This is related to Local Admin's right. A user who has got this local admin's rights will be able to install " a program or anything"; I believe the Domain Admin has this capability automatically.
To make it clear what I mean with this "local admin's rights", please see the followings:
- Say it; the domain's name is "Boba"; there is a user called "James White" which is read as " Boba\jwhite "
The normal way to make this user (=Boba\jwhite) having the "local admin's rights" by following the below PATH.
PATH : At a workstation please do the followings: right-click "my computer" > select "manage" > expand "local users and groups" > highlight "groups" > double-click "administrators " (on the right pane) > click "Add" > select "Boba\jwhite" --> then the user jwhite will be able to install "everything" in the workstation.
But there is an other way, to make "Boba\jwhite" having the "local admin's right"; I saw this method at a company. The arrangement is as the followings:
- The company created a group called "Boba local Admin" group
- Whenever a user say it Boba\jwhite wants to install "something" in the workstation, the Security Administrator will ADD "Boba\jwhite" to "Boba Local Admin" group. This user --> "Boba\jwhite" will be given a day to install; then, the next day "Boba\jwhite" will be taken out from the "Boba Local Admin" group; so he will not be able to install "anything" anymore.
My question: Somebody knows How to create the above "Boba Local Admin" group? (please provide a little bit steps).