Avatar of jbpnet
 asked on

2008 server GPO to create a Temp Local Admin Account

This seems to be the 'Question' that understandably is encased in a 'Grey' area. I have a project to allow our Windows 7 Desktop users to install (Work) Applications as needed without full local admin rights like our previous Windows XP-Power User account allowed.

Here is what I do know and from this I hope someone can give me their knowledge:
1) The Power User account for Windows 7 has been downgraded for Application installations.
2) UAC is the new controller used for installations.
3) I need to use a GPO to allow/prevent permissions for user to be able to install applications when instructed to do so.
4) My main goal is to remove as much IT interaction as possible.
5) My thoughts were looking at the GPOE-User Configs-Preferences-Control Panel-Local Users and Groups and allowing the users to be added to the local admin group temporarily until the application has been installed.
6) We do not want to push-install the applications ourselves as they will be presented at different times etc. We want to allow the corresponding application group to have the users go to a share drive and install the app from there. (Hence taking IT out of the picture - unless we need to tune on the GPO we have created for a certain date etc.)
7) I am also willing to accept my request being to broad to resolve all areas with one fix.

Here is what I need to know:
1) What have you successfully be able to do this task through GPO?

Thank you ALL,
Microsoft Legacy OSOS SecuritySecurity

Avatar of undefined
Last Comment

8/22/2022 - Mon

Depending on what applications you are talking about, software installation via GPO might be what could help.
 Using rights assignment is one way, though other applications I.e. corporate anti-virus I.e. sep, mcaffee, etc. might bar non administrator account from installing.

That is one of the parts of the problem as the applications will vary. So our thinking is we want to allow the users to install these on certain dates by turning on the GPO when needed. But not sure what GPO settings to use to allow to do that.

There are ways to deploy applications per user.

You could look into using a loopback GPO that will perform the software install per user (merge) with system level rights (without user interaction or ability to).


You could test the publish option and see whether that is what you are looking for.


References older OS, but could apply.

Test first in a test Computer OU.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy

The thing is we want user interaction. Once the install has completed it would pull them out of the elevated installation level.

You could use login scripts that will run with elevated rights to initiate the install, the problem is the user could then use the same process to install other things.

Do you have any examples of elevated scripts?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

Thanks Arnold for all the help. It looks like I will have to either use that runasspc (which works very well BTW) or install through GPO or allow users to do installs on a certain date (set them as Local Admin through GPO for the install or date/time).