GPO in 2008 R2 allow users to install software

hi all,

im just starting to create GPOS for our new server 2008 R2 network and am going through the thousands of GPOs

im looking at user config > windows settings > software restrictions

can i grant certain users the permission to install software through gpo or do i have to make them domain admins?

Thanks
LVL 1
awilderbeastAsked:
Who is Participating?
 
Darius GhassemConnect With a Mentor Commented:
Yes
0
 
Mike ThomasConsultantCommented:
Never ever make them a Domain Admin to install software, at worst they could be a local admin.

But really users should never be allwowed to install software imo, they should be baby sat and have software deployed to them.

Read this regarding how the policy can function though.

http://support.microsoft.com/kb/324036
0
 
Darius GhassemCommented:
You can add them to a restricted group on their local PC.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
awilderbeastAuthor Commented:
ooops yeah i meant local admin sorry

i know that would be my preferred option, but its the directors, they said they want to install what they want, so hey what can i do :|

ill have a read of those articles

cheers
0
 
awilderbeastAuthor Commented:
i cant find restricted gourps on 2008 r2 and when you refer to local admins, do you mean i have to go onto the individual machines and add the users locally to local admins on that machine?

or can i use gpo or security groups to make users local admins?

cheers
0
 
Darius GhassemCommented:
You use a GPO to add the users to security groups to make them local admins.

Read over the link.
0
 
awilderbeastAuthor Commented:
ok so ive created a restricted group GPO that has a management group with the directors as members

now all i do is link the gpo to an OU with their computers in, or any computers they want local admin rights on?

Thanks
0
 
awilderbeastAuthor Commented:
Thanks :)
0
All Courses

From novice to tech pro — start learning today.