user permissions

I have a user who is a member of Active Directory (server 2008). His workstation is windows 7.
I need to give him permissions to install his own software updates (he has an electrical program that has updates randomly throughout the month that needs admin privileges to install) .. Now I don't want to make him an admin.
I was thinking of adding his Active directory user account to the "power users" group on his local computer.
That should allow him to run his own updates on his machine, right?
Will this give him permissions to make changes to other network based systems or just changes to his local computer?
Is there a better more secure way of doing this?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Local Administrator or Power User have no permissions to the network or AD, only his computer.
Scott CSenior EngineerCommented:
One thing I've done in cases like this in the past that sometimes has worked is to grant the user full access to the install folder for that application.  That way they can make any changes they need to that folder and that folder only.

Now if the updates require making changes to the registry, you can also grant access to specific entries there as well.

This way he can't "go rogue" and install anything he wants onto his machine.  It will be a very targeted way of doing it.

It's more secure and focused than giving him Local Admin or Power User status of his machine.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JohnBusiness Consultant (Owner)Commented:
Also, Power User was deprecated in Windows 7 and has no effect. The user must be Administrator of their computer or else they cannot install software.

Better to leave the user as Standard and install the software for him.

For some environments, Power Broker from Beyond Trust provides additional permissions through a GPO-like structure.
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

Why not just add him to the Administrator group on his own PC? This will only give him administrative rights on his own PC.
Scott CSenior EngineerCommented:
That gives the user full rights to do whatever they want and install anything they want.  If you grant full rights to the program's install folder and any necessary registry keys, the user is locked down to that one application.

It's the least rights principle.  Don't give the user more than they need and they'll break less.
JohnBusiness Consultant (Owner)Commented:
Most people really do not know how to properly use a computer with administrator rights and I really do not recommend that.
Will SzymkowskiSenior Solution ArchitectCommented:
install folder and any necessary registry keys, the user is locked down to that one application.

Programs could have several hundred registry files and this would be a nightmare to apply permissions and not miss any as they could be spread all over the registry. Also applicaitons use the windows Trusted Installer which can only be launched by an administrator or service account. So doing something like what you have suggested will likely not work. Simply setting permissions on a directory is not the same thing as installing or patching the software.

Active Directory natively does not have any means for "whitelisting" applicaitons to the end users. You can however take a look at Privildge Authority and/or Desktop Authority, which is an add-on to your Group Policy Infeastructure.

This is now a Dell Software product

MrMayAuthor Commented:
Hello Will,
I'm assuming that Privilege Authority 2.7 is not a free program, is it?
also if I do install it on my Domain Controller do I need to install it on all my others ones as well if I have replication set between 2 Domain Controllers?
Will SzymkowskiSenior Solution ArchitectCommented:
This is a Dell Product so not FREE! LoL. However this integrates into Group Policy so you would have like a management server for Privilege Authority which would then hook in to Group Policy. I have used this back in the day when Script Logic invented this which was then purchased by Dell a few years back.

I cannot give you all of the technical details on this as it has been awhile and i am sure they have made changes since Dell purchased this. If you are willing to spend the money i am sure that it will come with some sort of Support Agreement as well.

You could possibly get a trial version which you could use to test before you purchase. I am sure they will be able to support you if you have any type of technical questions or issues setting it up. Even a possible demo.

Scott CSenior EngineerCommented:
Happy to have helped.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.