Kaptain1

Allow Domain Users to Install software

Hi Experts!

I've got a Server 2008 R2, that has AD and GP, workstations are Win 7 and XP pro.

It seems that Domain Users by default aren't allowed to install software. I'd like to allow users to install any software that they want on their computers.

Please include a few steps, as I've been struggling even with making users "local admins" (not sure if it's the best option).

Thank You!
Krzysztof Pytko

Hi, this is the only option :/ Regular users cannot install software without local administrator rights. You can do that using GPO and restricted groups. Configure there DOMAINNAME\Domain Users group link to computers OU, reboot PCs and check if they can install software. However, granting domain users full local administrative rights is not recommended in a domain environment, because they can mess up! Please consider it once again.

Regards,
Krzysztof
I create a DOMAINNAME\WorkstationAdmin group, and make that group a member of the Administrators group on each workstation.

Then, if I find a particular user causing grief, I can remove them from the WorkstationAdmin group.
Kaptain1

ASKER

Sorry guys. I gave it a good try - created a "WorkstationAdmin" group in the BuiltIN (in AD), made it a member of Administrators, and added my user to the WorkstationAdmins group. Restarted the laptop, but still can't install.

Could you please add some steps on where I create that group (server/client), in which tabs (AD, GP, or where?)

Also, I'm a bit confused about this suggestion: "You can do that using GPO and restricted groups. Configure there DOMAINNAME\Domain Users group link to computers OU" Could you please add some steps?

Thanks in advance! :)
Nope, create WorkstationAdmin group within ADUC console (but in some OU not in Built-in container), then create new GPO and go to

"Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups",
click "Add Group" and the "Browse" button. Add the administrator account and the newly created WorkstationAdmin group there.

Reboot PC. But be aware, if you had in local administrators group other accounts they will be removed, so you have to manually add them also to that Restricted Groups node, you defined!

Regards,
Krzysztof
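
The caveat above, that existing local administrators are removed, applies to the "Members of this group" form of a Restricted Groups entry; the "This group is a member of" form only adds. The following is an added example, not code from any poster in this thread: it audits the `[Group Membership]` section of a GPO's GptTmpl.inf security template for both forms and flags local admin grants to broad groups such as Domain Users. The domain SID, RID 1104 and the sample file are constructed, and it assumes groups are stored as SIDs.

```python
import re

ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Principals that cover (nearly) every user: Everyone, Authenticated Users, Domain Users (RID 513)
BROAD = re.compile(r"^(S-1-1-0|S-1-5-11|S-1-5-21-\d+-\d+-\d+-513)$")

# Constructed sample; the domain SID and RID 1104 (standing in for WorkstationAdmin) are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111111111-2222222222-3333333333-1104
*S-1-5-21-1111111111-2222222222-3333333333-513__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-513__Members =
"""

def parse_group_membership(inf_text):
    """Map (group, 'members'|'memberof') -> list of principals, '*' SID prefix stripped."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, _, mode = key.strip().rpartition("__")
            entries[(group.lstrip("*"), mode.lower())] = [
                v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return entries

def audit_local_admins(inf_text):
    """Return (kind, principal) findings for every grant of local Administrators."""
    findings = []
    for (group, mode), values in parse_group_membership(inf_text).items():
        if mode == "members" and group == ADMINS:
            # "Members of this group": the listed principals REPLACE current members
            granted = [("replace", v) for v in values]
        elif mode == "memberof" and ADMINS in values:
            # "This group is a member of": group is ADDED, existing members stay
            granted = [("additive", group)]
        else:
            continue
        findings += granted
        findings += [("broad", p) for _, p in granted if BROAD.match(p)]
    return findings

if __name__ == "__main__":
    for kind, principal in audit_local_admins(SAMPLE_INF):
        print(f"{kind:9} {principal}")
```

Real GptTmpl.inf files are UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text in.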
Since you have Windows 2008 R2, using Group Policy Preferences is the way to go, and it's much more granular for controlling who is a member of the local admin group.

Yes, ISiek is right, if you want users to be able to install software you have to make them members of the local administrators group.

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
Through restriction group policies, add the users to the Power Users group and check whether it works or not.
Hello,

Didn't quite work so far.

I've created a new "WindowsAdmin" group inside the OU that has my users, but used the same GPO as I'm currently using, didn't create a new one.

In GP, I was able to add this new "WindowsAdmin" group that I've created (btw, what am I supposed to select on the prompt screen - "Members" and "Member of" - when adding a group to Restricted Groups?). Then I tried to add Administrator, but it's not available, so I added the "Administrators" group. Again, am I supposed to select anything in "Members" or "Member of" when it prompts me?

Didn't work. What am I doing wrong?

Thanks. It's a bit funny that I can't do this thing, even after taking 1 semester of Server 08 class, and working with AD here and there...

Persistence is the key :)

ASKER CERTIFIED SOLUTION
Krzysztof Pytko

Thanks! I'll try it out once I'll be at the office, and will report back.
You're welcome :)
Haven't had a chance to test this out yet. Will try it and report back.

Thank You
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.