+ Reply to Thread
Results 1 to 8 of 8
  1. dmw
    dmw is offline
    Member
    Join Date
    Aug 2005
    Location
    MA
    Posts
    81

    Certifications
    A+, Network +, MCP, MCSA, CCENT
    #1

    Default How to permit Temporary local administrator access to users

    How can you setup a group say "templocaladmin" that grants a user admin access to the computer they are logging into while logging into the domain not logging in locally on the computer?

    So I have a user who has no right to install programs. I need to install a program with them logged into the domain so I add them to the group templocaladmin, have them logoff and logon and install then remove them and have logoff and on again.

    I just can't seem to figure out what group(s) to add to templocaladmin to give the necessary rights.

    This is probably painfully obvious to some but I have been studying way to much this week and I thinnk I have reached the point of diminishing returns.
    Reply With Quote Quote  


  2. Login/register to remove this advertisement.
  3. Senior Member
    Join Date
    Nov 2005
    Location
    Birmingham, AL
    Posts
    1,088
    #2
    If I am understanding you correctly, you want to give them the ability to install applications? If so, just grant them the ability to do so via Group Policy and then apply that policy to either an existing OU or one that you create just for this task.
    Reply With Quote Quote  

  4. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #3
    1. Add their domain username to the local administrator group (power users group might be able to install the software depending on the modifications it makes to the OS)
    2. Allow them to install programs via group policy
    3. Group policy installation (either by using MSI package or using ZAP if you only have setup.exe)
    4. runas command (go to a command prompt and do runas /?) or shift + right click the setup utility and runas and enter credentials. Note: You can either go to their workstation and run this command so you don't have to log off, or you can just create a .bat file, send it to them to run or use it as a logon script for them.
    Reply With Quote Quote  

  5. dmw
    dmw is offline
    Member
    Join Date
    Aug 2005
    Location
    MA
    Posts
    81

    Certifications
    A+, Network +, MCP, MCSA, CCENT
    #4
    Thanks.

    I am aware of Runas but Runas doesn't always work depending on how the installer is setup, and what other group policies are locked down on the machine.

    Hadn't thought about the group policy. So I have this straight. Create an OU, edit the gp linked to that ou to allow installs, when I want to permit a user to do install add them to the OU, when finished remove them.

    Thanks for these answers icroyal and RTmarc
    Reply With Quote Quote  

  6. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    3,818

    Certifications
    VCAP5-DCA; VCP3/4/5; EMCSA:CLARiiON; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    #5
    I would do either via Group Policy (if it's an msi package) or via a computer startup script if it's trivial to throw together a batch or vb script that could install it silently. Neither of these options would require admin access since they would run under the system account context.
    Reply With Quote Quote  

  7. Senior Member
    Join Date
    Feb 2006
    Location
    Master Control
    Posts
    257

    Certifications
    A+, MCP (270 & 290), CST, Network+ and _______ (to be continued...)
    #6
    Are you going to also set a limit on when that account is accessible? Otherwise, what is to stop that user from logging in with that account whenever they want to install software and then log back off and continue what they were doing? Just a thought...
    Reply With Quote Quote  

  8. Senior Member
    Join Date
    Nov 2005
    Location
    Birmingham, AL
    Posts
    1,088
    #7
    Quote Originally Posted by dmw
    Thanks.

    I am aware of Runas but Runas doesn't always work depending on how the installer is setup, and what other group policies are locked down on the machine.

    Hadn't thought about the group policy. So I have this straight. Create an OU, edit the gp linked to that ou to allow installs, when I want to permit a user to do install add them to the OU, when finished remove them.

    Thanks for these answers icroyal and RTmarc
    I think I understand a little more now. You don't want them to always be able to install applications, it's just certain times. If that's the case I would go the route of pushing the apps out via group policy.

    3. Group policy installation (either by using MSI package or using ZAP if you only have setup.exe)
    This would be the method of "least administrative overhead" that Microsoft harps on. Instead of you constantly having to move users back and forth between OUs, push the app via GP. If you want them to always have the ability to install apps, give them the ability to do so via GP and assign it to their OU.
    Reply With Quote Quote  

  9. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #8
    Like RTMarc said, since you really don't want them installing applications all the time, there's 2 things you can do. As I said before, if the application has an MSI install package, you can deploy MSI packages via group policy installation. If it's an exe install file, you can create a ZAP text file that contains information about the setup.exe program. You can read up more about group policy and zap files via google.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks