Allow limited users to install software by group policy

    Question

  • I need to allow a limited user (domain user) to: 1. Install software. 2. Access and modify regedit. 3. Access and modify system variables. I need to do this with Group Policy and without adding the user to the local Administrators group on the desktop. I need the settings to be applied wherever the user is logged on (any machine in the domain).
    Tuesday, June 09, 2009 2:16 PM

Answers

  • As said, allowing "Software installation". You could allow those users access to literally all registry keys and file system places except the user profiles of other users - not a good idea. If user profiles/data is the only concern for local admins of those supporters, think about redirecting user data to a server and secure them there (just a suggestion).

    Software Installation can be done using Computer startup scripts. You basically create a script and call the installer. The installer must obviously be capable of running quietly - you might wanna test that. Using computer startup scripts to deploy software, the script (and therefore the installer) runs in the SYSTEM context (hence privileged to install any kind of software).

    As for system variables, you can do that with Group Policy Preferences: http://technet.microsoft.com/en-us/library/cc772047.aspx. If you need a read-up for Group Policy Preferences, see: http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790

    Cheers,
    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, June 09, 2009 7:54 PM
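
An added example, not code from the thread's participants: a PowerShell computer startup script for the approach in the answer above. Because the script runs as SYSTEM, it pins the installer's SHA-256 so a file that was changed on the share is not executed. The share path, product code, hash and log folder are hypothetical placeholders, and the share is assumed to be readable by the computer accounts and writable only by administrators.

```powershell
# Added example: computer startup script (runs in the SYSTEM context).
# All paths and identifiers below are hypothetical placeholders.
$ErrorActionPreference = 'Stop'

$SourceMsi      = '\\fileserver.example.local\deploy$\HRApp\HRApp.msi'  # hypothetical share
$ExpectedSha256 = '<SHA256-OF-APPROVED-MSI>'                            # placeholder
$ProductCode    = '{00000000-0000-0000-0000-000000000000}'              # placeholder MSI product code
$LogDir         = Join-Path $env:SystemRoot 'Logs\HRAppDeploy'

# Idempotency: do nothing if the product is already registered (64- or 32-bit view).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($root in $uninstallRoots) {
    if (Test-Path -LiteralPath (Join-Path $root $ProductCode)) { exit 0 }
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Stage a local copy in a fresh directory so the bytes that are hashed
# are the same bytes that msiexec installs.
$stage    = Join-Path $env:SystemRoot ('Temp\' + [guid]::NewGuid())
$localMsi = Join-Path $stage 'HRApp.msi'
$exitCode = 0

try {
    New-Item -ItemType Directory -Path $stage | Out-Null
    Copy-Item -LiteralPath $SourceMsi -Destination $localMsi

    $actual = (Get-FileHash -LiteralPath $localMsi -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {   # -ne is case-insensitive for strings
        throw "Hash mismatch for $SourceMsi (got $actual); not installing."
    }

    # /qn = no UI, which a startup script requires; /l*v = verbose log.
    $msiArgs = @('/i', "`"$localMsi`"", '/qn', '/norestart', '/l*v', "`"$LogDir\install.log`"")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success, reboot required.
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode)" }
}
catch {
    Add-Content -Path (Join-Path $LogDir 'deploy-errors.log') -Value "$(Get-Date -Format o) $_"
    $exitCode = 1
}
finally {
    Remove-Item -LiteralPath $stage -Recurse -Force -ErrorAction SilentlyContinue
}
exit $exitCode
```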

All replies

  • Hello,

    you can use restricted groups via GPO to add a user account to the power users group on the local computers, maybe that is enough. But I think all those options you specify need local admin permissions.


    See here about using restricted groups:
    http://www.frickelsoft.net/blog/?p=13
    Best regards
    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, June 09, 2009 4:53 PM
  • I already added the user to the power user group, and I also enabled elevated privilege in GPO, but I couldn't install anything.
    Tuesday, June 09, 2009 5:52 PM
  • There's no permission "Install Software". A successful software installation depends on whether the user has sufficient permission on the registry keys and folders the installer wants to write to. If your PowerUser doesn't have permission to write into the system32 folder and the installer tries to, installation will fail.

    You're best off rolling that software out automatically. If it's just one user and one app on one machine, grant the user temporarily administrative access to the machine or - better yet - install the software yourself.

    What is the scope of this software installation? How many machines are affected?

    Cheers,
    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, June 09, 2009 6:19 PM
  • There are some users who will support a customized application for the HR department. They have to install SW and edit the registry and system variables. Till now 3 machines, but adding the user as local administrator is not accepted by my manager.
    He wants to use Group Policy to apply these settings (giving local admin on the machines will give these users access to other users' files, which might be confidential).
    The registry problem is solved by allowing the registry edit in GPO.
    The only problem now is the installation and system variables.
    Tuesday, June 09, 2009 6:29 PM