Allow non-admin users (without being local admin) the rights to install any software they choose without elevation, not just deployed MSIs etc.

    Question

  • Is this possible? I'm going greyer by the minute.

    I really need to allow non-admin users or a group of domain users (without being local admin) the rights to install any software they choose, not just deployed MSIs etc.

    All software installations require elevated permissions by a domain admin to install however,

    We have testers and dev guys that we need to allow to install any lil pieces of software all the time to test out product without me elevating the permissions every time.

    All users are not to be local administrators on any pc.

    (have seen and tested a script that can make local admin domain admin in seconds :0/ little worrying considering all the security we have) .

    I've trawled the internet and can't seem to find any way to do this on Server 2012.

    Seems silly to have only domain admins that can elevate to install software???

    I'll make a hero out of anyone who can solve this or help me out in any way.

    All the best, G

    Thursday, October 6, 2016 10:40 AM

Answers

  • It isn't possible to install traditional software (exes, MSIs, etc.) without the user being a local admin. Because this software writes to many locations, the user has to have permission to write to these locations. Local admins have that permission. The newer APPX model gets around this by loading software into self-contained files and installing them in the user profile.


    If my answer helped you, check out my blog: Deploy Happiness

    Thursday, October 6, 2016 11:23 AM
  • There are workarounds though. All of which will make your environment less secure. First, you could use Group Policy Local Users and Groups to make users an admin on their computer only when they are logged in (see: https://deployhappiness.com/clever-way-manage-administrative-rights-regular-users/). I learned this from: http://evilgpo.blogspot.com/

    Second, you could use a solution like LAPS (https://www.microsoft.com/en-us/download/details.aspx?id=46899) and provide the developers that local admin password. It would be unique to their machine and would change on a regular basis.

    Finally, you can make your users a member of the Hyper-V Administrators group and let them spin up their own test VMs. They could trial their software here without it affecting your domain. This requires your computers to be Windows 8 or higher.



    Thursday, October 6, 2016 11:27 AM
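Each of the workarounds in the answer above widens local privilege, so it helps to check regularly who actually holds it. The following is an added example, not part of the original thread: a PowerShell check that compares membership of the local Administrators and Hyper-V Administrators groups against an approved list. The function names, the `CONTOSO` and `PC01` principals, and the sample rows are constructed for illustration.

```powershell
# Added example: flag unexpected members of the local groups named in the answer.
# The function names, allow-list entries and sample rows below are constructed.

function Find-UnexpectedLocalPrivilege {
    param(
        # Objects with Group and Name properties.
        [Parameter(Mandatory)] [object[]] $Membership,
        # Hashtable: group name -> principals approved for that group.
        [Parameter(Mandatory)] [hashtable] $Approved
    )
    foreach ($row in $Membership) {
        # A group with no entry in $Approved has no approved members at all.
        $allowed = @($Approved[$row.Group])
        if ($allowed -notcontains $row.Name) {   # -notcontains is case-insensitive
            [pscustomobject]@{
                Group   = $row.Group
                Name    = $row.Name
                Finding = 'not on approved list'
            }
        }
    }
}

function Get-LocalPrivilegeMembership {
    # Live collection on the local machine; Get-LocalGroupMember ships with
    # the LocalAccounts module in Windows PowerShell 5.1.
    foreach ($group in 'Administrators', 'Hyper-V Administrators') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Group = $group; Name = $_.Name } }
    }
}

# Constructed allow-list and sample membership so the check runs offline.
$approved = @{
    'Administrators'         = 'PC01\Administrator', 'CONTOSO\Domain Admins'
    'Hyper-V Administrators' = 'CONTOSO\Dev-Testers'
}
$sample = @(
    [pscustomobject]@{ Group = 'Administrators';         Name = 'PC01\Administrator' }
    [pscustomobject]@{ Group = 'Administrators';         Name = 'CONTOSO\Domain Admins' }
    [pscustomobject]@{ Group = 'Administrators';         Name = 'CONTOSO\jsmith' }
    [pscustomobject]@{ Group = 'Hyper-V Administrators'; Name = 'CONTOSO\Dev-Testers' }
    [pscustomobject]@{ Group = 'Hyper-V Administrators'; Name = 'CONTOSO\contractor1' }
)

Find-UnexpectedLocalPrivilege -Membership $sample -Approved $approved | Format-Table -AutoSize
```

To run it against a real machine, pass `(Get-LocalPrivilegeMembership)` as `-Membership` instead of `$sample`.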

All replies

  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    Appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 11, 2016 7:50 AM
    Moderator
  • Thanks guys & Wendy, great answers. Sadly, looks like there is no easy answer though. Just glad I only have 100 users where I work, not 1000. Do larger companies really just have to type in domain admin details every time someone wants to install an exe without being a local admin? Seems mental.

    Anyway appreciate the time.

    Tuesday, October 18, 2016 1:39 PM
  • Hi,

    Indeed, considering the security of the environment and administrator accounts, we generally suggest keeping users more restricted when installing software.

    Best regards,

    Wendy



    Thursday, October 20, 2016 1:21 AM
    Moderator