what GPO settings must be applied to allow the user rights to write to system directories and load dll's/drivers necessary to install applications without being administrators. Making them power users is not working.....And allowing users to install with elevated privies isn't the answer either. HELP!!!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
allowing users to install apps
- Thread starter mtollow
- Start date
ManageSoft 6.0 can be used to extend Group Policy to deploy software as "required" software which is installed automatically, or "optional" software which is made available for user selection from a webpage listing all approved optional software for the corporation. In both cases elevated user privileges are not required -- installation is automatic and transparent. HTH. See if you are interested.
Try looking at "runas" (under windows 200) and the SU service (under windows nT/2000)
Also, under windows 2000, power user is basically the same as "user" under windows NT. So power user should work under windows 2000 unless you are trying to access some privileged keys in the registry.
I wrote some code using the SU service in which a specialized process (a db2 connect "silent install"
had to run. The only problem is this "silent install" has to run under the context of administrator and our customer does not want its users with this level of authority on their PC.
Hope this give you a starting point.
Thanks. Gilbert M. Vanegas
Programmer Analyst III
County of San Bernardino - ISD
Email : gvanegas@isd.sbcounty.gov
Also, under windows 2000, power user is basically the same as "user" under windows NT. So power user should work under windows 2000 unless you are trying to access some privileged keys in the registry.
I wrote some code using the SU service in which a specialized process (a db2 connect "silent install"
had to run. The only problem is this "silent install" has to run under the context of administrator and our customer does not want its users with this level of authority on their PC. Hope this give you a starting point.
Thanks. Gilbert M. Vanegas
Programmer Analyst III
County of San Bernardino - ISD
Email : gvanegas@isd.sbcounty.gov
Guest_imported
New member
- Jan 1, 1970
- 0
Only local account mgt. includes power users. In an AD environment, there is no power user. The fix I found out from a GPO guru is this - create a security group called installers, add the users and computers you wish to grant this permission to (both user and computer have to be members).
Create a GPO, edit it, add a registry key, choose HKLM\SOFTWARE add the new security group and grant full permissions to the key.
**DO NOT REPLACE PERMISSIONS, you will in effect take out the everyone and system groups if you do.
Add the computer and users abilities to install with elevated privies and patch, etc...all the other switches that one would think would allow users to install locally by definition.
GOTO the properties of the GPO and remove authenticated users and add the defined security group with read/apply permissions.
The simple switch setting implies the ability to allow a user to install applications on their own but the domain user does not have permission to write to the system registry key HKLM\SOFTWARE. Ever had a problem with a user trying to accept the EULA ater installing the office suite? Or making Outlook the default email program after installing it? Or alow a user to goto windowsupdates? This will fix that. I don't want to have to deply every application through an MSI, RIS or Zenworks NAL. Coming from a consultant's point of view, I administer over a dozen networks up and down Northern California and some reaching Arizona and New York. I can't handhold every install that occurs, nor can I allow all users to be administers. Having a local administrator that works full time is nice but not all clients can afford to have both. I am curious for feedback on who else implements this workaround. I called Microsoft and spent four hours working on this issue, but formally this configuration is not supported by Microsoft - they want intellimirror to rule all installs.
Good Luck!
Matthew Tollow
CCNA, MCSE, CNA, A+
Staff Consultant
Portola Systems, Inc.
Create a GPO, edit it, add a registry key, choose HKLM\SOFTWARE add the new security group and grant full permissions to the key.
**DO NOT REPLACE PERMISSIONS, you will in effect take out the everyone and system groups if you do.
Add the computer and users abilities to install with elevated privies and patch, etc...all the other switches that one would think would allow users to install locally by definition.
GOTO the properties of the GPO and remove authenticated users and add the defined security group with read/apply permissions.
The simple switch setting implies the ability to allow a user to install applications on their own but the domain user does not have permission to write to the system registry key HKLM\SOFTWARE. Ever had a problem with a user trying to accept the EULA ater installing the office suite? Or making Outlook the default email program after installing it? Or alow a user to goto windowsupdates? This will fix that. I don't want to have to deply every application through an MSI, RIS or Zenworks NAL. Coming from a consultant's point of view, I administer over a dozen networks up and down Northern California and some reaching Arizona and New York. I can't handhold every install that occurs, nor can I allow all users to be administers. Having a local administrator that works full time is nice but not all clients can afford to have both. I am curious for feedback on who else implements this workaround. I called Microsoft and spent four hours working on this issue, but formally this configuration is not supported by Microsoft - they want intellimirror to rule all installs.
Good Luck!
Matthew Tollow
CCNA, MCSE, CNA, A+
Staff Consultant
Portola Systems, Inc.
Guest_imported
New member
- Jan 1, 1970
- 0
I work for a large multi national company (about 90,000 users) and we use a product called ADS by Broccoli Software , it works very well, it does the job, low price and the support is very good.
We needed an application that the users or the IT engineers could install software on the machine based on the nt groups he was in or by the machine name, its so easy, it has really taken problems away from the IT support teams.
Take a look at
We needed an application that the users or the IT engineers could install software on the machine based on the nt groups he was in or by the machine name, its so easy, it has really taken problems away from the IT support teams.
Take a look at
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question