• Authorizing User Installations

    Home » Forums » Admin IT Lounge » Admin IT Lounge – Miscellaneous » Authorizing User Installations

    Author
    Topic
    Eric Selje
    AskWoody Plus
    February 19, 2014 at 5:02 pm #493462

    I manage an A/D domain here at work, and I think for the most part I’ve got everything pretty well set. One thing that bugs me though is that I can’t figure out why some users need to enter a domain administrator username & password in order to install software, while others merely need to acknowledge the installation by clicking Ok. UAC is set to the same level for all users, and all users have the same rights and are in the same groups. What difference am I missing?

    As a bit of a follow up, it seems they cannot just type any old domain administrator’s name and password, but it has to be THE Administrator account. I tried creating another account just for installing software and Windows doesn’t allow it. What am I missing there?

    Thanks!

    Eric

    Reply | Quote
    Viewing 1 reply thread
    Author
    Replies
    • Paul T
      AskWoody MVP
      February 20, 2014 at 6:04 am #1440013

      Maybe the user elevation only works for the local admin account “administrator”. This guarantees it will always work.
      If you must let users install software, add their domain account to an AD group that has admin rights on all PCs. As soon as they have finished installing the software, remove their AD account from the group. (Don’t let them install software at all is really the only option IMO.)

      cheers, Paul

      Reply | Quote
    • WShidden
      AskWoody Lounger
      May 23, 2014 at 5:52 pm #1454231

      I manage an A/D domain here at work, and I think for the most part I’ve got everything pretty well set. One thing that bugs me though is that I can’t figure out why some users need to enter a domain administrator username & password in order to install software, while others merely need to acknowledge the installation by clicking Ok. UAC is set to the same level for all users, and all users have the same rights and are in the same groups. What difference am I missing?

      As a bit of a follow up, it seems they cannot just type any old domain administrator’s name and password, but it has to be THE Administrator account. I tried creating another account just for installing software and Windows doesn’t allow it. What am I missing there?

      Thanks!

      Eric

      I got an solution for you which I always use for the people who need local administrator rights.
      Giving those people domain level administrator rights is way to risky.

      You make a new Group Policy,
      comp config -> Restricted groups
      You’ll add administrators as a new group.
      You link the OU with the workstations where they need installation rights.
      You make a AD Group called ‘Local Administrators’

      Make Local Administrators part of Administrators in the restrictred group and you’re set.

      here is more info:

      http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/17/how-to-add-domain-accounts-to-local-administrators-group-using-gpo.aspx

      hope it helps :p

      Reply | Quote
    Viewing 1 reply thread
    Reply To: Authorizing User Installations

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information:




DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    April 2025
    S M T W T F S
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.