2008 server GPO to create a Temp Local Admin Account

jbpnet
This seems to be the 'Question' that understandably is encased in a 'Grey' area. I have a project to allow our Windows 7 Desktop users to install (Work) Applications as needed without full local admin rights like our previous Windows XP-Power User account allowed.

Here is what I do know and from this I hope someone can give me their knowledge:
1) The Power User account for Windows 7 has been downgraded for Application installations.
2) UAC is the new controller used for installations.
3) I need to use a GPO to allow/prevent permissions for user to be able to install applications when instructed to do so.
4) My main goal is to remove as much IT interaction as possible.
5) My thoughts were looking at the GPOE-User Configs-Preferences-Control Panel-Local Users and Groups and allowing the users to be added to the local admin group temporarily until the application has been installed.
6) We do not want to push-install the applications ourselves as they will be presented at different times etc. We want to allow the corresponding application group to have the users go to a share drive and install the app from there. (Hence taking IT out of the picture - unless we need to turn on the GPO we have created for a certain date etc.)
7) I am also willing to accept my request being too broad to resolve all areas with one fix.


Here is what I need to know:
1) What have you successfully been able to do for this task through GPO?


Thank you ALL,
jbpnet
Distinguished Expert 2017

Commented:
Depending on what applications you are talking about, software installation via GPO might be what could help.
Using rights assignment is one way, though other applications, i.e. corporate anti-virus, i.e. SEP, McAfee, etc., might bar non-administrator accounts from installing.

Author

Commented:
That is one of the parts of the problem as the applications will vary. So our thinking is we want to allow the users to install these on certain dates by turning on the GPO when needed. But not sure what GPO settings to use to allow to do that.
Distinguished Expert 2017

Commented:
There are ways to deploy applications per user.

You could look into using a loopback GPO that will perform the software install per user (merge) with system level rights (without user interaction or ability to).

http://technet.microsoft.com/en-us/library/bb742421.aspx

You could test the publish option and see whether that is what you are looking for.

http://support.microsoft.com/kb/231747

References older OS, but could apply.

Test first in a test Computer OU.

Author

Commented:
The thing is we want user interaction. Once the install has completed it would pull them out of the elevated installation level.
Distinguished Expert 2017

Commented:
You could use login scripts that will run with elevated rights to initiate the install, the problem is the user could then use the same process to install other things.

Author

Commented:
Do you have any examples of elevated scripts?
Distinguished Expert 2017
Commented:
You can encode the runas /user
http://www.snapfiles.com/get/runasspc.html

Author

Commented:
Thanks Arnold for all the help. It looks like I will have to either use that runasspc (which works very well BTW) or install through GPO or allow users to do installs on a certain date (set them as Local Admin through GPO for the install or date/time).
