Results 1 to 3 of 3
  1. #1
    New Lounger
    Join Date
    Dec 2009
    Location
    Madison, WI
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Authorizing User Installations

    I manage an A/D domain here at work, and I think for the most part I've got everything pretty well set. One thing that bugs me though is that I can't figure out why some users need to enter a domain administrator username & password in order to install software, while others merely need to acknowledge the installation by clicking Ok. UAC is set to the same level for all users, and all users have the same rights and are in the same groups. What difference am I missing?

    As a bit of a follow up, it seems they cannot just type any old domain administrator's name and password, but it has to be THE Administrator account. I tried creating another account just for installing software and Windows doesn't allow it. What am I missing there?

    Thanks!

    Eric

  2. #2
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,733
    Thanks
    7
    Thanked 240 Times in 228 Posts
    Maybe the user elevation only works for the local admin account "administrator". This guarantees it will always work.
    If you must let users install software, add their domain account to an AD group that has admin rights on all PCs. As soon as they have finished installing the software, remove their AD account from the group. (Don't let them install software at all is really the only option IMO.)

    cheers, Paul

  3. #3
    New Lounger
    Join Date
    May 2014
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by SaltyDog View Post
    I manage an A/D domain here at work, and I think for the most part I've got everything pretty well set. One thing that bugs me though is that I can't figure out why some users need to enter a domain administrator username & password in order to install software, while others merely need to acknowledge the installation by clicking Ok. UAC is set to the same level for all users, and all users have the same rights and are in the same groups. What difference am I missing?

    As a bit of a follow up, it seems they cannot just type any old domain administrator's name and password, but it has to be THE Administrator account. I tried creating another account just for installing software and Windows doesn't allow it. What am I missing there?

    Thanks!

    Eric
    I got an solution for you which I always use for the people who need local administrator rights.
    Giving those people domain level administrator rights is way to risky.

    You make a new Group Policy,
    comp config -> Restricted groups
    You'll add administrators as a new group.
    You link the OU with the workstations where they need installation rights.
    You make a AD Group called 'Local Administrators'

    Make Local Administrators part of Administrators in the restrictred group and you're set.

    here is more info:

    http://myitforum.com/cs2/blogs/rdixo...using-gpo.aspx

    hope it helps

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •