Allow Domain Users to Install Software locally on their computers

Posted on 2012-09-18
Last Modified: 2012-10-11
On a Windows 2008 R2 server I would like to allow users to be able to Install Software locally on their computers, by using a GPO Policy.

I have tried creating a GPO called "Local Admin Rights" and linking this to the OU which contains the machines. The settings are:
Computer Config>Policies>Windows Settings>Security Settings>Restricted Groups
Group Name: Domain\Local Admin Rights
This group is a member of: Administrators (I added builtin\administrators but when you go back into the GPO it only shows Administrators)

I have also added the Group "Local Admin Rights" to the users but this is not working. users still cannot install software locally. I am wondering if there may be another setting somewhere that I am missing?
Question by:CommodoreS
    LVL 18

    Expert Comment

    by:Sushil Sonawane
    To allow users to install software specific software you need to target the applicaiton install to the users account... not the computer

    Users > Policy > Software Settings > Software installtion then go New > Package... Select the Advanced option and then change the Deployment type to "Published"... This will give you users an option to install the program via Add/Remove Programs...

    Please refer below link



    You can make a domain user as local administrator through GPO for all pcs.

    LVL 39

    Expert Comment

    by:Krzysztof Pytko
    Everything looks good. Have you ran
    gpupdate /force

    Open in new window

    and rebooted client machine to get it applied? This is computer configuration policy which is loaded during computer startup process. After that, check in local administrators group if policy was applied.

    When you reboot computer, please also run in command-line
    gpresult /z >c:\gpresult.log

    Open in new window

    and attach it here for analyze, please (but only in case that it is still not working)

    LVL 16

    Expert Comment

    If it is only specific software then the solution above should do the trick. Otherwise if you really want to have the users local admin rights your procedure seems to be ok. CAn you verify that the GPO gets applied to the computers? Did you do a gpupdate /force on the target machine? What does the Group Policy Result Wizard say?
    LVL 23

    Expert Comment

    by:Nagendra Pratap Singh
    All users have admin rights on all workstations?
    LVL 39

    Accepted Solution

    Oh and one more thing as you have Windows Server 2008R2.
    It is much more better to use Group Policy Preferences (GPP) to achieve that instead of Restricted Groups. please see that article at

    to be able to apply GPP on Windows XP/2003 you need to install Client Side Extension (CSE) first. You can download it from

    for XP

    for 2003

    or push update from WSUS

    after that, those clients would be able to use GPP. Windows 7 and above OSes process GPP natively


    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
    Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
    This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
    This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now