Solved

How do I give a regular user privileges to install and uninstall programs on various workstations without giving full admin rights?

Posted on 2014-07-29
5
245 Views
Last Modified: 2014-12-02
I would like to allow a specific user the ability to periodically install/uninstall applications on Windows 7 Pro workstations without giving full admin rights.  The server is SBS 2011 Essentials.  I am a relative newbie to administering the server, so I may need a step by step starting from being logged into the server.
Question by:eeyo
5 Comments
 
LVL 10

Expert Comment

by:Scott Thomson
ID: 40228290
There aren't many ways for this..

The easiest is to create a -p account (-p stands for privilege).
You can add the -p account to those specific machines with no other permissions attached to it (e.g. no network drives or permissions on the file server), and the user can use Shift + right click to get "Run as", and then he can uninstall things.

This will allow full permissions on this account to those machines but if he just uses "run as" then he will not really get to use the full permissions.

The advantage of this method is you can specify each machine he can use the -p account on, and if used correctly it will minimise the chances of allowing him to screw something up.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40228291
Keep in mind that there is a BBBIIIGGG difference between local admin rights and domain admin rights. To install programs, by far the easiest way is to add the user to the *local* admin group for the machine you want software installed on. They won't have domain admin privileges at all.

Realistically, while you could try to get away with less, the rights that it takes to install software...registering DLLs, etc...are so expansive that any attempt to lock the account down would be easily surpassed anyway. So there isn't much reason not to just go local admin.

Now there *are* 3rd party utilities that use impersonation tokens to keep the account truly secure. But Windows provides no native way to do this. So if you *really* want to keep the account privileges as a regular user but still have it install software, you'll have to spend money. And no small amount.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 40230655
What people often forget is that we can assign software to users. You could assign the setups to your support user and whenever he logs on to any computer he may then install them using appwiz.cpl->install programs from the network. He does not need admin rights and he will also be able to uninstall programs installed that way. http://technet.microsoft.com/en-us/library/cc783635(v=ws.10).aspx
0
 

Author Comment

by:eeyo
ID: 40231009
we can assign software to users.  You could assign the setups to your support user and whenever he logs on to any computer he may then install them using appwiz.cpl->install programs from the network.
This looks promising.  I am new to Group Policy, but I gave it a try but couldn't figure it out.  On the server (SBS 2011 Essentials), I have opened up Group Policy Management > Forest mydomain.local > Domains > mydomain.local ...  now I have these options:
Default Domain Policy
Domain Controllers
Users (mydomain)
Group policy objects
WMI Filters
Starter GPOs
I edited the Default Domain Policy to add the software, rebooted the server, rebooted client desktop (Win 7 Pro), but no love.  Nothing appeared using appwiz.cpl->install programs from the network.
Any thoughts?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40231052
Two mistakes: first, use an extra policy, otherwise anyone will be able to install. Second, configure it in the user policy part.
0
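The setup described in the last comment (a separate policy rather than the Default Domain Policy, scoped to the support account and configured on the user side), as an added example that is not part of the original thread. The GPO name and the account name `supportuser` are assumptions; the domain DN is derived from the `mydomain.local` name the asker gives.

```powershell
# Run on the server in an elevated PowerShell session.
# Uses the GroupPolicy module that ships with the Group Policy Management console.
Import-Module GroupPolicy

# Assumed values, replace with your own.
$GpoName     = 'Software Install - Support User'   # hypothetical GPO name
$SupportUser = 'supportuser'                       # hypothetical account name
$DomainDN    = 'DC=mydomain,DC=local'              # from mydomain.local in the thread

# 1. Create a dedicated GPO; leave the Default Domain Policy untouched.
$gpo = New-GPO -Name $GpoName -Comment 'User-targeted software installation'

# 2. Only the user half is needed, so disable the computer half of this GPO.
$gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::ComputerSettingsDisabled

# 3. Security filtering. A new GPO lets Authenticated Users read AND apply it,
#    which is why everyone would get the installers. Downgrade them to read-only
#    and grant "apply" to the support account alone.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $SupportUser `
    -TargetType User -PermissionLevel GpoApply

# 4. Link at the domain root; the filter above keeps it off every other user.
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes

# 5. Review who can apply the GPO before adding any package to it.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 6. There is no cmdlet for the package itself. Edit this GPO in Group Policy
#    Management and add it under:
#      User Configuration > Policies > Software Settings > Software installation
#    using a UNC path to the installer that the support account can read.

# 7. On a workstation, logged on as the support account:
#      gpupdate /force
#      gpresult /r /scope user    # the new GPO should appear under applied GPOs
```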


Question has a verified solution.
