Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Permissions to install software on Domain Computers

Posted on 2011-03-14
8
Medium Priority
?
1,364 Views
Last Modified: 2012-05-11
I am looking to grant our Helpdesk team enough permissions on domain computers to install software.  Currently they need to have a Domain Admin enter credentials.  Is there an AD group I can add them to that will allow us to grant this permission without giving them too much or do I need to start adding the helpdesk group to power users on the workstations?
0
Comment
Question by:purplecables
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 6

Expert Comment

by:brb6708
ID: 35130949
Just give them domain admin rights  and take away rights for domain admins from shares / files that you won't them to be able to access

0
 

Author Comment

by:purplecables
ID: 35130963
That is not an option.  We do not want them RDP'ing into servers or doing all of the other things Domain Admins do.  I'm pretty sure best practices is not to just give Helpdesk employees Domain Admin rights.
0
 
LVL 4

Expert Comment

by:CHutchins
ID: 35130985
You can build a GP to add them as local administrators to all PC's, But the Domain admin is th eonly one I know with the needed rights without building a new group.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 4

Accepted Solution

by:
vnicolae earned 2000 total points
ID: 35130994
I would create a domain group called HelpDesk Support  and add it to the local Administrators group of the PCs. Don't give them Domain Admins privileges, that is too much.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 35131041
You will need to give them domainn admin rights for this. Why are they installing software on a doamin controller anyways?
0
 
LVL 5

Expert Comment

by:NotVeryFat
ID: 35131306
Is an option to simply set the LOCAL admin passwords the same for all PCs (different to servers), which can be done via a script, and then let the Helpdesk guys know just this password. Invariably even 1st line Helpdesk guys need to be trusted with local admin passwords for PCs.
0
 
LVL 4

Expert Comment

by:CHutchins
ID: 35157176
Yes it is possible, but why not just as was mentioned create a group and using GPO add the group as local admins.

Te settings would need to be applied to the Computer Group OU and then the computers settings side of GP.  I just can't remember off the top of my head the exact commands/locations.  It is not a script I used it is a setting.. thought I imagine a script has been made in the past.
0
 

Author Closing Comment

by:purplecables
ID: 35157323
This is an adequate solution
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog, we’ll look at how improvements to Percona XtraDB Cluster improved IST performance.
Article by: Shawn
IT teams define success as solving problems quickly. To enable ITSM modernization we have to think of adopting the tools and methods that will enable resolution of ITSM issues more quickly.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question