jbpnet
asked on
2008 server GPO to create a Temp Local Admin Account
This seems to be the 'Question' that understandably is encased in a 'Grey' area. I have a project to allow our Windows 7 Desktop users to install (Work) Applications as needed without full local admin rights like our previous Windows XP-Power User account allowed.
Here is what I do know and from this I hope someone can give me their knowledge:
1) The Power User account for Windows 7 has been downgraded for Application installations.
2) UAC is the new controller used for installations.
3) I need to use a GPO to allow/prevent permissions for user to be able to install applications when instructed to do so.
4) My main goal is to remove as much IT interaction as possible.
5) My thoughts were looking at the GPOE-User Configs-Preferences-Control Panel-Local Users and Groups and allowing the users to be added to the local admin group temporarily until the application has been installed.
6) We do not want to push-install the applications ourselves as they will be presented at different times etc. We want to allow the corresponding application group to have the users go to a share drive and install the app from there. (Hence taking IT out of the picture - unless we need to tune on the GPO we have created for a certain date etc.)
7) I am also willing to accept my request being too broad to resolve all areas with one fix.
Here is what I need to know:
1) What have you successfully been able to do for this task through GPO?
Thank you ALL,
jbpnet
ASKER
That is one of the parts of the problem as the applications will vary. So our thinking is we want to allow the users to install these on certain dates by turning on the GPO when needed. But not sure what GPO settings to use to allow to do that.
There are ways to deploy applications per user.
You could look into using a loopback GPO that will perform the software install per user (merge) with system level rights (without user interaction or ability to).
http://technet.microsoft.com/en-us/library/bb742421.aspx
You could test the publish option and see whether that is what you are looking for.
http://support.microsoft.com/kb/231747
References older OS, but could apply.
Test first in a test Computer OU.
ASKER
The thing is we want user interaction. Once the install has completed it would pull them out of the elevated installation level.
You could use login scripts that will run with elevated rights to initiate the install; the problem is the user could then use the same process to install other things.
ASKER
Do you have any examples of elevated scripts?
ASKER
Thanks Arnold for all the help. It looks like I will have to either use that runasspc (which works very well BTW) or install through GPO or allow users to do installs on a certain date (set them as Local Admin through GPO for the install or date/time).
Using rights assignment is one way, though other applications, i.e. corporate anti-virus (i.e. SEP, McAfee, etc.), might bar non-administrator accounts from installing.
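A check to pair with the temporary local-admin approach discussed in this thread, as an added example that is not part of any poster's reply: it lists the local Administrators group on a client and flags members that are neither permanent nor covered by an unexpired temporary grant. The baseline names, the grant table and the English group name `Administrators` are assumptions; the ADSI WinNT provider is used so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: audit local Administrators membership after a temporary grant window.
# $Baseline and $TempGrants hold constructed sample values; replace them with your own.
$Baseline   = @('PC01\Administrator', 'CORP\Domain Admins')      # hypothetical permanent members
$TempGrants = @{ 'CORP\jdoe' = [datetime]'2024-01-15 18:00' }    # hypothetical account -> expiry

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Assumes the group is named "Administrators" (English-language Windows).
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/user or WinNT://DOMAIN/COMPUTER/user -> keep the last two parts.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 2) { $qualified = $parts[-2] + '\' + $parts[-1] }
        else                    { $qualified = $parts[0] }   # e.g. an orphaned SID
        New-Object PSObject -Property @{ Account = $qualified; ADsPath = $path }
    }
}

function Test-AdminMembership {
    param($Members, [string[]]$Baseline, [hashtable]$TempGrants, [datetime]$Now = (Get-Date))
    foreach ($m in $Members) {
        if ($Baseline -contains $m.Account) {
            $status = 'Baseline'
        } elseif ($TempGrants.ContainsKey($m.Account)) {
            # A grant past its expiry means the removal step did not take effect.
            if ($TempGrants[$m.Account] -gt $Now) { $status = 'TemporaryActive' }
            else                                  { $status = 'TemporaryExpired' }
        } else {
            $status = 'Unexpected'
        }
        New-Object PSObject -Property @{ Account = $m.Account; Status = $status; ADsPath = $m.ADsPath }
    }
}

$report = @(Test-AdminMembership -Members (Get-LocalAdminMember) -Baseline $Baseline -TempGrants $TempGrants)
$report | Select-Object Account, Status, ADsPath | Format-Table -AutoSize

# Entries that need follow-up: expired temporary grants and accounts nobody approved.
$report | Where-Object { $_.Status -eq 'TemporaryExpired' -or $_.Status -eq 'Unexpected' } |
    Select-Object Account, Status
```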