Solved

How do I give a regular user privileges to install and uninstall programs on various workstations without giving full admin rights?

Posted on 2014-07-29
Last Modified: 2014-12-02
I would like to allow a specific user the ability to periodically install/uninstall applications on Windows 7 Pro workstations without giving full admin rights.  The server is SBS 2011 Essentials.  I am a relative newbie to administering the server, so I may need a step by step starting from being logged into the server.
Question by:eeyo
5 Comments
 
LVL 10

Expert Comment

by:Scott Thomson
ID: 40228290
There aren't many ways for this..

The easiest is to create a -p account (-p stands for privilege).
You can add the -p account to those specific machines with no other permissions attached to it (e.g. no network drives or permissions on the file server), and the user can Shift + right-click to get "run as" and then he can uninstall things.

This will allow full permissions on this account to those machines but if he just uses "run as" then he will not really get to use the full permissions.

The advantage of this method is you can specify each machine he can use the -p account on, and if used correctly it will minimise the chances of allowing him to screw something up.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40228291
Keep in mind that there is a BBBIIIGGG difference between local admin rights and domain admin rights. To install programs, by far the easiest way is to add the user to the *local* admin group for the machine you want software installed on. They won't have domain admin privileges at all.

Realistically, while you could try to get away with less, the rights that it takes to install software...registering DLLs, etc...are so expansive that any attempt to lock the account down would be easily surpassed anyway. So there isn't much reason to not just go local admin.

Now there *are* 3rd party utilities that use impersonation tokens to keep the account truly secure. But Windows provides no native way to do this. So if you *really* want to keep the account privileges as a regular user but still have it install software, you'll have to spend money. And no small amount.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40230655
What people often forget is that we can assign software to users. You could assign the setups to your support user, and whenever he logs on to any computer he may then install them using appwiz.cpl->install programs from the network. He does not need admin rights, and he will also be able to uninstall programs installed that way. http://technet.microsoft.com/en-us/library/cc783635(v=ws.10).aspx
0
 

Author Comment

by:eeyo
ID: 40231009
"we can assign software to users. You could assign the setups to your support user and whenever he logs on to any computer he may then install them using appwiz.cpl->install programs from the network."
This looks promising.  I am new to Group Policy, but I gave it a try but couldn't figure it out.  On the server (SBS 2011 Essentials), I have opened up Group Policy Management > Forest mydomain.local > Domains > mydomain.local ...  now I have these options:
Default Domain Policy
Domain Controllers
Users (mydomain)
Group policy objects
WMI Filters
Starter GPOs
I edited the Default Domain Policy to add the software, rebooted the server, rebooted client desktop (Win 7 Pro), but no love.  Nothing appeared using appwiz.cpl->install programs from the network.
Any thoughts?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40231052
Two mistakes: first, use an extra policy, otherwise anyone will be able to install. Second, configure it in the user policy part.
0
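The correction in the last comment (a separate policy, scoped to one user, configured in the user half) can be scripted with the GroupPolicy module. This is an added example, not code from the thread: the GPO name and the account name `support.user` are assumptions, and the software package itself is still added in the Group Policy editor.

```powershell
# Added example. $GpoName and $SupportUser are hypothetical names;
# mydomain.local is the domain the asker mentions.
Import-Module GroupPolicy

$GpoName     = 'Support - Software Install'   # hypothetical GPO name
$SupportUser = 'support.user'                 # hypothetical account name
$DomainDn    = 'DC=mydomain,DC=local'

# 1. Create a dedicated GPO instead of editing the Default Domain Policy,
#    which applies to every user and computer in the domain.
$gpo = New-GPO -Name $GpoName `
    -Comment 'User-targeted software installation for the support account'

# 2. The package goes in the user half, so switch the computer half off.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 3. Security filtering: by default Authenticated Users can apply a new GPO.
#    Downgrade them to read-only, then let only the support account apply it.
#    (Plural cmdlet names are used because they work on Server 2008 R2,
#    the base of SBS 2011, and remain as aliases on later versions.)
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermissions -Name $GpoName -TargetName $SupportUser `
    -TargetType User -PermissionLevel GpoApply

# 4. Link the GPO at the domain root; the filtering above keeps it
#    from applying to anyone except the support account.
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes

# 5. Review the resulting delegation before adding any package.
Get-GPPermissions -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# 6. Manual step: edit the GPO and add the MSI under
#    User Configuration > Policies > Software Settings > Software installation,
#    pointing at a UNC share path the support account can read.
```

After the package is added, have the support account log off and on at a workstation and run `gpresult /r` there to confirm the GPO is listed under the applied user policies.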
