How to create a Domain Admin with fewer rights

  • Question

  • Hello everyone, I am working on a network where IT support staff need to be administrators in order to install legitimate software. I don't want their accounts to be elevated to domain admins, as I don't want them to have full administrative rights. I have tried using GPO to enable them to perform certain activities; it works only on their computer, but they need to be at customer point with an administrative password. I need feedback ASAP. Thanks
    Thursday, March 24, 2016 10:54 AM

Answers

  • Hi

     To allow software installation on the domain machine, you need to give a particular group local admin group membership. So you can create a group, add the users to this group, and configure a "Restricted Groups" GPO to add this group to the client computers' "local administrators group".

    Restricted Groups Policy

    http://www.frickelsoft.net/blog/?p=13

    https://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    • Proposed as answer by Jay Gu Wednesday, April 6, 2016 9:46 AM
    • Marked as answer by Amy Wang_ Thursday, April 7, 2016 8:41 AM
    Thursday, March 24, 2016 11:23 AM
  • Hi,

    Just to confirm, is it for local or domain admin?

    You can delegate normal users to have elevated privileges by selecting the OU and its objects.

    However, to give software installation permission on the domain machine, you need to be part of local admin group membership.

    You can use Group Policy Preferences to add a particular group to the local Administrators group on all the computers, or use a Restricted Groups policy.

    http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx


    Devaraj G | Technical solution architect

    • Proposed as answer by Jay Gu Wednesday, April 6, 2016 9:46 AM
    • Marked as answer by Amy Wang_ Thursday, April 7, 2016 8:41 AM
    Thursday, March 24, 2016 11:23 AM
  • Hi,
     
    On 24.03.2016 at 11:54, Nwambo Barikpoa wrote:
    > I don't want their account to be elevated as domain admins
     
    Make them members of the local Administrators group on the
    particular machine(s).
    You can use GP\Restricted Groups or GPP\Local Users and Groups.
     
    > as I don't want them to have full administrative rights.
     
    That is not possible, because this depends on the software to be
    installed. Software installation is an admin task. End of story.
     
    Much better way:
    Deploy your software with a deployment solution (e.g. WSUS + WSUS Package
    Publisher) and no one needs admin rights to install software.
     
    If you give them rights like the old powerusers group in XP, you will
    see some software can be installed, some can not.
    But if you give me permissions like a poweruser, it only takes 2 minutes
    to get administrative rights at all.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Proposed as answer by Jay Gu Wednesday, April 6, 2016 9:46 AM
    • Marked as answer by Amy Wang_ Thursday, April 7, 2016 8:41 AM
    Thursday, March 24, 2016 11:36 AM

All replies

  • Hi,

    I agree with above.

    To install software on a domain machine with a domain user, you need to add these accounts to the local Administrators group of these machines.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 24, 2016 12:49 PM
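
The answers above recommend putting support staff in a dedicated group and adding that group to the local Administrators group through Restricted Groups or Group Policy Preferences. The following is an added example, not code from the thread, that checks on a client whether the policy produced the intended membership and nothing more. The group names `CONTOSO\IT-Support-LocalAdmins` and `CONTOSO\Domain Admins` and the function name are hypothetical; it assumes Windows PowerShell 5.1, which provides `Get-LocalGroupMember`.

```powershell
# Added example: audit the local Administrators group on this computer.
# All domain and group names below are hypothetical placeholders.
function Test-LocalAdminMembership {
    [CmdletBinding()]
    param(
        # The group that the Restricted Groups / GPP policy should add.
        [Parameter(Mandatory)]
        [string]$SupportGroup,

        # Other principals that are expected to be local administrators.
        [string[]]$AlsoAllowed = @()
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup also works on localized Windows where the group name differs.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)

    $allowed = @($SupportGroup) + $AlsoAllowed

    $unexpected = @($members | Where-Object {
        # The built-in local Administrator account always has RID 500.
        $isBuiltinAdmin = ($_.PrincipalSource -eq 'Local') -and
                          ($_.SID.Value -match '-500$')
        # -notcontains compares names case-insensitively.
        (-not $isBuiltinAdmin) -and ($allowed -notcontains $_.Name)
    })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        # False means the policy has not applied to this machine yet.
        SupportGroupPresent = ($members.Name -contains $SupportGroup)
        # Anything listed here was added outside the policy, for example
        # a support user added directly instead of through the group.
        UnexpectedMembers   = @($unexpected | ForEach-Object { $_.Name })
    }
}

# Run on a client after 'gpupdate /force' to confirm the result.
Test-LocalAdminMembership -SupportGroup 'CONTOSO\IT-Support-LocalAdmins' `
                          -AlsoAllowed  'CONTOSO\Domain Admins'
```

A non-empty `UnexpectedMembers` list on a machine covered by a Restricted Groups policy usually means the policy is not reaching that machine, since Restricted Groups replaces the membership on each refresh.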