GPO in 2008 R2 allow users to install software

hi all,

im just starting to create GPOS for our new server 2008 R2 network and am going through the thousands of GPOs

im looking at user config > windows settings > software restrictions

can i grant certain users the permission to install software through gpo or do i have to make them domain admins?

Thanks
LVL 1
awilderbeastAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike ThomasConsultantCommented:
Never ever make them a Domain Admin to install software, at worst they could be a local admin.

But really users should never be allwowed to install software imo, they should be baby sat and have software deployed to them.

Read this regarding how the policy can function though.

http://support.microsoft.com/kb/324036
0
Darius GhassemCommented:
You can add them to a restricted group on their local PC.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
awilderbeastAuthor Commented:
ooops yeah i meant local admin sorry

i know that would be my preferred option, but its the directors, they said they want to install what they want, so hey what can i do :|

ill have a read of those articles

cheers
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

awilderbeastAuthor Commented:
i cant find restricted gourps on 2008 r2 and when you refer to local admins, do you mean i have to go onto the individual machines and add the users locally to local admins on that machine?

or can i use gpo or security groups to make users local admins?

cheers
0
Darius GhassemCommented:
You use a GPO to add the users to security groups to make them local admins.

Read over the link.
0
awilderbeastAuthor Commented:
ok so ive created a restricted group GPO that has a management group with the directors as members

now all i do is link the gpo to an OU with their computers in, or any computers they want local admin rights on?

Thanks
0
Darius GhassemCommented:
Yes
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
awilderbeastAuthor Commented:
Thanks :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.