Give Standard domain user admin rights for a specific software

Is there a way with software restriction policies to allow a domain user without admin rights to have admin rights to a specific software? There is one custom software that is constantly being updated because it's in development, and there are multiple users testing this client software. When an update is available it will pop up an update on the software and the user can click on it to run the update, but you need admin rights to update it. I would like to create a GPO to do this, and when the developer stops pushing updates every other day I can do the updates via software policies.
noclav Asked:
John, Business Consultant (Owner) Commented:
In general, no. Rights are not a function of software, so what you want is not natively available.

You can try Power Broker for Windows which is an add-on product that I think will do this for you.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition

Armenio Commented:
Add the user to the local Administrators group. That way they have access to install software on the local computer only and not on the rest of the domain. (Note they also have the ability to screw the workstation, but that's fixable.)
John, Business Consultant (Owner) Commented:
A standard (uninformed) user takes about 1 working day to wreck a computer when they are made administrator. I do not recommend this.
Armenio Commented:
Would you be using a standard uninformed user to test your software?

Alternatively, create a user with local admin rights and give the user the account details. (That way, when it prompts them, they have a non-domain account to perform the install.)

There is a fine line between security and productivity. If you're doing this sort of testing on live production systems, one must assume you have built the systems to have quick recovery, e.g. image restore with automatic deployment of required applications. If you do not, I recommend you do not test software on live systems.
noclav (Author) Commented:
I'm in a situation where the owner wants the users to have admin rights so she doesn't have to go to everyone's machine. I'm shocked; by now you would think there is a way with Group Policy. As for testing on production, this is a small client software and the owner first installs on her machine, then the users. If there is no way, how do you admins in big enterprises handle this situation?
McKnife Commented:
John's response has linked the PowerBroker product. It exists because there is no other built-in way to give admin rights per application.
The "fine line between security and productivity" is certainly crossed by making him local admin; this should be the very last resort and not applied in such a situation. Updates can be scripted - if the manufacturer foresees no way to do updates
- scripted or
- using an update service or
- using software packages
then such software should be avoided from a security standpoint.
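
An added example (not part of the original thread or any poster's code) of the scripted-update route mentioned above: a computer startup script assigned through Group Policy runs as Local System, so the standard users never need admin rights. The share, file names, registry key and certificate thumbprint are hypothetical placeholders, and it assumes the developer ships a signed MSI with a version file beside it.

```powershell
# Added example. Assign as a computer startup script via GPO (runs as Local System).
# Every path, key and thumbprint below is a hypothetical placeholder.
$Share       = '\\fileserver.example.local\ClientApp$'    # read-only for clients
$VersionFile = Join-Path $Share 'version.txt'             # assumed to hold e.g. 1.4.2
$Installer   = Join-Path $Share 'ClientApp.msi'
$Thumbprint  = 'PLACEHOLDER_DEVELOPER_CERT_THUMBPRINT'
$RegKey      = 'HKLM:\SOFTWARE\ExampleVendor\ClientApp'   # assumed to hold "Version"
$StageDir    = Join-Path $env:ProgramFiles 'ClientAppUpdater'  # not user-writable
$Log         = Join-Path $StageDir 'update.log'

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

try {
    New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
    $available = [version](Get-Content $VersionFile -TotalCount 1 -ErrorAction Stop).Trim()
    $installed = [version]'0.0'
    $prop = Get-ItemProperty -Path $RegKey -Name Version -ErrorAction SilentlyContinue
    if ($prop) { $installed = [version]$prop.Version }
    if ($available -le $installed) { Write-Log "Up to date ($installed)"; return }

    # Stage locally so the file that is verified is the file that gets installed.
    $staged = Join-Path $StageDir 'ClientApp.msi'
    Copy-Item -Path $Installer -Destination $staged -Force -ErrorAction Stop

    # Install only packages signed with the expected developer certificate.
    $sig = Get-AuthenticodeSignature -FilePath $staged
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        Write-Log "Refused package, signature status: $($sig.Status)"
        return
    }

    $msiArgs = "/i `"$staged`" /qn /norestart"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    Write-Log "Version $available, msiexec exit code $($proc.ExitCode)"
} catch {
    Write-Log "Update failed: $($_.Exception.Message)"
}
```

The share must grant read access to the computer accounts, because a startup script reaches the network as the machine rather than as the logged-on user.
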
Armenio Commented:
Big enterprises do not have the situation you have, as they are locked down and have dedicated testing procedures. However, small businesses have different requirements, and it can be prohibitive in productivity locking down machines excessively. At the end of the day your job is to provide the client what he wants. As the software mentioned does not provide or comply with the recommendations mentioned above. (Please note I am not advocating liberal security.) However, you can easily grant users admin rights to a machine without compromising the network and further infrastructure. If you have set and monitor the network correctly.

As this is a small business and the client does not have the time or money to implement best security practices.

Talk to the client, explain the situation and let them accept responsibility. Your job at the end of the day is to provide the client with what they want while straddling that line of productivity vs security.

The question is how much time do you want to spend on this (and more importantly, how much is the client going to pay you to do this). Your job is to inform management of the options and your recommendation. It's management's job to decide on the level of security and consequences they will accept. If you keep them informed, generally they will make the best decision they can afford. Small businesses make bigger compromises than large ones. Finding the balance can be tricky.

As above, I recommend all the really good security advice provided and recommend following it where reasonably practical.
McKnife Commented:
I don't see why this should be a question of small vs. big. If you are small you cannot afford to have your machines at risk just as you could not if you were big. The bigger companies will have other methods to achieve that, sure.
"At the end of the day your job is to provide the client what he wants" - sure, agreed. Now imagine you would be made responsible for some security incident that happened because you made users local admins - and please, anybody should know how dangerous that is. Just an example: would you like to see your license keys sold on eBay? Local admins can read out many license keys that normal users can't. Would you like to risk that local admins go about and install keyloggers to get at network administrator's credentials and do whatever they like with those? Nope, surely not. But local admins can install keyloggers. Be it a big or a small company, this is nothing we should recommend.
Armenio Commented:
It's not a question of small and big; it's a question of advising the client and allowing them to make an informed choice.

Unless you can provide a recommendation to the problem.
John, Business Consultant (Owner) Commented:
@noclav  - Thank you and I was happy to help.
Windows Server 2008

From novice to tech pro — start learning today.