Re: AD rights to install software on a machine

Hi Joe,

Could you advise please?

When I add a restructed group, I can then add this group to another group, I
have 2 options from this pint, one is 'members of this group, I assume this
means add members to the resricted group?

The other option is 'this group is a member of', when Ive dne this in the
past it wipes group member ship from thwe target group, please can you
confirm if Im missing something?


"jwd" <jwd@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4DAB6D41-A946-4753-8C7B-E04D1EF26DBF@xxxxxxxxxxxxxxxx

Hi Andrew,

Use the "Member of" setting rather than "Members" setting. Specify your
custom group to be a 'member of' the builtin\administrators group rather
explicity defining all the 'members' of the builtin\administrators. This
will only include the group and not exclude existing members

Best Regards
Joe Dunn MCSE

"Andrew Story" wrote:

Hi Joe,

Can't use restricted groups I'm afriad as it wipes out the existing
contents
of all the local groups, and some users are local admins/power users due
to
some applications requiring these permissions.

Is there any other way via a GPO, any other security setting that can be
applied just to install software?


"jwd" <jwd@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:545A8319-F764-4627-9DCA-89C94E760E42@xxxxxxxxxxxxxxxx

The account does not need rights in AD to install software instead they
need
rights on the workstations. You can use AD however to apply these
rights.

Create a group and put all the accounts that you wish to have
administrative
permissions on the workstations. Then use a Restricted Group policy
setting
in a GPO linked to the OU(s) that contain your Computer accounts to add
this
group to the local Administrators group of the workstations.

Best Regards
Joe Dunn

"Andrew Story" wrote:

Hi, do you know what rights a user account in AD needs to install
software
on a workstation?

I need to create an account that someone can logon as to install
software,
and would like to do this per OU when needed.

Thanks








.

Relevant Pages

  • Re: AD rights to install software on a machine
    ... and some users are local admins/power users due to ... The account does not need rights in AD to install software instead they ... permissions on the workstations. ...
    (microsoft.public.windows.server.active_directory)
  • Re: AD rights to install software on a machine
    ... explicity defining all the 'members' of the builtin\administrators. ... The account does not need rights in AD to install software instead they ... permissions on the workstations. ...
    (microsoft.public.windows.server.active_directory)
  • Re: How to allow "Admin" account to install software?
    ... can I allow the "Admin" account to install software? ... members of WksAdmins; these users don't need to be members of other groups ...
    (microsoft.public.windows.server.general)
  • Re: Rid AD of Circular Group Membership
    ... and have use on members if it is used there. ... Administrators group is still intact), nor do they have empowerments over ... Admins is being used for by the 30+ can be delegated I(ex. ... The quess is each has an account and uses it, ...
    (microsoft.public.windows.group_policy)
  • Re: adminDSholder being over zealous!
    ... I have experienced the same problems, where users in members of groups ... without the account ACLs reverting to match AdminSDHolder. ... account operators can manage their own accounts or the ... >>A supported fix is now available from Microsoft, ...
    (microsoft.public.win2000.security)