Domain users to install printer drivers and specific software only...

We have quite a few clients having received new computers with win7pro.  They are domain users under a w2008r2 domain.  They don't have the local admin password because I wanted to prevent that they install all kind of crappy software.

However I DO want them to be able to install printer drivers for their home printers, AND also to update Java, Windows Updates and preferable updates to all the software already installed (OpenOffice, Mozilla stuff etc...)

HOW do I solve this in an elegant way?  I wish windows had a permission type called 'Update any existing software'..  I tried to enable the GPO which allow users to install printer drivers, but it does not seem to work or give the desired effect.  At least their computers still yell for an admin when needing printer driver installers or updates.

Thanks for comments, good advice and howtos to elegantly allow users to maintain the software in their computers without giving them permission to install anything ...

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

if you add them to the power users group that should take care of most of your problems.

Power Users

The Power Users group primarily provides backward compatibility for running non-certified applications. The default permissions that are allotted to this group allow this group's members to modify computerwide settings. If non-certified applications must be supported, then end users will need to be part of the Power Users group.

Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default Windows 2000 and Windows XP Professional security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000 or Windows XP Professional.

Power Users can:

• Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.
• Install programs that do not modify operating system files or install system services.
• Customize systemwide resources including printers, date, time, power options, and other Control Panel resources.
• Create and manage local user accounts and groups.
• Stop and start system services which are not started by default.

Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.

Darius GhassemCommented:
For a user to  install programs or printer drivers they must be part of the local admin or Power user groups.

You can configure this through a GPO.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
geir056Author Commented:
Thanks both of you.  

I haven't seen the Power User group in the domain AD groups (I'm not at work now).  

If this is a local computer group, how do I add my domain users as members of this group?

regards Geir
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Darius GhassemCommented:
This is a local group if you look at the link I provided it will show you how to deploy through a GPO.
under users and computers, go to groups and find power users group and just add the domain account of the person you want to assign the rights to
geir056Author Commented:
You mean to do this sparately on every local computer?  I need a centralized solution, I will check the GPO solution at work tomorrow.

If I misunderstand your suggestion, please elaborate.


thanks to both of you, ill award the points to the genius ...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.