problem with group policies

[vinrx7]

Im trying to add a few users to a user group that would allow them to download and install programs as needed without permission from the admin every time. I added the user to the power user group (templete) but it still does not allow him to install a program from the web (example :adobe reader). I must be using the wrong user group but it doesnt specify what tasks can be accomplished by the user groups to choose from. Any info would be great.
thanks.
BTW, im right out of school so still a little green.

 

[ncotton]

if you are applying a group policy to the users that disables this setting, then the user status will be overriden. Create a new policy object, set the settings for downloading and installing from the internet, apply it to the OU, then remove the Authenticated Users filter, and apply a filter just on the Power Users group.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[porkchopexpress]

I think you will find that Adobe reader and many other apps require admin rights to install.

Power users allows the user write access to most areas in the program files dir but not all areas of the windows dir so some software fails to install. Also some software checks to see if you are an admin and if not it will fail anyway.

You know what Jack Burton always says at a time like this...

 

[vinrx7]

thanks for the help. I decided to just add everyone to the enterprise admins group just to get things rolling then tighten it up after everything is in place.
thanks for the info

 

[porkchopexpress]

Hold up. You really should consider using restricted groups to add users to the local admins group on their stations, adding them to the enterprise admins group is asking for a disaster one wrong move or virus infection could wipe everything out, data, active directory the lot.
The danger is that by the time you get around to tightening up your systems could already be compromised, prevention is a far more effective defence than reactive measures especially with current malware.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

 

[vinrx7]

well, the problem is there are programs that i have been working on that need every user to have full admin rights in order for it to be installed and setup to work properly (during setup phase of software). Right now i have enough trouble getting this thing to work correctly without wondering if permissions could be a part of each problem. Once the users are setup completely, i will tighten it up.

 

[porkchopexpress]

If you use restricted groups then you can make your users admins on every desktop without them being domain / enterprise admins, this means that they can install anything on your work stations but cannot ruin your file servers or DC's this will massively reduce the chance of a domain wide disaster while allowing your users to complete their tasks.

I've learnt the hard way that what users can do they will and this can spell big trouble.

 

[vinrx7]

I will try to restrict them to local machine admins and see if i can still get them setup with joboss. I appreciate the suggestions.