Local PC installs

[mjbosko]

We have a AD installed on our 2003 server. When trying to install security updates, and other software, on local PCs the user has to be logged on as the Administrator. We'd rather let them install onto their own PCs - but we don't want to give out the admin password.

I know there's a way for me to state that client pc users can have install access, but I can't find where.

Local Security Policy? If so, can this be set at the server, or do I have to go to each PC?

Hope I'm making sense here...

-m

 

[AJ1982]

You can put users into the Admin groups for their local machines under "Restricted Groups", carefull you dont apply that to the DC's tho

AJ

===

Fatman Superstar (Andrew James)

CCNA, CCAI

 

[mjbosko]

Thanks, where exactly would I do that?

Sorry, I'm very novice when it comes to a domain.

-m

 

[ashpp]

In GP Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. Then add a group name Administrators and add everyone to it.

HTH

Ash.

 

[mjbosko]

Ok, I found Computer Configuration in the Group Policy Object Editor - then was able to drill down to:

Windows Settings | Security Settings

and found "Software Restriction Policies", but no "Restricted Groups"...

Is this something I have to add?

I basically want the users to have full control over their PCs and Laptops - to be able to do anything locally, when logged into the domain. Is this still the right place to allow this??

Thanks!!

Mike

 

[RoadRunner12]

You could put them all into a common user group in AD and then add this group to the Administrators local group on each machine. This will allow them to inherit local admin rights to their machines.

You can do this by connecting to each machine through computer management and adding the group from there.

 

[ashpp]

Yes thats the right place to look and no you don't have to add anything.
It should just be there...

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

 

[mjbosko]

Thanks.... the site helped explain it .. but I'm trying to make sure I edit the correct gp. On the site you sent, it shows the GPO Editor - and the first key is "Restricted Groups GPO".

I started MMC, and using the Add/Remove Snap-in, I added the Group Policy Object Editor - but by default, the wizard selects the Local Computer object. Selecting Browse, I'm offerred two options: Default Domain Policy and Domain Controllers.<mydomain>.

Which policy object do I add the group.

And the term Restricted Group just doesn't sound like its going to do what I'm wanting it to do. The term Restricted to me sounds like "can't". And just adding a group here and assigning users/OUs to it will allow them full access to their laptop's configuration? Seems like there should be more.

If there's something I should read, such as a how-to or something, I will be happy to do it. I just dont' want to mess this up for our users (We currently don't have an onsite system administrator so I'm playing the part).

 

[mjbosko]

Actually, this has become extremely frustrating. Maybe its because I'm a developer, rather than a system admin - but I can't understand why it wouldn't be less complicated to assign a user, or a group of users, as administrators of their own machines.

Are there really that many different types of group policy objects that could be assigned the same type of information? One works, the others could cause potential disaster to the domain and its security?? dang!

Ok, so lets say I only want to give one or two users (at this point) access to change the computers they are logged onto - I trust them. I want them to be able to configure their laptops to use a wireless network, change the network settings, install programs, etc.

I've even tried to set them up as administrators - testing still proves to disable these features. Why is this??

Boy, if anyone can give me some better insight, I would be truly grateful!