Solved

How do I give a regular user privileges to install and uninstall programs on various workstations without giving full admin rights?

Posted on 2014-07-29
Last Modified: 2014-12-02
I would like to allow a specific user the ability to periodically install/uninstall applications on Windows 7 Pro workstations without giving full admin rights.  The server is SBS 2011 Essentials.  I am a relative newbie to administering the server, so I may need a step by step starting from being logged into the server.
0
Question by:eeyo
5 Comments
 
LVL 10

Expert Comment

by:Scott Thomson
ID: 40228290
There aren't many ways for this..

The easiest is to create a -p account (-p stands for privilege).
You can add the -p account to those specific machines with no other permissions attached to it (e.g. no network drives or permissions on the file server), and the user can use Shift + right click to get "run as" and then he can uninstall things.

This will allow full permissions on this account to those machines but if he just uses "run as" then he will not really get to use the full permissions.

The advantage of this method is you can specify each machine he can use the -p account on, and if used correctly it will minimise the chances of allowing him to screw something up.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40228291
Keep in mind that there is a BBBIIIGGG difference between local admin rights and domain admin rights. To install programs, by far the easiest way is to add the user to the *local* admin group for the machine you want software installed on. They won't have domain admin privileges at all.

Realistically, while you could try to get away with less, the rights that it takes to install software...registering DLLs, etc...are so expansive that any attempt to lock the account down would be easily surpassed anyways. So there isn't much reason to not just go local admin.

Now there *are* 3rd party utilities that use impersonation tokens to keep the account truly secure. But Windows provides no native way to do this. So if you *really* want to keep the account privileges as a regular user but still have it install software, you'll have to spend money. And no small amount.
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 40230655
What people often forget is that we can assign software to users. You could assign the setups to your support user, and whenever he logs on to any computer he may then install them using appwiz.cpl->install programs from the network. He does not need admin rights, and he will also be able to uninstall programs installed that way. http://technet.microsoft.com/en-us/library/cc783635(v=ws.10).aspx
0
 

Author Comment

by:eeyo
ID: 40231009
we can assign software to users.  You could assign the setups to your support user and whenever he logs on to any computer he may then install them using appwiz.cpl->install programs from the network.
This looks promising.  I am new to Group Policy, but I gave it a try but couldn't figure it out.  On the server (SBS 2011 Essentials), I have opened up Group Policy Management > Forest mydomain.local > Domains > mydomain.local ...  now I have these options:
Default Domain Policy
Domain Controllers
Users (mydomain)
Group policy objects
WMI Filters
Starter GPOs
I edited the Default Domain Policy to add the software, rebooted the server, rebooted client desktop (Win 7 Pro), but no love.  Nothing appeared using appwiz.cpl->install programs from the network.
Any thoughts?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40231052
Two mistakes: first, use an extra policy, otherwise anyone will be able to install. Second, configure it in the user policy part.
0
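
The separate, user-scoped policy described in the last two replies can be set up from PowerShell on the server. This is an added example, not code posted by anyone in the thread. The GPO name, the account name `supportuser` and the link target are assumptions; `mydomain.local` is the domain name as written in the question.

```powershell
# Added example: a dedicated GPO that publishes software to ONE user,
# instead of editing Default Domain Policy (which applies to everyone).
# Run in an elevated PowerShell session on the domain controller.
Import-Module GroupPolicy

$GpoName     = 'Support - Published Software'  # hypothetical GPO name
$SupportUser = 'supportuser'                   # hypothetical support account
$Domain      = 'mydomain.local'                # domain as written in the thread
$Target      = 'DC=mydomain,DC=local'          # link point; must contain the user object

# 1. Create the extra policy.
$gpo = New-GPO -Name $GpoName -Domain $Domain `
               -Comment 'Publishes installers to the support user only'

# 2. Only the User Configuration half is used, so switch the computer half off.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 3. Security filtering: Authenticated Users keep Read (so the GPO can still be
#    evaluated) but lose Apply; only the support account gets Apply.
#    The plural cmdlet names are used because they exist on Server 2008 R2
#    (the base of SBS 2011 Essentials) and remain as aliases on later versions.
Set-GPPermissions -Guid $gpo.Id -Domain $Domain -TargetName 'Authenticated Users' `
                  -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermissions -Guid $gpo.Id -Domain $Domain -TargetName $SupportUser `
                  -TargetType User -PermissionLevel GpoApply

# 4. Link the GPO so it is processed when the support user logs on.
New-GPLink -Guid $gpo.Id -Domain $Domain -Target $Target -LinkEnabled Yes

# 5. Review the resulting filter: exactly one trustee should hold GpoApply.
Get-GPPermissions -Guid $gpo.Id -Domain $Domain -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 6. The package itself is added in the Group Policy Management Editor:
#    User Configuration > Policies > Software Settings > Software installation
#    > New > Package, using a UNC path to the .msi and choosing "Published".
#    The support account needs read access to that share.

# 7. On the Windows 7 client, logged on as the support user:
#      gpupdate /force
#      gpresult /r /scope user    # the new GPO should be listed as applied
```

If `gpresult` lists the GPO under the filtered-out objects, check the security filtering from step 3 and that the link target from step 4 contains the user account.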

Question has a verified solution.
