

Allow users to install apps without adding them as Domain Admins

Posted on 2009-03-30
Last Modified: 2012-05-07
Is there a way to add permissions for certain users/groups only to install applications without adding them to the domain admins group?

I found the following page http://community.spiceworks.com/topic/18348?page=2 and saw "Ommer"'s responses, but can't make complete sense of them.

What's the best way of doing this? If it is a script, please provide detailed information as I am not good at scripting.
Thanks!
0
Question by:romerica
Expert Comment

by:Joseph Daly
ID: 24018863
To allow users to install software on their machines they only need to be an administrator on that machine. They do not need to be a domain admin.
0
 

Author Comment

by:romerica
ID: 24018886
On the local machine or the domain?
I've tried adding them as an admin in the domain w/ no luck - unless I missed something..

Could you please provide the steps? Also this is for more than one user/group. Is there a way to automate that process w/o touching each computer via GPO, etc?
0
 

Accepted Solution

by:
Joseph Daly earned 1500 total points
ID: 24018888
To add users to the admin group via script

Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
Once your computer is joined to the domain, place the computer in the proper OU (where your startup script lies) and reboot. (Or preconfigure your ADUC with the computername in the proper OU)


Or through group policy
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
0

Author Comment

by:romerica
ID: 24020369
Hm.. Can't get it to work either way.
For your script, I added it to the Users Logon part of the GPO and
NET localgroup Administrators /add "budbeach\local admin" saved as a batch file..
Also restarted the computer numerous times and ran gpupdate /force numerous times on both the DC and the PC..
The user is called "test" and is a member of the "local admin" group in the domain.

Going to an account that DOES have admin privileges, I can see that it did indeed add the "budbeach\local admin" group to the local administrators group..

Any thoughts?
0
 

Expert Comment

by:Joseph Daly
ID: 24020406
Try running it as a startup script rather than a logon script. Running it as a logon script will run it under the user context; running it as a startup script will run it under the system context.

http://technet.microsoft.com/en-us/library/bb742536.aspx
Look for this part "We have a test lab with 10 computers that five developers use. The developers need Administrators rights on any machine they log on to, and the computers are constantly being reloaded. How can we do this? "
0
 

Author Comment

by:romerica
ID: 24020561
Ack! Still no go.. I removed that group manually from the local computer and retried; it does not show up under the local admin accounts after repeating those steps for a startup script and restarting the PC 2x and logging on to that user.

Do I need to add the computer to the group or the user??
See attached to ensure I have it configured correctly
Untitled.jpg
0
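An added example, not code from the thread or its participants: a startup-script version of the accepted answer's command that logs which account it ran under and what `net localgroup` returned, so the logon-versus-startup question discussed above can be answered from a log file. The group name is the placeholder from the accepted answer, the log and temp paths are hypothetical, and it assumes `whoami.exe` is present (built in since Windows Vista / Server 2003) and that the local group has its English name.

```bat
@echo off
rem Added example, not from the thread: computer STARTUP script for the GPO.
rem Assumptions: GROUP is the placeholder from the accepted answer, LOG and OUT
rem are hypothetical paths, whoami.exe is present, and the local group is
rem named "Administrators" (English Windows).
setlocal
set "GROUP=domain_name\domain_group"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"
set "OUT=%SystemRoot%\Temp\localadmin-startup.tmp"

rem Record the account the script ran under. A startup script logs
rem "nt authority\system"; the same file run as a logon script logs the user,
rem who normally has no right to change the local Administrators group.
for /f "delims=" %%A in ('whoami') do set "RUNAS=%%A"
>>"%LOG%" echo [%DATE% %TIME%] running as %RUNAS% on %COMPUTERNAME%

rem Same command as in the accepted answer, with its output captured.
net localgroup Administrators /add "%GROUP%" >"%OUT%" 2>&1
set "RC=%ERRORLEVEL%"
type "%OUT%" >>"%LOG%"

rem System error 1378 means the group is already a member, not a failure.
if "%RC%"=="0" (
    >>"%LOG%" echo RESULT: added %GROUP%
) else (
    findstr /c:"1378" "%OUT%" >nul && (
        >>"%LOG%" echo RESULT: %GROUP% was already a member
    ) || (
        >>"%LOG%" echo RESULT: FAILED to add %GROUP%, net exit code %RC%
    )
)

rem Log the resulting membership so it can be reviewed from an admin account.
net localgroup Administrators >>"%LOG%" 2>&1
del "%OUT%" >nul 2>&1
endlocal
```

Assign it under Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) in the GPO linked to the OU that holds the computer accounts. The membership dump at the end of each run gives a per-machine record of who holds local administrator rights.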
 
