Allowing Domain Users to Install Software on Workstations

  • Allowing Domain Users to Install Software on Workstations

    OS: Server 2003 R2
    1 DC with AD and DNS roles


    Problem: Users are always installing/uninstalling software to client machines - scanners, some want Firefox instead of explorer, etc.
    So, I want to allow domain users full administrative rights on client machines (i.e. un/installing software, changing system time, etc). Presently, since resources are tight, some users log on locally to the DC for light work (internet research, etc), so I do not want them to be able to install software on the DC.

    One solution I found on the net was to go to each client machine's security policies and add each domain user to the administrative list.
    That sounds like a lot of work and it would be extremely difficult to manage once we expand, so I was looking for an easier way via AD and found this article but don't know how to go about doing what it says (I'm stuck):

    http://support.microsoft.com/kb/279301

    Can someone please assist?
    Maybe this is not the best way to solve my problem; is there an easier way?

    Thank you in advance.

  • #2
    Re: Allowing Domain Users to Install Software on Workstations

    In what sense are you "stuck"? What have you done so far, what results are you getting and what results were you expecting to get?

    No matter how tight resources are, is it really desirable to have users logging on to the DC? That sounds like it has bad news written all over it...

    I'd also suggest that you really shouldn't be letting users install software on their computers since you lose all control over licensing, security etc.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Allowing Domain Users to Install Software on Workstations

      gforceindustries - there are trusted users, so sharing of resources and accessibility is more important than security. Regardless, maybe making domain users client administrators is not a great idea, but I have not found anything else on the net to the problem of allowing users to install software and change system time (users must be allowed to do these 2 things at the minimum).

      I'm stuck because I can't figure out how restricted groups work and how to attach policies to a certain group.



      • #4
        Re: Allowing Domain Users to Install Software on Workstations

        From a network admin perspective nothing is more important than security. As admins it's up to us to find the right balance.
        If the fit hits the shan and the company ends up in financial loss due to preventable malware that was installed on the computer and this wasn't covered in the company policy, those "Trusted users" will be the first to point fingers.

        It all depends on the nature of the business but can you give us a good reason why users will need those rights??

        I can't see a good reason why someone might need to change the system time and not let the relevant windows service handle it.
        However if you must:
        To change the system time you'd need to grant them the SeSystemTimePrivilege.
        This can be done by GPO:
        computer - windows settings - security settings - local policy - user right - change system time


        In terms of software installation, I'd suggest not to give the end user the rights to do it. Even if it means registry permission changes, contacting the developers, investing in extra IT support staff, Deployment tools etc etc.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR
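
The two settings discussed in this thread, Restricted Groups membership of the local Administrators group and the "change system time" user right, both end up in a security template (INF) file, so they can be audited offline. The following is an added example, not part of any post in the thread: it parses such a template and reports where a catch-all group has been given either right. The sample template, its domain SID and the function names are constructed for illustration, and the parser assumes principals are written as SIDs rather than account names.

```python
import re

# Well-known SIDs that cover (nearly) every account; RID 513 is Domain Users.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")
ADMINS_KEY = "*s-1-5-32-544__members"   # Restricted Groups: members of Administrators
TIME_KEY = "sesystemtimeprivilege"      # "Change the system time" user right

# Constructed sample in security-template layout (as in GptTmpl.inf / secedit exports).
SAMPLE_INF = """\
[Privilege Rights]
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeShutdownPrivilege = *S-1-5-32-544
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-513
"""

def parse_inf(text):
    """Return {section: {key: [values]}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = [
                v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return sections

def broad_principals(sids):
    # Keep only SIDs that stand for "everyone in the domain or on the machine".
    return [BROAD.get(s, "Domain Users") for s in sids
            if s in BROAD or DOMAIN_USERS.match(s)]

def audit(text):
    """List (setting, principal) pairs where a catch-all group holds the right."""
    inf = parse_inf(text)
    checks = [("local Administrators", inf.get("group membership", {}).get(ADMINS_KEY, [])),
              ("SeSystemtimePrivilege", inf.get("privilege rights", {}).get(TIME_KEY, []))]
    return [(name, who) for name, sids in checks for who in broad_principals(sids)]

if __name__ == "__main__":
    for setting, who in audit(SAMPLE_INF):
        print(f"REVIEW: {who} granted {setting}")
```
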



        • #5
          Re: Allowing Domain Users to Install Software on Workstations

          I agree! NEVER let the end user log on directly to a DC.
          GoogleFu is strong with this one ^



          • #6
            Re: Allowing Domain Users to Install Software on Workstations

            To follow up on this post, do not give users more privileges than needed, especially installing software. I was wrong and the reason why users should be allowed minimal access to get the job done is because:

            http://forums.petri.com/showthread.php?t=40831

            They intentionally or unintentionally do things (i.e. install software) that do funny things (i.e. like open ports) that cause me headaches.

            Just do not do it.



            • #7
              Re: Allowing Domain Users to Install Software on Workstations

              Originally posted by HotDay2222:
              To follow up on this post, do not give users more privileges than needed, especially installing software. I was wrong and the reason why users should be allowed minimal access to get the job done is because:

              http://forums.petri.com/showthread.php?t=40831

              They intentionally or unintentionally do things (i.e. install software) that do funny things (i.e. like open ports) that cause me headaches.

              Just do not do it.

              Unfortunately, end users don't understand the risks of their actions.


              - On another note, your network logon (on a day to day basis) should be be a domain administrator. Microsoft Best Practice is to use a separate domain administrator account than your day to day network logon.



              • #8
                Re: Allowing Domain Users to Install Software on Workstations

                Originally posted by NikkiLav:
                Unfortunately, end users don't understand the risks of their actions
                Exactly. You can train them as much as you want, but they still won't fully understand it until it goes wrong. Unless they happen to have been IT staff at some point.

                And that's why it's critical to lock the system down as tightly as you can without being too draconian.

                Originally posted by NikkiLav:
                On another note, your network logon (on a day to day basis) should be be a domain administrator. Microsoft Best Practice is to use a separate domain administrator account than your day to day network logon.
                Think that was meant to read "should not be".

                To expand on that, first off, give all of your administrators their own admin account so that you can log exactly who does what - don't give them all the Administrator password. And rather than logging on as an administrator, log on as your standard account and use runas to execute administrative tasks where feasible.
                Gareth Howells




                • #9
                  Re: Allowing Domain Users to Install Software on Workstations

                  Originally posted by gforceindustries:
                  Exactly. You can train them as much as you want, but they still won't fully understand it until it goes wrong. Unless they happen to have been IT staff at some point.

                  And that's why it's critical to lock the system down as tightly as you can without being too draconian.

                  Think that was meant to read "should not be".

                  To expand on that, first off, give all of your administrators their own admin account so that you can log exactly who does what - don't give them all the Administrator password. And rather than logging on as an administrator, log on as your standard account and use runas to execute administrative tasks where feasible.
                  Oops! I meant to put "should not be".
