MrMay asked:

user permissions

I have a user who is a member of Active Directory (Server 2008). His workstation is Windows 7.
I need to give him permissions to install his own software updates (he has an electrical program that has updates randomly throughout the month that need admin privileges to install). Now, I don't want to make him an admin.
I was thinking of adding his Active Directory user account to the "power users" group on his local computer.
That should allow him to run his own updates on his machine, right?
Will this give him permissions to make changes to other network-based systems or just changes to his local computer?
Is there a better, more secure way of doing this?

pjam:

Local Administrator or Power User have no permissions to the network or AD, only his computer.

Also, Power User was deprecated in Windows 7 and has no effect. The user must be Administrator of their computer or else they cannot install software.

Better to leave the user as Standard and install the software for him.

For some environments, Power Broker from Beyond Trust provides additional permissions through a GPO-like structure.
Why not just add him to the Administrator group on his own PC? This will only give him administrative rights on his own PC.
That gives the user full rights to do whatever they want and install anything they want.  If you grant full rights to the program's install folder and any necessary registry keys, the user is locked down to that one application.

It's the least rights principle.  Don't give the user more than they need and they'll break less.
Most people really do not know how to properly use a computer with administrator rights and I really do not recommend that.
install folder and any necessary registry keys, the user is locked down to that one application.

Programs could have several hundred registry files and this would be a nightmare to apply permissions and not miss any, as they could be spread all over the registry. Also, applications use the Windows Trusted Installer, which can only be launched by an administrator or service account. So doing something like what you have suggested will likely not work. Simply setting permissions on a directory is not the same thing as installing or patching the software.

Active Directory natively does not have any means for "whitelisting" applications to the end users. You can, however, take a look at Privilege Authority and/or Desktop Authority, which is an add-on to your Group Policy infrastructure.

This is now a Dell Software product

MrMay:


Hello Will,
I'm assuming that Privilege Authority 2.7 is not a free program, is it?
Also, if I do install it on my Domain Controller, do I need to install it on all my other ones as well if I have replication set between 2 Domain Controllers?
This is a Dell product, so not FREE! LoL. However, this integrates into Group Policy, so you would have like a management server for Privilege Authority which would then hook in to Group Policy. I have used this back in the day when ScriptLogic invented this, which was then purchased by Dell a few years back.

I cannot give you all of the technical details on this as it has been a while and I am sure they have made changes since Dell purchased this. If you are willing to spend the money, I am sure that it will come with some sort of Support Agreement as well.

You could possibly get a trial version which you could use to test before you purchase. I am sure they will be able to support you if you have any type of technical questions or issues setting it up. Even a possible demo.

Happy to have helped.
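
An added example, not part of the original thread: the approach suggested above of granting a standard user rights on one program's install folder and registry key, then reading the ACL back to confirm what was granted. The account name, folder and key are hypothetical placeholders, and it assumes the program's updater writes only to those two locations.

```powershell
# Run from an elevated PowerShell prompt on the user's workstation.
# Placeholders (assumptions, not from the thread): replace all three.
$User      = 'EXAMPLE\jdoe'
$AppFolder = 'C:\Program Files\ExampleApp'
$AppRegKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

function Grant-AppAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [string]$RuleType,     # FileSystemAccessRule or RegistryAccessRule
        [string]$Rights,
        [string]$Inheritance   # which child objects inherit the ACE
    )
    if (-not (Test-Path -Path $Path)) { throw "Not found: $Path" }
    $acl  = Get-Acl -Path $Path
    # Explicit allow ACE for one account; existing ACEs are left in place.
    $rule = New-Object -TypeName "System.Security.AccessControl.$RuleType" `
        -ArgumentList $Identity, $Rights, $Inheritance, 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AppAccess {
    # Read the ACL back and return only the ACEs that name this account.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# The thread says "full rights"; Modify is used here as an assumption because
# it allows writing and deleting files but not changing the ACL itself.
Grant-AppAccess -Path $AppFolder -Identity $User `
    -RuleType 'FileSystemAccessRule' -Rights 'Modify' `
    -Inheritance 'ContainerInherit,ObjectInherit'

# Registry keys are containers only, so the ACE is inherited by subkeys.
Grant-AppAccess -Path $AppRegKey -Identity $User `
    -RuleType 'RegistryAccessRule' -Rights 'ReadKey,WriteKey,Delete' `
    -Inheritance 'ContainerInherit'

# Review what the account now holds on each object.
Get-AppAccess -Path $AppFolder -Identity $User | Format-List
Get-AppAccess -Path $AppRegKey -Identity $User | Format-List
```

The account stays a standard user, so an update that writes anywhere outside these two locations will still prompt for administrator credentials.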