Allowing Domain Users to Install Software on Workstations


This topic contains 8 replies, has 5 voices, and was last updated by Anonymous 10 years, 2 months ago.

    HotDay2222
    Member
    #144777

    OS: Server 2003 R2
    1 DC with AD and DNS roles

    Problem: Users are always installing/uninstalling software to client machines – scanners, some want Firefox instead of explorer, etc.
    So, I want to allow domain users full administrative rights on client machines (i.e. un/installing software, changing system time, etc). Presently, since resources are tight, some users log on locally to the DC for light work (internet research, etc), so I do not want them to be able to install software on the DC.

    One solution I found on the net was to go to each client machine’s security policies and add each domain user to the administrative list.
    That sounds like a lot of work and it would be extremely difficult to manage once we expand, so I was looking for an easier way via AD and found this article but don’t know how to go about doing what it says (I’m stuck):

    http://support.microsoft.com/kb/279301

    Can someone please assist?
    Maybe this is not the best way to solve my problem; is there an easier way?

    Thank you in advance.

    #344091

    Re: Allowing Domain Users to Install Software on Workstations

    In what sense are you “stuck”? What have you done so far, what results are you getting and what results were you expecting to get?

    No matter how tight resources are, is it really desirable to have users logging on to the DC? :confused: that sounds like it has bad news written all over it…

    I’d also suggest that you really shouldn’t be letting users install software on their computers since you lose all control over licensing, security etc.

    HotDay2222
    Member
    #328128

    Re: Allowing Domain Users to Install Software on Workstations

    gforceindustries – there are trusted users, so sharing of resources and accessibility is more important than security. Regardless, maybe making domain users client administrators is not a great idea, but I have not found anything else on the net to the problem of allowing users to install software and change system time (users must be allowed to do these 2 things at the minimum).

    I’m stuck because I can’t figure out how restricted groups work and how to attach policies to a certain group.

    L4ndy
    Member
    #276260

    Re: Allowing Domain Users to Install Software on Workstations

    From a network admin perspective nothing is more important than security. As admins it’s up to us to find the right balance.
    If the fit hits the shan and the company ends up in financial loss due to preventable malware that was installed on the computer and this wasn’t covered in the company policy, those “Trusted users” will be the first to point fingers.

    It all depends on the nature of the business but can you give us a good reason why users will need those rights??

    I can’t see a good reason why someone might need to change the system time and not let the relevant windows service handle it.
    However if you must:
    To change the system time you’d need to grant them the SeSystemTimePrivilege.
    This can be done by GPO:
    computer – windows settings – security settings – local policy – user right – change system time

    In terms of software installation, I’d suggest not to give the end user the rights to do it. Even if it means registry permission changes, contacting the developers, investing in extra IT support staff, Deployment tools etc etc.
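
A way to check, on a workstation, which accounts actually hold the "change system time" right once such a GPO has applied. This is an added example, not part of the original post; it assumes an elevated PowerShell prompt, and the temporary file name and output property names are illustrative.

```powershell
# Added example: report which accounts hold a given user right on this machine.
# Run from an elevated prompt; secedit needs administrative rights to export.
param(
    [string]$Right = 'SeSystemtimePrivilege'   # "Change the system time"
)

$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user rights area of the effective local security policy.
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    # Lines look like: SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
    $line = Get-Content -Path $inf |
        Where-Object { $_ -match ('^\s*{0}\s*=' -f [regex]::Escape($Right)) } |
        Select-Object -First 1

    if (-not $line) {
        Write-Output "$Right is not assigned to any account on $env:COMPUTERNAME"
        return
    }

    $holders = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($h in $holders) {
        $name = $h
        if ($h.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate them where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = "$($sid.Value) (unresolved)" }
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Right = $Right; Holder = $name }
    }
}
finally {
    # Do not leave a copy of the policy export lying in the temp directory.
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
}
```

Any holder beyond the group the GPO was meant to name is worth following up, since the setting replaces the whole list for that right.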

    stamandster
    Member
    #280345

    Re: Allowing Domain Users to Install Software on Workstations

    I agree! NEVER let the end user log on directly to a DC.

    HotDay2222
    Member
    #328136

    Re: Allowing Domain Users to Install Software on Workstations

    To follow up on this post, do not give users more privileges than needed, especially installing software. I was wrong and the reason why users should be allowed minimal access to get the job done is because:

    http://forums.petri.com/showthread.php?t=40831

    They intentionally or unintentionally do things (i.e. install software) that do funny things (i.e. like open ports) that cause me headaches.

    Just do not do it.
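
An audit for the situation this thread started from, domain users ending up in a workstation's local Administrators group. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later on the workstation (for `Get-LocalGroupMember`), and the finding texts and output property names are illustrative.

```powershell
# Added example: flag over-broad or directly added principals in the
# local Administrators group of the machine this runs on.

# Well-known SIDs that should not normally hold workstation admin rights.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Resolve the group by its well-known SID so the check also works on
# installs where the group name is localized.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'

foreach ($m in $admins) {
    $sid     = $m.SID.Value
    $finding = $null

    if ($broadSids.ContainsKey($sid)) {
        $finding = "broad group: $($broadSids[$sid])"
    }
    elseif ($sid -match '^S-1-5-21-(\d+-){3}513$') {
        # RID 513 under a domain SID is that domain's "Domain Users" group.
        $finding = 'Domain Users group (RID 513)'
    }
    elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        # A single domain account added by hand, machine by machine.
        $finding = 'individual domain account added directly'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Class    = $m.ObjectClass
        Source   = $m.PrincipalSource
        Finding  = if ($finding) { $finding } else { 'ok' }
    }
}
```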

    Anonymous
    #367533

    Re: Allowing Domain Users to Install Software on Workstations

    HotDay2222;184240 wrote:
    To follow up on this post, do not give users more privileges than needed, especially installing software. I was wrong and the reason why users should be allowed minimal access to get the job done is because:

    http://forums.petri.com/showthread.php?t=40831

    They intentionally or unintentionally do things (i.e. install software) that do funny things (i.e. like open ports) that cause me headaches.

    Just do not do it.

    Unfortunately, end users don’t understand the risks of their actions.

    – On another note, your network logon (on a day to day basis) should be a domain administrator. Microsoft Best Practice is to use a separate domain administrator account than your day to day network logon.

    #344127

    Re: Allowing Domain Users to Install Software on Workstations

    NikkiLav;184628 wrote:
    Unfortunately, end users don’t understand the risks of their actions

    Exactly. You can train them as much as you want, but they still won’t fully understand it until it goes wrong. Unless they happen to have been IT staff at some point.

    And that’s why it’s critical to lock the system down as tightly as you can without being too draconian.

    NikkiLav;184628 wrote:
    On another note, your network logon (on a day to day basis) should be a domain administrator. Microsoft Best Practice is to use a separate domain administrator account than your day to day network logon.

    Think that was meant to read should not be ;)

    To expand on that, first off, give all of your administrators their own admin account so that you can log exactly who does what – don’t give them all the Administrator password. And rather than logging on as an administrator, log on as your standard account and use runas to execute administrative tasks where feasible.

    Anonymous
    #367534

    Re: Allowing Domain Users to Install Software on Workstations

    gforceindustries;184644 wrote:
    Exactly. You can train them as much as you want, but they still won’t fully understand it until it goes wrong. Unless they happen to have been IT staff at some point.

    And that’s why it’s critical to lock the system down as tightly as you can without being too draconian.

    Think that was meant to read should not be ;)

    To expand on that, first off, give all of your administrators their own admin account so that you can log exactly who does what – don’t give them all the Administrator password. And rather than logging on as an administrator, log on as your standard account and use runas to execute administrative tasks where feasible.

    oops! :oops: I meant to put should not be :)
