Solved

only domain admin group can install

Posted on 2010-08-24
Last Modified: 2012-05-10
I have a faculty group in which all faculty are members. I need them to be able to install and modify the registry for some programs they install and use, so I need them to be local machine administrators without bumping up their rights on the network side.

This is the restricted group setup I have:

Group: Administrator
Members: STJ\Faculty, STJ\SISFIN, STJ\Staff, STJ\Techadmin
Member of:

Group: BUILTIN\Administrators
Members: sisk12, STJ\Administration, STJ\administrator, STJ\Faculty, STJ\SISFIN, STJ\SISK12, STJ\Staff, STJ\Techadmin, STJ\Techs
Member of:

Group: BUILTIN\Remote Desktop Users
Members: STJ\Domain Admins, STJ\Techadmin, STJ\Techs
Member of:

What am I doing wrong? It says they do not have rights to install.
Question by:joshcahill
14 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 2000 total points
ID: 33511839
When you go into the local admin on a machine, are they listed now (making sure the restricted group GPO is applying)?

Are there any other GPOs that may prevent the installation of software? For example, are you using whitelists like User Configuration\Administrative Templates\System ... "Run only specified Windows applications", or Software Restriction Policies?

thanks

Mike
 

Author Comment

by:joshcahill
ID: 33511869
Here is what I inherited. This is the only policy that has software restrictions:

Enforcement
Apply software restriction policies to the following: All software files except libraries (such as DLLs)
Apply software restriction policies to the following users: All users
When applying software restriction policies: Ignore certificate rules
 
Designated File Types
File Extension File Type
ADE ADE File
ADP ADP File
BAS BAS File
BAT Windows Batch File
CHM Compiled HTML Help file
CMD Windows Command Script
COM MS-DOS Application
CPL Control Panel Item
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Application
INF Setup Information
INS INS File
ISP ISP File
LNK Shortcut
MDB MDB File
MDE MDE File
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST MST File
OCX ActiveX Control
PCD PCD File
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen Saver
SHS SHS File
URL Internet Shortcut
VB VB File
WSC Windows Script Component
 
Trusted Publishers
Trusted publisher management: Allow all administrators and users to manage user's own Trusted Publishers
Certificate verification: None
 
 

Author Comment

by:joshcahill
ID: 33522892
I changed the above from all users to except administrators.

And these are the groups for restricted groups:

Group: Administrator
Members: STJ\Faculty, STJ\SISFIN, STJ\Staff, STJ\Techadmin

Group: BUILTIN\Administrators
Members: sisk12, STJ\Administration, STJ\administrator, STJ\Faculty, STJ\SISFIN, STJ\SISK12, STJ\Staff, STJ\Techadmin, STJ\Techs

Group: BUILTIN\Remote Desktop Users
Members: STJ\Domain Admins, STJ\Techadmin, STJ\Techs
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33522915
Can they still not install software?
 

Author Comment

by:joshcahill
ID: 33522932
No, I did gpupdate /force on the system to make sure it is the latest.
 

Author Comment

by:joshcahill
ID: 33530969
I still cannot install on local machines as a member of the "faculty" group.
 

Author Comment

by:joshcahill
ID: 33532518
This is all for software restriction under computer administrative templates.

All other GPOs apply to drive maps and printers. Getting into the user on the local machine using Run As shows they are not making faculty a member of the administrators group.


Enforcement
Apply software restriction policies to the following: All software files except libraries (such as DLLs)
Apply software restriction policies to the following users: All users except local administrators
When applying software restriction policies: Ignore certificate rules
 
Designated File Types
File Extension File Type
ADE ADE File
ADP ADP File
BAS BAS File
BAT Windows Batch File
CHM Compiled HTML Help file
CMD Windows Command Script
COM MS-DOS Application
CPL Control Panel Item
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Application
INF Setup Information
INS INS File
ISP ISP File
LNK Shortcut
MDB MDB File
MDE MDE File
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST MST File
OCX ActiveX Control
PCD PCD File
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen Saver
SHS SHS File
URL Internet Shortcut
VB VB File
WSC Windows Script Component
 
Trusted Publishers
Trusted publisher management: Allow all administrators and users to manage user's own Trusted Publishers
Certificate verification: None


Software Restriction Policies/Security Levels
Default Security Level: Unrestricted

Software Restriction Policies/Additional Rules
Path Rules

Path: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level: Unrestricted
Description:
Date last modified: 8/2/2010 1:56:50 PM

Path: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level: Unrestricted
Description:
Date last modified: 8/2/2010 1:56:50 PM
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33532550
What has me stumped is that you have:

Apply software restriction policies to the following users: All users except local administrators

Are the local admin groups updating properly?
 

Author Comment

by:joshcahill
ID: 33532570
I just checked. No, only the sisk12 user shows up on the local machine as part of the administrator group, besides local admin and domain admin.
 
LVL 57

Accepted Solution

by:Mike Kline
Mike Kline earned 2000 total points
ID: 33532606
Check your restricted groups GPO again. Florian has a great article here that may help:

http://www.frickelsoft.net/blog/?p=13

Thanks

Mike
 

Author Comment

by:joshcahill
ID: 33532614
Will do.
 

Author Comment

by:joshcahill
ID: 33532683
OK, I have them in the restricted group, but my faculty group is, on closer inspection, a distribution group, not a security group. I have a security group fac_security, but I use this group to grant rights to a DFS share. If I use this group in restricted groups, will it affect the DFS share access?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33533046
No, it won't affect the DFS share access; it will just add that group to the local admin group on the boxes.
If you want to be safe, create a new group and call it "Local admin installers"... or something like that.
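The two things this thread turned on were Mike's early question about whether a Software Restriction Policy was in play, and the final finding that STJ\Faculty was a distribution group, which Restricted Groups cannot place into a local group. The PowerShell below is an added example for checking both before and after a rollout; it is not code from the thread, from Experts Exchange, or from Microsoft. It assumes the RSAT ActiveDirectory module and the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, so not the 2010-era machines in the thread), and it uses the names STJ, Faculty and fac_security from the thread purely as placeholders.

```powershell
# Added example (not part of the thread): pre- and post-rollout checks for a
# Restricted Groups GPO that is meant to make a domain group a local administrator.
# Assumptions: RSAT ActiveDirectory module and Microsoft.PowerShell.LocalAccounts
# are available; STJ, Faculty and fac_security are placeholders from the thread.

param(
    [string]$Domain = 'STJ',
    [string[]]$CandidateGroups = @('Faculty', 'fac_security')
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-RestrictedGroupCandidate {
    param([string]$Name)
    # Restricted Groups resolves the group to a SID and adds it to the local group.
    # A distribution group is not a security principal, so the policy silently does
    # nothing for it; GroupCategory is the property that tells the two apart.
    $g = Get-ADGroup -Identity $Name -Properties GroupCategory, GroupScope
    [pscustomobject]@{
        Group        = "$Domain\$Name"
        Category     = $g.GroupCategory
        Scope        = $g.GroupScope
        UsableForGPO = ($g.GroupCategory -eq 'Security')
    }
}

function Test-LocalAdminMembership {
    param([string]$ExpectedMember)
    # Run this on the workstation after gpupdate /force: it shows what the policy
    # actually put into BUILTIN\Administrators, which is the check Mike asked for.
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Expected = $ExpectedMember
        Present  = ($members -contains $ExpectedMember)
        Members  = ($members -join ', ')
    }
}

function Get-SrpScope {
    # Software Restriction Policies store their enforcement settings under this key.
    # PolicyScope 0 = "All users", 1 = "All users except local administrators".
    # If the key is absent, no SRP is applied to this machine.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return 'SRP not configured on this machine' }
    $p = Get-ItemProperty -Path $key
    switch ($p.PolicyScope) {
        0       { 'All users' }
        1       { 'All users except local administrators' }
        default { "Unknown PolicyScope value: $($p.PolicyScope)" }
    }
}

# 1. Is each candidate group actually a security group?
$CandidateGroups | ForEach-Object { Test-RestrictedGroupCandidate -Name $_ } |
    Format-Table -AutoSize

# 2. Did the security group land in the local Administrators group?
Test-LocalAdminMembership -ExpectedMember "$Domain\fac_security" | Format-List

# 3. Would a local administrator still be subject to SRP?
"SRP enforcement scope: $(Get-SrpScope)"
```

Run the first block from any machine with RSAT, and the second and third on one of the workstations the GPO targets. If the candidate shows Category = Distribution, no amount of gpupdate will change the local group; if it shows Security but Present is False, the Restricted Groups policy itself is not reaching the machine, and gpresult or the Group Policy Results wizard is the next stop. The SRP scope check confirms that "All users except local administrators" really took effect, so that once the group membership is right, the faculty installs are no longer blocked by the path rules.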
 

Author Comment

by:joshcahill
ID: 33533169
OK, great, will try it.
