Active Directory Allow User to Install Only

20,266

IMO, if you're letting him install stuff (and you don't trust him), then you've already compromised the network's integrity. :)

Having said that, here's a suggestion:

Use the GP Restricted Groups settings to add his domain account to the "Power Users" group on the workstations.

Caveat: This may not let him install drivers though, as they are system-level, and require Administrator permissions.

Power Users can install software but are not full admins. For more info on the differences, see this SU question: Difference between Power user and Administrator

Tutorial links:
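An added example, not part of the original answer or its tutorials: Restricted Groups settings are stored in the policy's GptTmpl.inf under `[Group Membership]`, and a "Members" list replaces a group's existing membership while "Member of" only adds to it. This sketch reports which form a policy uses for Power Users and Administrators; the sample file contents and account SIDs are constructed.

```python
import re

# Well-known SIDs of built-in local groups (identical on every Windows host).
PRIVILEGED = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed sample of a GptTmpl.inf; the S-1-5-21-... account SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1190__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1190__Members =
[Version]
signature="$CHICAGO$"
"""

ENTRY = re.compile(r"^\*?(.+?)__(memberof|members)\s*=\s*(.*)$", re.IGNORECASE)

def audit_restricted_groups(inf_text):
    """Return (mode, group, principals) tuples for privileged local groups."""
    findings, in_section = [], False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = ENTRY.match(line) if in_section else None
        if not match:
            continue
        subject, kind, values = match.group(1), match.group(2).lower(), match.group(3)
        listed = [v.strip().lstrip("*") for v in values.split(",") if v.strip()]
        if kind == "members" and subject in PRIVILEGED and listed:
            # "Members" is authoritative: accounts not listed are removed.
            findings.append(("replace", PRIVILEGED[subject], listed))
        elif kind == "memberof":
            # "Member of" only adds the subject to each listed group.
            findings += [("add", PRIVILEGED[g], [subject])
                         for g in listed if g in PRIVILEGED]
    return findings  # empty lists are not reported by this example

if __name__ == "__main__":
    for mode, group, who in audit_restricted_groups(SAMPLE_INF):
        print(f"{mode:7} {group:14} {', '.join(who)}")
```

A "replace" finding on a policy linked domain-wide deserves a second look, since it overrides whatever local membership each workstation already had.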


Author: TheFrack

Updated on September 18, 2022

Comments

  • TheFrack
    TheFrack over 1 year

    On my Active Directory network, I want to satisfy my boss by giving him semi-administrative permissions that will allow him to install programs as administrator in emergency situations on all computers, but not sacrifice the integrity of the network. Is there any type of Admin Group setting or Group that I could create that would allow him basic user permissions + the ability to install programs/drivers as administrator? I don't want to give him Domain Admin or anything crazy, just bypass UAC.

    I was going to give him permission to bypass UAC via GPO, but would I need to make an entire GPO just for him? Is that too much?

    • Patrick Seymour
      Patrick Seymour almost 10 years
      You can allow normal users to install drivers, and put the drivers in a share where every PC can retrieve them. See technet.microsoft.com/en-us/library/cc725772.aspx or see Computer Configuration, Administrative Templates, System, Driver Installation in GPO.
  • Ƭᴇcʜιᴇ007
    Ƭᴇcʜιᴇ007 almost 10 years
    @guntbert "Power Users" still exists. See Default local groups for a list.
  • guntbert
    guntbert almost 10 years
    Indeed, I stand corrected :-)
  • TheFrack
    TheFrack almost 10 years
    Sorry I'm really new to this AD stuff, poorly self-taught. Is it this folder in the GPO: i.imgur.com/WktqcoT.png ? By the way... that group that's in my folder, is that normal? Looks weird. And yes, I don't trust my boss because his password is too weak and he doesn't know about computers. I have no say over it if he wants to install stuff.
  • Ƭᴇcʜιᴇ007
    Ƭᴇcʜιᴇ007 almost 10 years
    Yeah, that's the one. And that weird entry looks to be an entry in GP that refers to a group that no longer exists (so you're seeing the SID instead of a name), I'd say you're safe to delete that entry. Also, I'll update my answer with a couple tutorial links on how to actually implement my answer. :)
  • TheFrack
    TheFrack almost 10 years
    Thanks, I just did like the tutorial said and added one user to it. Will this significantly slow down my network login if it's on the default GPO? I had to make it domain-wide.
  • Ƭᴇcʜιᴇ007
    Ƭᴇcʜιᴇ007 almost 10 years
    You shouldn't be editing your Default Policy. Instead, make a new policy that's ONLY for this (and related items), and link it as required to the OUs containing the computers you want this to apply to. If you only edit the Computer configuration part, disable the User configuration part to help reduce processing times. Really though, you'd need 100s of policies in place before they'd be a concern for slowdown (slow logins caused by GPOs are way more about what they're doing than how many there are).
  • TheFrack
    TheFrack almost 10 years
    I actually need this to apply to all computers in my network, so I figured I'd do it on the default. Well I guess not the domain controller, but it probably doesn't really matter. Anyway, thanks.