Software requires users account to be a member of the local Administrators group

Medium Priority
702 Views
Last Modified: 2012-05-11
I am assisting a vendor in installing software on one of our servers. The software requires that the user be a member of the local Administrators group to install. This is fairly standard.

As a policy, we do not add users directly to the local Admins group. They need to be added to a domain users group and then that group can be added to the servers local admin group.

We created a domain users group for the vendors from this company. Added the users accounts to this group and then added the group to the local administrators group on the server.

The software would not install and the vendor stated that the reason was that the users needed to be added directly to the Administrators group. I tried that an it worked.

I am not looking for a solution on how to install the software, rather I am looking for an explanation as to why there would be a difference in adding a domain user account to a local group, vs adding a group they are a member of.

Joseph Moody, Blogger and wearer of all hats.
CERTIFIED EXPERT

Commented:
If you install the software as an admin and then execute it as a standard user, will it work?
CERTIFIED EXPERT

Commented:
You could schedule it and use an admin account.
Joseph Moody, Blogger and wearer of all hats.
CERTIFIED EXPERT

Commented:
You like that schedule trick don't you. :)
Adam Brown, Senior Systems Admin
CERTIFIED EXPERT
Top Expert 2010

Commented:
There shouldn't be a difference between these methods at all. It should be noted, though, that if the user was logged in when you added the group to the Local Admins, they would have had to log out and back in before the security token would reflect the change. Same with adding the user directly to the local admins group.

Author

Commented:
Again, I am not trying to find a solution to installing the software.
I put the user's account DIRECTLY into the local Administrators group and was able to install the software. The issue is that we have a corporate policy that we don't have individual users added to local administrator groups. Rather, we create domain groups, add the users to the groups, and then add the domain group to the local group.

The question is: Why would there be a difference in adding a user directly vs. adding a group that they are a member of?
CERTIFIED EXPERT

Commented:
Yeah, Jmoody10, schedule is a pretty good workaround.

Commented:
What software requires users to be a member of the domain administrators group? I want to make sure to avoid that software like the plague.

Running software as a local administrator should be sufficient. Some file folders containing data edits within the file folders in Program Files of the local machine. That's the reason some older software requires LOCAL administrator privileges on that file folder (not the entire computer).

If you practice LEAST USER AUTHORIZATION, you will want to grant those users least privileges on a computer network. This would NOT include adding every one of them to the domain administrators group. This sounds to me like a lazy vendor of software that doesn't want to tell you what files and folders to grant local administrator privileges to.

A MUCH better means to grant privileges is to grant these users power user privileges. OR you can use a program called Beyond Trust that allows you to create privileges for specific files.

If you ask me, grab a test machine, and grant privileges in Program Files and needed files (that could include registry edits) to these users locally.

Author

Commented:
ChiefIT, I didn't say that they needed to be a member of the Domain Administrators group. The question being asked is: Why would there be a difference between adding a user's account directly to the local Administrators group, and adding a group of which that person was a member?

Adam Brown, Senior Systems Admin
CERTIFIED EXPERT
Top Expert 2010

Commented:
Wiscombep, there isn't a technical difference between the two methods. The difference would more likely be whether the user was logged in when you made the changes or not. If the user was logged in to the system when you added the user to the domain group, then added the group to the local admins group, the changes don't take effect until the user logs out, as I said earlier. I think my earlier post may have gotten lost in the mix :D

Commented:
We add local groups to global groups all the time. Local groups will imply that you are setting permissions (per group) on the file folders locally. Then, global groups would be Active Directory user groups that would have permissions to those files. That works. I never tried adding global groups to global groups (meaning AD accounts to AD accounts). So, you will have to create two groups:
- one local for local permissions to files and folders or the entire computer locally
- one global for global AD users.

Commented:
Oops, got the first sentence backwards.

We add global groups to local groups:

An example would be a local group that has full control over the file shares. Then, we have a global group of, let's say, finance personnel that belongs to that local group that has full control. It would look like this:

Global group of G_Finance_Personell belongs to local group L_finance_files_full control. L_finance_full_control has to have full control permissions on the finance files.

Author

Commented:
Got updated information from the vendor. It turns out the installation is successful, but it will not run properly if the user isn't directly a member of the Administrators group. No error message, but the software doesn't show any available elements.

Basically what I have received here is a confirmation that there really isn't any difference between having the user in a global group vs. directly in the local group, but that it is probably an issue with the software in how it is checking permissions.

Thanks to those who replied.
Joseph Moody, Blogger and wearer of all hats.
CERTIFIED EXPERT

Commented:
No problem!

Commented:
Yes, there is no difference. But, it can get confusing when administering permission sets. It's best to use Local on the file permissions and Global for AD users. Then, marry the Global groups to the local groups.

Example:
File share>>Local group of the file share<<Global group<<users of the global group

How this lays out is:
File share>>L_fileshare_full control<<G_fileshare_full<<AD administrators of the file share
or
File share>>L_fileshare_read only<<G_Fileshare_readonly<<AD users of the file share with read only permissions

We also have an application called CARIS that requires power user or full permissions on the Program Files>>CARIS folder for users on the domain. CARIS is a proprietary program that is used for manually editing multibeam data. In staying within Federal ITSEC policies, I have to prevent users from being local administrators. So, I have to go to each machine's local Program Files folder and add local full permissions on the CARIS program files folder, then add our department as a group that uses the program.

Author

Commented:
Good possible reasons. Not known if they were accurate.

Original post was not looking for a "solution" so much as for a reason why the solution would work.
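The following script is an added example, not something posted in the thread or shipped by the vendor. It shows the two things the replies above turn on: Adam Brown's point that group membership only reaches a user's access token at logon, and the author's conclusion that the software is probably checking membership in a way that does not see nested groups. It compares three ways an application might answer "is this user an administrator?": reading the token (what Windows itself uses for access checks), enumerating the direct members of the local Administrators group, and enumerating that group but matching against every group SID in the token. Only the second one distinguishes "user added directly" from "user added via a domain group", which is consistent with the behaviour the author observed. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module (`Get-LocalGroupMember`) and is meant to be run by the account in question; the group name `Administrators` is the built-in one, and no other names are taken from the page.

```powershell
# Added example (not from the thread): three ways an application might decide whether
# the current user "is an administrator", and why they can disagree.
#
# Assumptions: Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts
# module, run interactively as the user being tested on the server in question.

# Check 1: the access token. The token is built at logon, so a group added after
# logon is not in it until the user logs off and back on (the re-logon point made in
# the thread). Nested membership (user -> domain group -> local Administrators) IS
# reflected here, because the logon process expands nesting when it builds the token.
function Test-AdminByToken {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # With UAC enabled, an unelevated process carries the Administrators SID as
    # deny-only, so this returns $false until the process is elevated.
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Check 2: list the DIRECT members of the local Administrators group and look for the
# user's own SID. A domain group that contains the user shows up as one member with
# ObjectClass 'Group'; the user's SID itself is never listed, so this check fails
# unless the account was added directly. This is the kind of check that would produce
# the behaviour the author saw (works only when the user is a direct member).
function Test-AdminByDirectMembership {
    param([string]$GroupName = 'Administrators')
    $userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    foreach ($m in Get-LocalGroupMember -Group $GroupName) {
        if ($m.ObjectClass -eq 'User' -and $m.SID.Value -eq $userSid) { return $true }
    }
    return $false
}

# Check 3: same enumeration, but accept a member if its SID is the user's SID OR any
# group SID already present in the token. The token already carries every group the
# user belongs to (nested or not), so no directory query is needed. This is the
# check an application should use if it insists on enumerating the group itself.
function Test-AdminByNestedMembership {
    param([string]$GroupName = 'Administrators')
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
    foreach ($m in Get-LocalGroupMember -Group $GroupName) {
        if ($tokenSids -contains $m.SID.Value) { return $true }
    }
    return $false
}

# Report the three answers side by side. If TokenSaysAdmin and MemberViaAnyTokenGroup
# are true while DirectMemberOfAdmins is false, the account is an administrator through
# a nested group only, and any software that fails in that state is doing check 2.
[pscustomobject]@{
    User                   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    TokenSaysAdmin         = Test-AdminByToken
    DirectMemberOfAdmins   = Test-AdminByDirectMembership
    MemberViaAnyTokenGroup = Test-AdminByNestedMembership
}
```

Run it from a fresh logon after the group change; if `TokenSaysAdmin` is false even though the group membership is in place, the session predates the change and the token has not been rebuilt, which is the re-logon situation described in the thread. `whoami /groups` gives the same token view from a plain command prompt and is a quick way to confirm whether `BUILTIN\Administrators` is present in the current session.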