add a user administrator rights to install program on anyones pc in OU

  • Thread starter Thread starter bowlerman
  • Start date Start date
B

bowlerman

i need to add a user in my ou's that needs to have the rights to
install programs. i have those rights because im a domain admin. my
other helper i made him a domain admin because of that and other
reasons. i dont want to give domain admin rights to this user but want
him to allow users to install programs. now, i added him to the
administrators\builtin group but it doesnt work. do i have to delegate
control to him and what do i pick to get it to work? thanks
also he needs to be able to go to any computyer, type in his
credentials under ran as and allow to user to install a program
 
bowlerman said:
i need to add a user in my ou's that needs to have the rights to
Click to expand...

OUs are NOT about "giving rights" (for the members of the OU) to do
something. They are about delegating control over the users and other
objects to someone else -- or linking GPOs.
...install programs. i have those rights because im a domain admin. my
other helper i made him a domain admin because of that and other
reasons. i dont want to give domain admin rights to this user but want
him to allow users to install programs.
Click to expand...

Why not assigne the programs to the computers or with elevated privileges
(using an admin account)?

Then the users won't need anything for this to happen for them.
now, i added him to the
administrators\builtin group but it doesnt work.
Click to expand...

That group isn't a "computer Administrator" Domain Admins gets put into
the Computer Administrators groups of domain machines.
do i have to delegate
control to him and what do i pick to get it to work? thanks
also he needs to be able to go to any computyer, type in his
credentials under ran as and allow to user to install a program
Click to expand...

Depends on the program. Not all programs require an Admin, and
in general this is a poor idea to grant extra admins for this purpose.

You could just put his account into the COMPUTER Administrators
groups (perhaps using a Restricted Groups GPO to make it easy.)
 
OUs are NOT about "giving rights" (for the members of the OU) to do
something. They are about delegating control over the users and other
objects to someone else -- or linking GPOs.


Why not assigne the programs to the computers or with elevated privileges
(using an admin account)?

Then the users won't need anything for this to happen for them.


That group isn't a "computer Administrator" Domain Admins gets put into
the Computer Administrators groups of domain machines.


Depends on the program. Not all programs require an Admin, and
in general this is a poor idea to grant extra admins for this purpose.

You could just put his account into the COMPUTER Administrators
groups (perhaps using a Restricted Groups GPO to make it easy.)
Click to expand...

sorry for being dumb but i am new to all this and am doing a migration
from workgroups to a new domain. What i did for right now was put
that user in domain admin group and that allowed him to go to a
machine and install a program using run as.
the Computers administrators group? what is that. i prob know but are
confused about what you are referring. I dont want to give this user
domain admin rights but dont know how else to get this to work? more
help?
 
sorry for being dumb but i am new to all this and am doing a migration
from workgroups to a new domain.
Click to expand...

No apology necessary -- if you knew the answers you wouldn't be asking
the questions. And I will not apologize for correcting your mistakes
either.

You want to learn -- we want to help.
What i did for right now was put
that user in domain admin group and that allowed him to go to a
machine and install a program using run as.
the Computers administrators group?
Click to expand...

So you made him a domain admin? Why not just make him a COMPUTER
admin?
what is that. i prob know but are
confused about what you are referring. I dont want to give this user
domain admin rights but dont know how else to get this to work? more
help?
Click to expand...

Put him in a particular computer Administrators group -- then see if this
does the job.

If it does we can tell you how to do this for 1000's of machines, but if you
only have 5-10 machines you can do it manually on each one.
 
No apology necessary -- if you knew the answers you wouldn't be asking
the questions. And I will not apologize for correcting your mistakes
either.

You want to learn -- we want to help.


So you made him a domain admin? Why not just make him a COMPUTER
admin?


Put him in a particular computer Administrators group -- then see if this
does the job.

If it does we can tell you how to do this for 1000's of machines, but if you
only have 5-10 machines you can do it manually on each one.
Click to expand...

so this means go to every computer and add him to the local
administrators group right? i have to do this to 100 computers then?
that would be great if u could show me?
 
No apology necessary -- if you knew the answers you wouldn't be asking
the questions. And I will not apologize for correcting your mistakes
either.

You want to learn -- we want to help.


So you made him a domain admin? Why not just make him a COMPUTER
admin?


Put him in a particular computer Administrators group -- then see if this
does the job.

If it does we can tell you how to do this for 1000's of machines, but if you
only have 5-10 machines you can do it manually on each one.
Click to expand...

well i went on my test computer took him out of domain admins and put
him in the local admin group fgor that machine and tried to install a
porogram using run as and it worked for him. so how do i do this to a
group of computers or all that i have here? thanks
 
bowlerman said:
so this means go to every computer and add him to the local
administrators group right? i have to do this to 100 computers then?
that would be great if u could show me?
Click to expand...


That's one way. There are (at least) two others:

You could write a script but there is a newer method.

Group Policy "Restricted Groups" -- restricted means that
you can both require certain people to be in a group and limit
the membership to precisely THAT list.

Have you done an GPOs yet?

Generally we can run the GPEdit from any machine including
DCs, but this is a special case where we have to run it from
a Workstation or (ordinary) server.

If you want to work from XP or Win2000 do this:

Install AdminPak.msi from Win2003 DC on your XP or
from Win2000 on a Win2000 workstation (it's located in
%systemroot%\System32\

Create a GPO, link it to the domain, in the computer section
restricted groups you will need to setup to include Domain
Admins, the user, and anyone else you want in that group.

Let it propagate to all DCs and get refreshed on your machines
and it should do the job.

This Google search will get your some help but remember we
will help too so you don't have to do learn it all by yourself:

[ "restricted groups" 2000 site:microsoft.com ]
 
You either can use Restricted groups in ADUC and GPO, use tools like
A2LG http://www.petri.co.il/a2lg.htm or use say Desktop Authority to
do that remotely. In the first case you need to create GPO with GPMC
(gpmc.msc), open Group Policy Object Editor (gpedit.msc) for that
created GPO by choosing Edit command from its context menu, open
Computer Configuration\Windows Settings\Security Settings\Resitricted
groups folder. Then read the 'Updates to Restricted Groups ("Member
of") behavior of user-defined local groups' http://
support.microsoft.com/kb/810076 article to find how to manage this.
With desktop authority that can be done remotely in the way like you
would do it on user's computer if you would go to its screen directly.
It's handy because you can control the whole process in real time.
 
Back
Top