none
How could I allow selected Domain users or Computers to install programs and not be asked for Admin credentials.

    Question

  •  We have a handfull of Laptops in the company. They are all joined to our

    Domain. The default domain policy keeps these non-adminstrators from installing

    software without prodiving the administrator credentials for the domain. We have a

    few users that we would let install programs but would prefer not to make administrators.

    I have been all over the place searching for solutions. Is there an actual field to allow this

    in Group Policy? All the suggestions I have seen have dead-ended on me....Any thoughts.

    Server is Windows 2003R2 and clients are all WIndows 7 Pro. Again, at this point I would like

    to be able to allow specified computers this right.

    Saturday, April 12, 2014 5:26 PM

Answers

  • Make the domain user a member of the local power users group.

    http://support.microsoft.com/kb/243330/en-us

    • Name: Power Users
      Description: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.

    Saturday, April 12, 2014 5:39 PM
  • Power Users Group solves your problem and introduce another one because a member of the Power Users group could install a malicious program or a DLL, and they are able to gain administrator rights and permissions according to this article:

    http://support.microsoft.com/kb/825069

    Otherwise you can use Group Policy to Publish Software packages, then the software will appear in Add/ Remove programs in control panel and will be able to install any application without administrative rights.

    For more information about Assigning and Publishing Software using GPO:

    http://technet.microsoft.com/en-us/library/cc783635(v=ws.10).aspx

    Housam


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Saturday, April 12, 2014 7:07 PM
  • Yes that's right..

    If you don't have s custom set of applications and you have a lot of roaming users, then you can't use GPO to install applications anytime. Otherwise local Administrators is the only solution for your case. But surly it will be at security risk.

    Regards,


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Sunday, April 13, 2014 5:00 PM

All replies

  • Make the domain user a member of the local power users group.

    http://support.microsoft.com/kb/243330/en-us

    • Name: Power Users
      Description: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.

    Saturday, April 12, 2014 5:39 PM
  • Power Users Group solves your problem and introduce another one because a member of the Power Users group could install a malicious program or a DLL, and they are able to gain administrator rights and permissions according to this article:

    http://support.microsoft.com/kb/825069

    Otherwise you can use Group Policy to Publish Software packages, then the software will appear in Add/ Remove programs in control panel and will be able to install any application without administrative rights.

    For more information about Assigning and Publishing Software using GPO:

    http://technet.microsoft.com/en-us/library/cc783635(v=ws.10).aspx

    Housam


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Saturday, April 12, 2014 7:07 PM
  • Based on what I have found Power Users group has no added user rights in Windows 7:

    From http://technet.microsoft.com/en-us/library/cc771990.aspx:

    By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.

    So despite the caution it does not  seem like an option. As for Publishing Software, if the user needs to install something "on the fly" that will not work. I guess i could just add to the administrator group as needed in order to install programs then remove. Now the user is remote operationg on cached credentials. Would then not need to come to the domain and log in locally in order to update their security tokens.

    Sunday, April 13, 2014 11:55 AM
  • Yes that's right..

    If you don't have s custom set of applications and you have a lot of roaming users, then you can't use GPO to install applications anytime. Otherwise local Administrators is the only solution for your case. But surly it will be at security risk.

    Regards,


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Sunday, April 13, 2014 5:00 PM