We help IT Professionals succeed at work.

how can I allow domain users to install/update software on their own PC, but have no admin rights to the domain?

how can I allow domain users to install/update software on their own PC, but have no admin rights to the domain?
Comment
Watch Question

Director, SD-WAN Solutions
BRONZE EXPERT
Commented:
Add them to the local administrators group on the computer
Hello ThereSystem Administrator
BRONZE EXPERT
Distinguished Expert 2018
Commented:
You can push the software via GPO and you do not have to give them local admin rights.
Mal OsborneAlpha Geek
BRONZE EXPERT
Commented:
Another possibility is to add INTERACTIVE user to the admin group on each PC. This means that any user logged onto that machine has local admin rights, but they don't have any rights to other machines.

If you add a user to a the administrators group, then they have admin access to that machine across the LAN.
DamianIT inc
Commented:
Just enable local administrator on the workstation, set a password, and give the user on that workstation the local administrator password.
Jackie Man IT Manager
SILVER EXPERT
Distinguished Expert 2019
Commented:
Log on with domain admin account on the user PC. Right-click Computer and select Manage.

Expand the tab of Local Users and Groups and click Groups folder. Double-click Administrators and add the user as a Member.

Local Administrator
The above are the steps to add a domain user as a local administrator of a PC but it is not a good practice to do so as the users can install any software on their own unless you have application whitelisting control in place. It is pretty easy to get malware installed if the domain users are local administrators also.
Shaun VermaakSenior Consultant
SILVER EXPERT
Awarded 2017
Distinguished Expert 2019
Commented:
and if anyone requires admin rights on all devices, follow this process below. Nobody should have DA rights except AD admin
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html
Giridhara Raam MDigital Marketing Specialist
Commented:
Try using self service portal feature in ManageEngine Desktop Central, which may help installing updates and deploying patches to the end users from centralised location.
SILVER EXPERT
Distinguished Expert 2019
Commented:
An old topic, evergreen.

The author should be clear on whether there are security concerns about making them local admins (not domain admins, of course).

What hasn't been mentioned, yet: you can use GPOs not only to deploy software, but even to make it installable on demand, without administrative rights. Caveat: is of course: this needs to be prepared in advance and is unusable for situations where a user decides, he needs a certain software right now.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.