How do you give AD users the ability to install programs without making them a domain admin?

  • Question

  • I need to give certain users in Active Directory the ability to install programs.  I added the users to the Administrators groups, however when I went to install a program, I kept getting a message saying that I don't have the rights to install.  

    If I add the user to the Domain Admin groups, then they are able to install programs, but that is giving the users way too much access rights.

     

    Tuesday, February 8, 2011 9:08 PM

Answers

  • Howdie!
     
    On 08.02.2011 22:08, The Black Rock wrote:
    > I need to give certain users in Active Directory the ability to install
    > programs. I added the users to the Administrators groups, however when I
    > went to install a program, I kept getting a message saying that I don't
    > have the rights to install.
    >
    > If I add the user to the Domain Admin groups, then they are able to
    > install programs, but that is giving the users *way* too much access rights.
     
    Local administrator should be all that's needed to install software in
    local boxes (client, workstations, member servers). Or .. are you
    referring to software installation on Domain Controllers?
     
    If on a client and the local administrator does not have permission -
    check the local administrator account and make sure it is a member of
    the "Administrators" group locally. If that is the case, check _why_ the
    application fails. Chances are the administrator has insufficient access
    to resources (registry, file system) the installer tries to write to. In
    fact, there is no such right as a "Install Software" right. It all comes
    down to the actual permissions to modify system files, folders and the
    registry. If it says "Access denied" some of those resources cannot be
    touched.
     
    And yeah, I agree, having software be installed as a domain admin _is_ a
    bad idea.
     
    Cheers,
    Florian
     
     

    The views and opinions expressed in my postings do NOT correlate with the ones of my friends, family or my employer.
    Tuesday, February 8, 2011 9:46 PM
  • You might want to consider an alternative approach which leverages Group Policy to publish software to designated users - which eliminates the problem you are referring to altogether. You can actually find out more info regarding this subject on Florian's blog at http://www.frickelsoft.net/blog/?p=20

    hth
    Marcin

    Wednesday, February 9, 2011 1:00 AM
  • Hi,

     

    As Florian Frommherz mentioned, local administrators have the ability to install programs.

     

    You may use the following Group Policies to add the users into Local Admins group.

     

    Computer Configuration\Windows Settings\Security Settings\Restricted Groups

     

    For more information, please refer to the following articles:

     

    Restricted Groups

    http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

     

    How to use Restricted Groups? Part I

    http://www.frickelsoft.net/blog/?p=13

     

    In addition, you may also use the Group Policy preference below to achieve the same goal.

     

    Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups

     

    If you do not have Windows Server 2008 or Windows Server 2008 R2 installed on the Domain Controllers, you can also configure a Group Policy preference item in a Windows Server 2003 environment from either a Windows Server 2008/R2 server or a Windows Vista with Service Pack 1/Windows 7 client with RSAT update installed. If you do not have Windows Server 2008/R2 server, you can download and install Remote Server Administration Tools on a Windows Vista or Windows 7 client to manage and configure them.

    Microsoft Remote Server Administration Tools for Windows Vista 
    http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en


    Remote Server Administration Tools for Windows 7 

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

    The CSEs for the new Group Policy preference functionality are required in Windows XP Service Pack 2 (SP2), Windows Server 2003 Service Pack 1 (SP1), and Windows Vista to process the new preference items. To download and install CSEs, please refer to the following link:

     

    Information about new Group Policy preferences in Windows Server 2008

    http://support.microsoft.com/kb/943729

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, February 9, 2011 5:00 AM

All replies

  • Simple domain/non-admin users can't deploy big software, but they can install small software like Google Chrome, Firefox etc., which doesn't require use of the Windows folder for registering/storing installables.

    As Florian said, adding to the local admin is the way to go, adding to Domain admin means giving them key to your own locker.

    Domain admin is everything for single forest/domain.

     

    Regards,


    Awinish Vishwakarma

    Blog : http://awinish.wordpress.com

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, February 9, 2011 5:03 AM
  • Okay, I've made a video myself trying to set this up via the restricted users.  Please let me know what I am doing wrong.

    http://bit.ly/kuv9Eu

     


    Sunday, June 12, 2011 10:48 PM
  • Looks right. Do you have more than one domain controller? Sometimes when you make a change to GP on one DC you have to wait a bit for it to replicate. Secondly, is John.Smith definitely a member of the staff.accounts group? Third, when you log in, right-click on Computer and make sure that staff.accounts is in fact listed as part of the local admin group before trying to install the software. I think that might be the problem. (Do you have any other network or local group policies that might contradict the GP you've created?)
    Wednesday, June 29, 2011 2:36 PM
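
The checks suggested in the last reply, collected into one script as an added example that is not part of the original thread. It is meant to be run on the affected workstation while logged on as the user who cannot install; `EXAMPLE\staff.accounts` is a placeholder for the real DOMAIN\group, and the `$ExpectedGroup` parameter name is an assumption of this example.

```powershell
# Added example (not from the thread). Placeholder group name: replace with the
# real DOMAIN\group that the Restricted Groups / GP preference item should add.
param([string]$ExpectedGroup = 'EXAMPLE\staff.accounts')

# Resolve the local Administrators group by its well-known SID (S-1-5-32-544)
# so the check also works on localized Windows builds where the name differs.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# 1. Is the domain group really listed in the local Administrators group?
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://DOM/name -> DOM\name
}
$inLocalAdmins = $members -contains $ExpectedGroup

# 2. Does the logged-on user's token carry that group? Membership added after
#    logon only shows up once the user logs off and on again.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $identity.Groups | ForEach-Object {
    try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $_.Value }                                   # unresolvable SID: keep raw
}
$inToken = $tokenGroups -contains $ExpectedGroup

# 3. Which computer GPOs were applied? If the new GPO is missing, it may not
#    have replicated or refreshed yet, or another GPO may be overriding it.
$gpo = gpresult /r /scope computer

New-Object PSObject -Property @{
    User               = $identity.Name
    LocalAdminsGroup   = $adminName
    LocalAdminsMembers = ($members -join '; ')
    GroupInLocalAdmins = $inLocalAdmins
    GroupInUserToken   = $inToken
} | Format-List

if (-not $inLocalAdmins) {
    Write-Warning "$ExpectedGroup is not in local '$adminName'; the policy has not applied here."
}
if (-not $inToken) {
    Write-Warning "$($identity.Name) has no $ExpectedGroup in the logon token; check AD membership and re-logon."
}
$gpo
```

If the group is missing from the local Administrators group, `gpupdate /target:computer /force` followed by a second run shows whether the policy arrives after a refresh.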