  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 278

How do I give a regular user privileges to install and uninstall programs on various workstations without giving full admin rights?

I would like to allow a specific user the ability to periodically install/uninstall applications on Windows 7 Pro workstations without giving full admin rights.  The server is SBS 2011 Essentials.  I am a relative newbie to administering the server, so I may need a step by step starting from being logged into the server.
Asked by: eeyo
1 Solution
 
Scott Thomson Commented:
There aren't many ways to do this.

The easiest is to create a -p account (-p stands for privilege).
You can add the -p account to those specific machines with no other permissions attached to it (e.g. no network drives or permissions on the file server), and the user can use Shift + right-click to get "Run as" and then he can uninstall things.

This will allow full permissions on this account to those machines but if he just uses "run as" then he will not really get to use the full permissions.

The advantage of this method is that you can specify each machine he can use the -p account on, and if used correctly it will minimise the chances of allowing him to screw something up.
 
Cliff Galiher Commented:
Keep in mind that there is a BBBIIIGGG difference between local admin rights and domain admin rights. To install programs, by far the easiest way is to add the user to the *local* admin group for the machine you want software installed on. They won't have domain admin privileges at all.

Realistically, while you could try to get away with less, the rights that it takes to install software (registering DLLs, etc.) are so expansive that any attempt to lock the account down would be easily surpassed anyways. So there isn't much reason to not just go local admin.

Now there *are* 3rd party utilities that use impersonation tokens to keep the account truly secure. But Windows provides no native way to do this. So if you *really* want to keep the account privileges as a regular user but still have it install software, you'll have to spend money. And no small amount.
 
McKnife Commented:
What people often forget is that we can assign software to users. You could assign the setups to your support user, and whenever he logs on to any computer he may then install them using appwiz.cpl -> install programs from the network. He does not need admin rights, and he will also be able to uninstall programs installed that way. http://technet.microsoft.com/en-us/library/cc783635(v=ws.10).aspx
 
eeyo (Author) Commented:
"we can assign software to users. You could assign the setups to your support user, and whenever he logs on to any computer he may then install them using appwiz.cpl -> install programs from the network."
This looks promising.  I am new to Group Policy, but I gave it a try but couldn't figure it out.  On the server (SBS 2011 Essentials), I have opened up Group Policy Management > Forest mydomain.local > Domains > mydomain.local ...  now I have these options:
Default Domain Policy
Domain Controllers
Users (mydomain)
Group policy objects
WMI Filters
Starter GPOs
I edited the Default Domain Policy to add the software, rebooted the server, rebooted client desktop (Win 7 Pro), but no love.  Nothing appeared using appwiz.cpl->install programs from the network.
Any thoughts?
 
McKnife Commented:
Two mistakes: first, use an extra policy, otherwise anyone will be able to install. Second, configure it in the user policy part.
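The two corrections in the last reply (a separate GPO instead of the Default Domain Policy, and the user half of the policy), sketched in PowerShell as an added example that is not part of the original thread. The GPO name and the account name are placeholders, and the cmdlets are the GroupPolicy module names on Server 2008 R2 (newer servers also accept them as aliases of the singular `Get-GPPermission`/`Set-GPPermission`).

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the server.
Import-Module GroupPolicy

$GpoName     = 'Support - Software Install'   # placeholder name for the extra GPO
$SupportUser = 'support.user'                 # placeholder sAMAccountName of the installer account
$DomainDN    = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

# 1. Dedicated GPO, so the Default Domain Policy is left alone.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User-assigned software for the support account'
}

# 2. The packages belong under User Configuration, so switch off the computer half.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 3. Security filtering: a new GPO applies to Authenticated Users by default.
#    Demote that group to read-only (client computers still need read access to
#    fetch the GPO) and let only the support account apply it.
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermissions -Name $GpoName -TargetName $SupportUser -TargetType User `
    -PermissionLevel GpoApply | Out-Null

# 4. Link at the domain root; the filter above decides who actually receives it.
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# 5. Check: anyone other than the support account holding GpoApply would be
#    offered the same installers.
$unexpected = Get-GPPermissions -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $SupportUser }
if ($unexpected) {
    Write-Warning ("Unexpected GpoApply trustees: " + (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '))
} else {
    Write-Output "Only '$SupportUser' applies '$GpoName'."
}

# The packages themselves have no cmdlet: add them in the Group Policy editor under
# User Configuration > Policies > Software Settings > Software installation,
# pointing at a UNC share the support account can read.
```

After the support account logs on again (or `gpupdate /force` is run in its session), `gpresult /r` on the workstation should list the GPO under the user's applied policies.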
