?
Solved

Permissions to install software on Domain Computers

Posted on 2011-03-14
8
Medium Priority
?
1,332 Views
Last Modified: 2012-05-11
I am looking to grant our Helpdesk team enough permissions on domain computers to install software.  Currently they need to have a Domain Admin enter credentials.  Is there an AD group I can add them to that will allow us to grant this permission without giving them too much or do I need to start adding the helpdesk group to power users on the workstations?
0
Comment
Question by:purplecables
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 6

Expert Comment

by:brb6708
ID: 35130949
Just give them domain admin rights  and take away rights for domain admins from shares / files that you won't them to be able to access

0
 

Author Comment

by:purplecables
ID: 35130963
That is not an option.  We do not want them RDP'ing into servers or doing all of the other things Domain Admins do.  I'm pretty sure best practices is not to just give Helpdesk employees Domain Admin rights.
0
 
LVL 4

Expert Comment

by:CHutchins
ID: 35130985
You can build a GP to add them as local administrators to all PC's, But the Domain admin is th eonly one I know with the needed rights without building a new group.
0
Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

 
LVL 4

Accepted Solution

by:
vnicolae earned 2000 total points
ID: 35130994
I would create a domain group called HelpDesk Support  and add it to the local Administrators group of the PCs. Don't give them Domain Admins privileges, that is too much.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 35131041
You will need to give them domainn admin rights for this. Why are they installing software on a doamin controller anyways?
0
 
LVL 5

Expert Comment

by:NotVeryFat
ID: 35131306
Is an option to simply set the LOCAL admin passwords the same for all PCs (different to servers), which can be done via a script, and then let the Helpdesk guys know just this password. Invariably even 1st line Helpdesk guys need to be trusted with local admin passwords for PCs.
0
 
LVL 4

Expert Comment

by:CHutchins
ID: 35157176
Yes it is possible, but why not just as was mentioned create a group and using GPO add the group as local admins.

Te settings would need to be applied to the Computer Group OU and then the computers settings side of GP.  I just can't remember off the top of my head the exact commands/locations.  It is not a script I used it is a setting.. thought I imagine a script has been made in the past.
0
 

Author Closing Comment

by:purplecables
ID: 35157323
This is an adequate solution
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
If you are IT support and need to work after hours to resolve customer issues then here are a few tips on how to handle after hours support
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question