sbs 2008 local admin rights

easyworks used Ask the Experts™
Running SBS 2008 sp2 and all client computers are running win7 pro.

I would like to create a security group/group policy so I can give individuals rights to be able to install programs on their local computer, but I don't want to give them local administrator rights.

You can use the Run as Administrator option to install the programs, and you can create a network administrator account for it, and limit this account for the domain.


That's not exactly what I'm looking for. I'm looking so I can add a group of people to a security group so they can install programs on their local computer because there are several computers that these individuals are going to be walking back and forth to.


I want to give several users the ability to install; I'm not looking to be able to remotely install software.
Installing software always requires Administrator rights, at least if installed to %ProgramFiles% or if it writes to the HKLM registry (which is usually the case).

But there is a Group Policy setting that will always run MSIEXEC with elevated privileges. It will only work with installing MSI packages:

I am assuming here that the computer objects of your workstations are grouped in an OU. These users probably can't log on to servers, but you probably don't want these users installing software on servers for sure.

1) Create a Global security group in your AD. Add the desired users and give it a good description ("Elevate MSIEXEC privileges on clients to allow software installation")
2) Create a new Group Policy object with a similar name.
3) Edit the following settings in the GPO:

User settings | Windows Components | Windows Installer | Always install with elevated privileges: Enabled
Computer Settings | System | Group Policy | User group policy loopback processing mode: Replace

4) Edit the GPO Security (Properties of the policy)
5) Disable the checkbox "Apply policy" for Authenticated Users.
6) Add the security group you added in step 1. Assign this group the "Apply policy" right.
7) Add the security group "Domain Computers". Also assign the Apply policy right.
8) Link the policy to the Organizational Unit that contains your client computers.

Wait for GP background processing to occur, or run Gpupdate on a client. Then restart the computer and try installing an MSI package with a non-privileged user.
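
An added example, not part of the original answer: a PowerShell check to run on a client as one of the affected users after Gpupdate, to confirm where the setting landed. It reads the documented AlwaysInstallElevated policy values; per Microsoft's Windows Installer documentation, elevation applies only when the value is 1 under both the machine and user policy keys. The function names are assumptions made for this example.

```powershell
# Added example: report whether Windows Installer elevation is in effect for
# the current user on this machine. Written for PowerShell 2.0 (Windows 7).

function Get-InstallerPolicyValue {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $path = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }   # key or value absent = policy not configured
    return [int]$item.AlwaysInstallElevated
}

function Get-AlwaysInstallElevatedState {
    $machine = Get-InstallerPolicyValue -Hive 'HKLM'
    $user    = Get-InstallerPolicyValue -Hive 'HKCU'
    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        User          = "$env:USERDOMAIN\$env:USERNAME"
        IsWorkstation = ($os.ProductType -eq 1)
        MachinePolicy = $machine
        UserPolicy    = $user
        # Windows Installer elevates only when both values are 1.
        Elevated      = ($machine -eq 1 -and $user -eq 1)
    }
}

$state = Get-AlwaysInstallElevatedState
$state | Format-List Computer, User, IsWorkstation, MachinePolicy, UserPolicy, Elevated

# The GPO above is meant for client computers only; flag it anywhere else.
if ($state.Elevated -and -not $state.IsWorkstation) {
    Write-Warning 'Elevated MSI installs are active on a server or domain controller.'
}
```

Running it once as a member of the security group and once as a user outside it shows whether the GPO security filtering from steps 5 to 7 took effect.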


Thx, this looks like it did exactly what I was looking for. Thank you for going into detail explaining instead of just linking me an article.

Haha, I would like this article to be linked TO, have you thought of that :)

Glad that it worked. Cheers.
