Solved

Give Standard domain user  admin rights for a specific software

Posted on 2014-10-26
10
204 Views
Last Modified: 2014-11-15
Is there a way with software restriction policies to allow a domain user without admin rights to have admin rights to a specific software. There is one custom software that is constantly being updated because its in development and their are multiple users testing this client software. When an update is available it will pop up an update on the software and the user can click on it to run the update but you need admin rights to update it. I would like to create a gpo to do this and when the developer stops push updates every other day i can do the updates via software policies.
0
Comment
Question by:noclav
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 90

Accepted Solution

by:
John Hurst earned 500 total points
ID: 40405415
In general, no. Rights are not a function of software, so what you want is not natively available.

You can try Power Broker for Windows which is an add-on product that I think will do this for you.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40405572
Add the user to the local Administrators group. That way they have access to install software on the local computer only and not on the rest of the domain. (note they also have the ability to screw the workstation. but thats fixable .
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40405574
A standard (uninformed) user takes about 1 working day to wreck a computer when they are made administrator. I do not recommend this.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40405580
Would you be using a standard uninformed user to test your software ??.

Alternatively create a user with local admin right and give the user the account details.  (That way when it prompts them they have a non Domain account to perform the install).

There is a fine line between security and productivity.  If your doing this sort of testing on live production systems one must assume you have build the systems to have quick recovery. Eg  Image restore with automatically deployment of required application.  If you do not I recommend you do not test software on live systems.
0
 

Author Comment

by:noclav
ID: 40405619
Im in a situation where the owner wants the users to have admin rights so she doesnt have to go to every ones machine. Im shocked by now you would think there is a way with group policy. As for testing on production this is a small client software and the owner first installs up on her machine then the users. Of there is no way how do you admins in big enterprises handle this situation.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40405629
John's response has linked the powerbroker product. It exists because there is no other built-in way to give admin rights per application.
The "fine line between security and productivity" is certainly crossed by making him local admin, this should be the very last resort and not applied in such a situation. Updates can be scripted - if the manufacturer foresees no way to do updates
-scripted or
-using an update service or
-using software packages
than such software should be avoided from a security standpoint.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40405639
Big enterprises do not have the situation you have as They are locked down and have dedicated testing procedures. However small businesses have different requirements and its can be prohibitive in productivity locking down machines excessively. At the end of the day your job is to provide the client what he wants. As the software mentioned does not provide or comply with the recommendations mentioned above. ( Please note I am not advocating Liberal security) However you can easily grant users admin right to a machine with out compromising the network and further infrastructure. If you have set and monitor the network correctly.

As this is a small business and the client does not have the time or money to implement best security practices.

Talk to the client explain the situation and let them accept responsibility. Your job at the end of the day is to provide the client with what they what while straddling that line of productivity vs security.

The question is how much time do you want to spend on this (and more importantly how much is the client going to pay you to do this.) Your job is to inform management with the options and your recommendation. Its managements job to decide on the level of security and consequences they will accept. If you keep them informed generally they will make the best decision they can afford. Small businesses make bigger compromises than Large ones. Finding the balance can be tricky

As above I recommend all the really good security advice provided and recommend following it  were reasonably practical.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40405653
I don't see why this should be a question of small vs. big. If you are small you cannot afford to have your machines at risk just as you could not if you were big. The bigger companies will have other methods to achieve that, sure.
"At the end of the day your job is to provide the client what he wants" - sure, agreed. Now imagine you would be made responsible for some security incident that happened because you made users local admins - and please, anybody should know how dangerous that is. Just an example: would you like to see your license keys sold on ebay? Local admins can read out many license keys that normal users can't. Would you like to risk that local admins go about and install keyloggers to get at network administrator's credentials and do whatever they like with those? Nope, surely not. But local admins can install keyloggers. Be it a big or a small company, this is nothing we should recommend.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40405687
Its not a question of small and big its a question and advising the client and allowing them to make an informed choice.

Unless you can provide a recommendation to the problem.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40445014
@noclav  - Thank you and I was happy to help.
0

Join & Write a Comment

In our personal lives, we have well-designed consumer apps to delight us and make even the most complex transactions simple. Many enterprise applications, however, are a bit behind the times. For an enterprise app to be successful in today's tech wo…
The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now