Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Allow users software installation

Status
Not open for further replies.
smokeyd

smokeyd

Technical User
May 31, 2005
7
NL
Hi all,

I have deployed Windows XP Pro on a small network with some 30 pc's. Authentication is done against a Samba PDC. I don not want to make users Power User of Administrators for security reasons, but I would like to give them the flexibility to install software if they really need it. To make this possible I added a domain user that is member of the local Power Users group of all the Windows XP Pro machines. It turns out though that Power Users can only install certain software though. I do not want to give the users more rights than they need, and certainly not the right to add users to the Administrators group.
Is there a way to enable power users to install al software? Or is there an alternative way I can accomplish the same. Could I perhaps put the domain user in the Administrators group instead of the power users group, and then disable user management for that user, and maybe also other things?
Thanks,

Dolf.
 
Sort by date Sort by votes
Publish the appliation. From the MSDN notes on IntelliMirror:

If you use Active Directory, you can use the Software Installation and Maintenance feature of IntelliMirror to make applications available to users. You can assign critical applications to users and publish applications users might need to access.

Publishing an application
When you publish applications, users can install the application by using Add or Remove Programs in Control Panel. For more information about using Software Installation and Maintenance to make applications available to your users, see the Distributed Systems Guide of the Microsoft® Windows® 2000 Server Resource Kit.

Assigning an application to a user
When you assign an application to a user, it appears to the user that the application is already installed, and a shortcut appears in the user's Start menu. When the user clicks the shortcut, the application is installed from a server share.

 
Upvote 0 Downvote
I am using a Samba PDC for authentication, so no Active Directory. Besides, I want users to be able to install software themselves, without intervertion of myself. If I have to intervene, I can as well install it myself on their pc.
 
Upvote 0 Downvote
I misunderstood your original question.

I was concerned about this part of your question: "Is there a way to enable power users to install al software? Or is there an alternative way I can accomplish the same. Could I perhaps put the domain user in the Administrators group instead of the power users group, and then disable user management for that user, and maybe also other things?"

I saw no necessity for the approach taken. The Power User Group was redefined in XP relative to its permissions under Win2k:
The Power User class can perform any task except for those reserved for Administrators. They are allowed to carry out functions that will not directly affect the operating system or risk security. This is a less restricted role than under Win2k. It is essentially the ability to modify legacy applications, but not true Win32 appliations, nor to elevate users to the Administrators group or perform Domain level functions.

Power Users Can:
Create local user accounts
Modify user accounts which they have created
Change user permissions on users, power users, and guests
Install and run applications that do not affect the operating system
Customize settings and resources on the Control Panel, such as Printers, Date/Time, and Power Options
Do anything a User can

Power Users Cannot:
Access other users' data without permission
Delete or modify user accounts they did not create
Click to expand...

Some suggestions:

1. Use forum member Greg Palmer's RUNAS wrapper application:

2. Or, use the XP native tool IEXPRESS. A good walk-through:
3. Or use the Microsoft freeware LE tool from On-Demad for MSI packaging or third-party packagers:
4. Or, Trace registry and file changes during and installation. You could then push permission changes to the registry and file system as needed for the install to complete.

I use RegMon and FileMon from sysinternals.com, freeware:


These can be a little intimidating at first until you set Filters.

5. These MS KB articles for allowing limited users to install MSI packages may help:

How to all non-administrators to install .MSI packages:

How to Manage Local Policy for Windows Installer

How to run custom actions as Local System in .MSI packages

Best regards,
Bill Castner
 
Upvote 0 Downvote
Simply drop them into the local Administrator group and they will be able to install anything. They CANNOT do any changes to your domain groups since they are only administrator LOCALLY, not the entire domain.
 
Upvote 0 Downvote
Dennisbbb is right. This kind of sucks because you'll have to do it on 30 machines, but that's actually the easiest. You will be able to go in and add their user account to the local admin group. You can do that by right-clicking on my computer, going to manage, and then going into Local Users and Groups, then Groups. Then double-click on admnisitrators and add their account to the members.
 
Upvote 0 Downvote
I also don't want users in the Local Admin group because then they can modify local users' rights. They can give their own account Local Administrative rights, creating security problems with virus and spyware spreading. That was the whole problem. Well, I'll just stick to creating a domain user which has just normal users rights on the domain, but is a member of the local Power Users group on the workstations. With that account they should be able to install some software. Since I'm using images in rolling out the pc's, all of that is not a big problem. If they really need to install something for which they need Administrative privileges, I'll install it manually for them or incorporate it in the images. I think that is the most practical solution. Thanks for all your help. I think though there should be a better way to control the rights different groups have on a pc, like on linux machines. But that is just something for uncle Bill. Thanks for all your help.
 
Upvote 0 Downvote
Well, I have about 300 workstations and not all of those are in the same building, half of them are spread out across ten locations, some over 30 miles away. It could be worse :) At least you're in the same building. And honestly, installing software doesn't take that much of your time and it doesn't seem to be a request that happens all that often.
 
Upvote 0 Downvote
Indeed. All my workstations are in one location and installing something isn't such a big problem. It indeed doesn't happen that often as long as you make sure most standard tools are installed in the image. I just keep trying to put myself out of a job though by making sure I need to intervene as little as possible :).
 
Upvote 0 Downvote
Just roll out an image once in a while and pretend you've made some major security improvements in the new image and everybody's happy. :D No, fortunately, that's not the way it works at the moment. :)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Rick_
  • Locked
  • Question
Reliance Automax Exec V3 software
Replies
6
Views
509
Andrzejek
Andrzejek
johncp
  • Locked
  • Question
W10 Defender blocking installation of uTorrent
Replies
9
Views
726
mikrom
mikrom
xarzu
  • Locked
  • Question
How is remote debugging allowed on Microsoft SQL Management studio?
Replies
2
Views
376
xarzu
xarzu
Xankey
  • Locked
  • Helpful tip
Which are the best software for computer
Replies
12
Views
373
Smith_J
Smith_J
ecnereht
  • Locked
  • Question
Best Free Internal Messaging Software 4
Replies
15
Views
397
bfordz
bfordz

Part and Inventory Search

Sponsor

Back
Top