[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 9020
  • Last Modified:

Allow Domain Users to Install Software locally on their computers

On a Windows 2008 R2 server I would like to allow users to be able to Install Software locally on their computers, by using a GPO Policy.

I have tried creating a GPO called "Local Admin Rights" and linking this to the OU which contains the machines. The settings are:
Computer Config>Policies>Windows Settings>Security Settings>Restricted Groups
Group Name: Domain\Local Admin Rights
This group is a member of: Administrators (I added builtin\administrators but when you go back into the GPO it only shows Administrators)

I have also added the Group "Local Admin Rights" to the users but this is not working. users still cannot install software locally. I am wondering if there may be another setting somewhere that I am missing?
1 Solution
Sushil SonawaneCommented:
To allow users to install software specific software you need to target the applicaiton install to the users account... not the computer

Users > Policy > Software Settings > Software installtion then go New > Package... Select the Advanced option and then change the Deployment type to "Published"... This will give you users an option to install the program via Add/Remove Programs...

Please refer below link



You can make a domain user as local administrator through GPO for all pcs.

Krzysztof PytkoActive Directory EngineerCommented:
Everything looks good. Have you ran
gpupdate /force

Open in new window

and rebooted client machine to get it applied? This is computer configuration policy which is loaded during computer startup process. After that, check in local administrators group if policy was applied.

When you reboot computer, please also run in command-line
gpresult /z >c:\gpresult.log

Open in new window

and attach it here for analyze, please (but only in case that it is still not working)

If it is only specific software then the solution above should do the trick. Otherwise if you really want to have the users local admin rights your procedure seems to be ok. CAn you verify that the GPO gets applied to the computers? Did you do a gpupdate /force on the target machine? What does the Group Policy Result Wizard say?
Nagendra Pratap SinghCommented:
All users have admin rights on all workstations?
Krzysztof PytkoActive Directory EngineerCommented:
Oh and one more thing as you have Windows Server 2008R2.
It is much more better to use Group Policy Preferences (GPP) to achieve that instead of Restricted Groups. please see that article at

to be able to apply GPP on Windows XP/2003 you need to install Client Side Extension (CSE) first. You can download it from

for XP

for 2003

or push update from WSUS

after that, those clients would be able to use GPP. Windows 7 and above OSes process GPP natively


Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now