AD User privileges

I have a Windows 2008R2 as domain controller with an active directory.
Some have domain user rights but I need them to be able to make registry changes on their workstations, install software and run certain apps. What rights can I give a domain user to be able to do that without giving them "admin" rights?

Registry changes can be done through GPOs, that should be no reason for any privilege changes.
Installing software - that depends. GPOs can deploy software automatically disregarding user rights, but for example applying patches to a program needs patches in an already deployable form and preparation time... that makes it difficult to succeed here. We cannot use Windows to delegate install permissions securely. That is only possible with third party management software like Powerbroker.
Running "certain apps" again will mean you have apps that only run when admin - these apps should be substituted for compatible ones. If you can't afford that, again Powerbroker is your best and most secure bet.
lcipollone (Author) commented:
I understand all of that but it's really hard to explain and complicated. Let me put it this way...
1) What's the highest user right I can give a domain user but not administrator?
2) How can I give a user admin rights to only 1 machine via group policy?
The registry has a similar security base as the Windows file systems. You could log in as an administrator on the machine and give the user permissions to the specific key/folder you require them to change.

The above would be my suggestion. You could even set up a local "registry group" on each PC and allow that group to edit the keys you need them to. From there all you need to do is add the user that needs to edit these keys to the local group you created.

Alternatively you can allow users to edit the registry through the GPO by changing their permissions.
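
The local "registry group" approach from the answer above, sketched in PowerShell as an added example (not part of the original answer). The group name, key path and user account are placeholders chosen for illustration; the script is meant to be run elevated on the workstation and grants write access to one key only, without the rights that would let members change the key's permissions or owner.

```powershell
# Added example. All three values below are hypothetical placeholders.
$GroupName = 'Registry Editors'                          # local group to create
$KeyPath   = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # the one key users may edit
$Member    = 'EXAMPLE\jdoe'                              # domain user to delegate to

# Create the local group only if it does not exist yet, then add the user.
# net.exe is used so this also works on older PowerShell versions.
& net.exe localgroup $GroupName 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    & net.exe localgroup $GroupName /add /comment:"May edit $KeyPath"
}
& net.exe localgroup $GroupName $Member /add

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# Read and write values and subkeys. Delete, ChangePermissions and
# TakeOwnership are left out on purpose so members cannot re-ACL the key.
$rights = [System.Security.AccessControl.RegistryRights]`
    'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, ReadPermissions'

$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    "$env:COMPUTERNAME\$GroupName",
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the rule to the existing ACL instead of replacing the ACL,
# so the inherited and default entries on the key are preserved.
$acl = Get-Acl -Path $KeyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Show the resulting entry for review.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

Before delegating a key under HKLM, check that nothing running with higher privileges reads executable paths or load settings from it, since write access to such a key is effectively an elevation path.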

lcipollone (Author) commented:
Great answers, thanks!