wiscombep

asked on

Software requires user's account to be a member of the local Administrators group

I am assisting a vendor in installing software on one of our servers. The software requires that the user be a member of the local Administrators group to install. This is fairly standard.

As a policy, we do not add users directly to the local Admins group. They need to be added to a domain users group and then that group can be added to the server's local admin group.

We created a domain users group for the vendors from this company. Added the users' accounts to this group and then added the group to the local administrators group on the server.

The software would not install and the vendor stated that the reason was that the users needed to be added directly to the Administrators group. I tried that and it worked.

I am not looking for a solution on how to install the software, rather I am looking for an explanation as to why there would be a difference in adding a domain user account to a local group, vs adding a group they are a member of.
Joseph Moody

If you install the software as an admin and then execute it as a standard user, will it work?
You could schedule it and use an admin account.
You like that schedule trick don't you. :)
There shouldn't be a difference between these methods at all. It should be noted, though, that if the user was logged in when you added the group to the Local Admins, they would have had to log out and back in before the security token would reflect the change. Same with adding the user directly to the local admins group.
wiscombep

ASKER

Again, I am not trying to find a solution to installing the software.
I put the user's account DIRECTLY into the local administrators group and was able to install the software. The issue is that we have a corporate policy that we don't have individual users added to local administrator groups. Rather we create domain groups, add the users to the groups, and then add the domain group to the local group.

The question is: Why would there be a difference in adding a user directly vs. adding a group that they are a member of.
yeah Jmoody10 schedule is a pretty good work around.
What software requires users to be a member of the domain administrator's group. I want to make sure to avoid that software like the plague.

Running software as a local administrator should be sufficient. Some file folders containing data edits within the file folders in program files of the local machine. That's the reason some older software requires LOCAL administrator privileges on that file folder, (not the entire computer).

If you practice LEAST USER AUTHORIZATION, you will want to grant those users least privileges on a computer network. This would NOT include adding every one of them to the domain administrator's group. This sounds to me like a lazy vendor of software that doesn't want to tell you what files and folders to grant local administrator privileges to.

A MUCH better means to grant privileges is to grant these users power user privileges. OR you can use a program called Beyond Trust that allows you to create privileges for specific files.

If you ask me, grab a test machine, and grant privileges in program files and needed files (that could include registry edits) of these users locally.
ChiefIT, I didn't say that they needed to be a member of the Domain Administrators group. The question being asked is: Why would there be a difference between adding a user's account directly to the local administrators group, and adding a group of which that person was a member.

Wiscombep, there isn't a technical difference between the two methods. The difference would more likely be whether the user was logged in when you made the changes or not. If the user was logged in to the system when you added the user to the domain group, then added the group to the local admins group, the changes don't take effect until the user logs out, as I said earlier. I think my earlier post may have gotten lost in the mix :D
SOLUTION
Ron Malmstead
This solution is only available to members.
We add local groups to global groups all the time. Local groups will imply that you are setting permissions (per group) on the file folders locally. Then, global groups would be active directory user groups that would have permissions to those files. That works. I never tried adding global groups to global groups, (meaning AD accounts to AD accounts). So, you will have to create two groups:
-one local for local permissions to files and folders or the entire computer locally
-one global for global AD users.
OOPs>>got the first sentence backwards.

We add global groups to local groups:

An example would be a group local that has full control over the file shares. Then, we have a global group of, let's say, finance personnel that belong to that local group that has full control. It would look like this:

Global group of G_Finance_Personell belongs to local group L_finance_files_full control. L_finance_full_control has to have full control permissions on the finance files.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Got updated information from the vendor. It turns out the installation is successful but it will not run properly if the user isn't directly a member of the admins group. No error message, but the software doesn't show any available elements.

Basically what I have received here is a confirmation that there really isn't any difference between having the user in a global group vs. directly in the local group, but that it is probably an issue with the software in how it is checking permissions.

Thanks to those who replied
No problem!
Yes, there is no difference. But, it can get confusing when administering permission sets. It's best to use Local on the file permissions and Global for AD users. Then, marry the Global groups to the local groups.

Example:
File share>>Local group of the file share<<Global group<<users of the global group

How this lays out is:
File share>>L_fileshare_full control<<G_fileshare_full<<AD administrators of the file share
or
File share>>L_fileshare_read only<<G_Fileshare_readonly<<AD users of the file share with read only permissions

We also have an application called CARIS that requires power user or full permissions on the program files>>CARIS folder for users on the domain. CARIS is a proprietary program that is used for manually editing multibeam data. In staying within Federal ITSEC policies, I have to prevent users from being local administrators. So, I have to go to each machine's local program files folder and add a local full permissions on the CARIS program files folder, then add our department as a group that uses the program.  

good possible reasons. Not known if they were accurate.

Original post was not looking for a "solution" so much as for a reason why the solution would work.
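
The thread ends on the idea that the software is probably checking permissions in its own way. The PowerShell below is an added example, not code from any poster or from the vendor. It contrasts a check against the Administrators group's direct member list with a check against the user's access token. That the application uses the first kind of check is an assumption made for illustration. Run it in an elevated PowerShell 5.1+ session on the server, logged on as the account being tested.

```powershell
# Added example: two ways to answer "is this user a local administrator?"
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$adminSid  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')  # BUILTIN\Administrators

# Check 1 (assumed application behaviour): search the group's DIRECT member list.
# Get-LocalGroupMember returns a nested domain group as a single entry and does
# not expand it, so a user who is admin only through that group is not found.
$direct         = @(Get-LocalGroupMember -SID $adminSid)
$listedDirectly = $direct.SID.Value -contains $identity.User.Value

# Which direct members are groups that the current token carries? These are the
# groups that actually grant this user administrator rights.
$tokenGroupSids = $identity.Groups.Value
$viaGroups      = $direct | Where-Object { $tokenGroupSids -contains $_.SID.Value }

# Check 2 (token based): the token is built at logon with nested memberships
# already resolved, so direct and nested membership give the same answer.
# It also means a membership change made while the user is logged on is not
# visible until the next logon. In a non-elevated UAC session the Administrators
# SID is deny-only and this returns False, hence the elevated session.
$tokenIsAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    User            = $identity.Name
    ListedDirectly  = $listedDirectly            # what check 1 sees
    GrantedVia      = $viaGroups.Name -join ', ' # nested groups granting admin
    TokenIsAdmin    = $tokenIsAdmin              # what Windows access checks use
}
```

A result of `ListedDirectly = False` with `TokenIsAdmin = True` is the situation in this thread: Windows treats the user as an administrator, and only a check of the first kind would disagree.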