Solved

How do I give a regular user privileges to install and uninstall programs on various workstations without giving full admin rights?

Posted on 2014-07-29
Last Modified: 2014-12-02
I would like to allow a specific user the ability to periodically install/uninstall applications on Windows 7 Pro workstations without giving full admin rights. The server is SBS 2011 Essentials. I am a relative newbie to administering the server, so I may need a step-by-step starting from being logged into the server.
Question by:eeyo
5 Comments
 
LVL 10

Expert Comment

by:Scott Thomson
ID: 40228290
There aren't many ways to do this.

The easiest is to create a -p account (-p stands for privilege).
You can add the -p account to those specific machines with no other permissions attached to it (e.g. no network drives or permissions on the file server), and the user can Shift + right-click to get "Run as", and then he can uninstall things.

This will allow full permissions on this account to those machines, but if he just uses "Run as" then he will not really get to use the full permissions.

The advantage of this method is you can specify each machine he can use the -p account on, and if used correctly it will minimise the chances of allowing him to screw something up.
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40228291
Keep in mind that there is a BBBIIIGGG difference between local admin rights and domain admin rights. To install programs, by far the easiest way is to add the user to the *local* admin group for the machine you want software installed on. They won't have domain admin privileges at all.

Realistically, while you could try to get away with less, the rights that it takes to install software (registering DLLs, etc.) are so expansive that any attempt to lock the account down would be easily surpassed anyway. So there isn't much reason to not just go local admin.

Now there *are* 3rd party utilities that use impersonation tokens to keep the account truly secure. But Windows provides no native way to do this. So if you *really* want to keep the account privileges as a regular user but still have it install software, you'll have to spend money. And no small amount.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40230655
What people often forget is that we can assign software to users. You could assign the setups to your support user, and whenever he logs on to any computer he may then install them using appwiz.cpl -> install programs from the network. He needs no admin rights and he will also be able to uninstall programs installed that way. http://technet.microsoft.com/en-us/library/cc783635(v=ws.10).aspx
0
 

Author Comment

by:eeyo
ID: 40231009
"we can assign software to users. You could assign the setups to your support user, and whenever he logs on to any computer he may then install them using appwiz.cpl -> install programs from the network."
This looks promising.  I am new to Group Policy, but I gave it a try but couldn't figure it out.  On the server (SBS 2011 Essentials), I have opened up Group Policy Management > Forest mydomain.local > Domains > mydomain.local ...  now I have these options:
Default Domain Policy
Domain Controllers
Users (mydomain)
Group policy objects
WMI Filters
Starter GPOs
I edited the Default Domain Policy to add the software, rebooted the server, rebooted client desktop (Win 7 Pro), but no love.  Nothing appeared using appwiz.cpl->install programs from the network.
Any thoughts?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40231052
Two mistakes: first, use an extra policy, otherwise anyone will be able to install. Second, configure it in the user policy part.
0
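The two corrections in the reply above (a separate policy, scoped so that not everyone can install, and configured on the user side) can be set up from PowerShell on the server. This is an added example, not part of any poster's reply. The GPO name and the `supportuser` account are assumed names, and the domain DN is derived from the `mydomain.local` shown in the question.

```powershell
# Added example. Run on the server in an elevated PowerShell session.
# Assumed names: GPO "Support Software Install" and account "supportuser".
# mydomain.local is the domain named in the question.
Import-Module GroupPolicy

$GpoName     = 'Support Software Install'   # hypothetical GPO name
$SupportUser = 'supportuser'                # hypothetical support account
$DomainDn    = 'DC=mydomain,DC=local'

# 1. A separate GPO, so the Default Domain Policy stays untouched.
$gpo = New-GPO -Name $GpoName -Comment 'User-assigned software for the support account only'

# 2. Only the user half of the policy is used; switch the computer half off.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 3. Security filtering: Authenticated Users may read the GPO but not apply it,
#    and only the support account is granted Apply.
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermissions -Name $GpoName -TargetName $SupportUser `
    -TargetType User -PermissionLevel GpoApply

# 4. Link at the domain root so the policy follows the account to any workstation.
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes

# 5. Review the resulting filter: exactly one trustee should hold GpoApply.
Get-GPPermissions -Name $GpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
```

The packages themselves are then added in the Group Policy editor under User Configuration > Policies > Software Settings > Software installation of this GPO. After logging on to a workstation as the support account, `gpresult /r /scope user` shows whether the GPO was applied.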
