Windows Server 2000/2003 Thread, Using Group Policy to allow a user to install software in Technical; Our ICT Co-ordinator has asked to have access to be able to install software, e.g. a new font, drivers for ...
16th December 2009, 03:06 PM #1
Using Group Policy to allow a user to install software
Our ICT Co-ordinator has asked to have access to be able to install software, e.g. a new font, drivers for a new piece of IT eqpt etc. As I work 6 hours a week, this seems like a reasonable request, given that we've agreed how to log what he installs for auditting purposes etc.
I'm trying to provide him access to do this via another login which I have given more access rights to via Group Policy. However, given that installing software writes to the registry and c:\windows etc. I'm wondering whether this is achievable.
Has anyone else got this working and if so, can you advise which group policy settings need enabling?
I also thought about setting somethign up via a Power User, but this has been deleted from our Active Directory by the previous postholder by the looks of it.
16th December 2009, 03:09 PM #2
Power users is still available on local stations it's not a domain group.
Power users still have limitations that will cause all sorts of issus with bits of software i'd look into using restricted groups to make the person a local admin on certain stations. As power users is a subset of the administrators group not a superset of users it really doesn't provide much protection so you will save yourself hassle using a local admin.
Using Restricted Groups
Thanks to cookie_monster from:
kaphc (16th December 2009)
16th December 2009, 03:13 PM #3
That'll be why I couldn't find it in Active Directory then lol!
Thanks, cookie Monster, will take a look at Restricted Groups and see if that will do the trick.
16th December 2009, 09:37 PM #4
As cookie_monster just said - Local Admin rights may be the way to go, however if you combine these rights with group policy restrictions - you could give him the underlying rights while removing some of the more dangerous parts in theory.
Another way you could do it - is to add him to a domain group and grant that group specific admin rights on a local PC, particularly c:\windows etc...
So that they have the underlying rights to install software like an admin would, but they don't have some of the other parts.
It all depends how you want to do it really - we just give people local admin where they need it and if they break the PC, they live without it for a while - we eventually get around to it, they lose their local admin rights and we reimage the PC in question.
Fortunately though we have a very limited audience who have any kind of admin rights
Thanks to azrael78 from:
kaphc (18th December 2009)
By Iain.Faulkner in forum Windows Server 2008
Last Post: 7th September 2009, 11:36 PM
By TechSupp in forum Windows
Last Post: 25th February 2008, 01:22 PM
By FN-GM in forum Windows
Last Post: 12th July 2007, 09:11 PM
By ajbritton in forum Windows
Last Post: 1st December 2006, 03:13 PM
By ajbritton in forum Windows
Last Post: 21st March 2006, 02:05 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)