6

How would I go about allowing a 'domain user' to install software on their computer? I have Active Directory and Group Policy in place. Is there a setting in Group Policy that would allow this? I don't really want to make the domain users domain admins as well. There is a way to do this by adding the user to their local admins group under Computer Management. I need this for about 50 users, so that gets to be a long process with that many users.

Server: Windows Server 2008 R2

Client Machines: Windows 7

EEAA

3 Answers

9

Caveat: You really don't want your users to be "Administrators" on their PCs. You want to find a method to automate the distribution of software (see Mass installation on networked Windows computers? amongst other Server Fault answers) in lieu of allowing users to install the software themselves. (There are a variety of reasons why you don't really want this-- exposing the company to liability for unlicensed software, being able to install malicious software, and just plain screwing-up their computers are a few good ones.)

Having said that, Restricted Groups functionality in Group Policy is what you're looking for. It'll automate the group nesting on an arbitrary number of computers.

Instead of creating a nightmare for yourself later (not to mention a political situation where you can't ever take back the users' "Administrator" rights) I'd recommend you think strongly about learning how to centrally deploy software first.

Edit:

My answer re: managing updates for Adobe Reader is the same answer I'd give to you re: managing updates for the JRE and other "necessary evil" software like it. I'd develop a coordinated process of installing the software with Group Policy and updating it by deploying new packages when patches are released.

Evan Anderson
  • I was having issues just installing a Java update. I'm not sure what else I will come across when configuring the computers, but are there ways around these updates? We have a WSUS server that will be put in place fairly soon. Any way to implement it with that? Thanks for the response –  Jul 28 '10 at 21:23
  • WSUS won't do anything for updates that aren't Microsoft's. For that you'd want to look for something like System Center's Essentials or even GPOs. – GregD Jul 28 '10 at 21:26
  • 1
    +1 for bringing up the political issue. Been there, done that and have the scars to prove it. – John Gardeniers Jul 28 '10 at 21:26
  • Evan is absolutely right with this. DO NOT shortcut this by allowing your users to install software. It is worth the time and effort required to centrally deploy software. – GregD Jul 28 '10 at 21:28
  • @GregD: Actually, there's an API that WSUS can use to publish third-party updates that's accessible without the System Center products, but Microsoft hasn't made it very easy to use. The functionality is called "Local Publishing". See http://www.homerfilms.com/clients/eminentware/third-party-patch-management.html and http://www.wsus.info/index.php?showtopic=14369 – Evan Anderson Jul 28 '10 at 21:31
  • @Evan - Thanks for that. At that rate, you're better off leaving WSUS doing what it does well (update MS products) and use GPOs for everything else. – GregD Jul 28 '10 at 21:33
  • I object to the answer. There are plenty of reasons to allow users to install. Chat would never have gotten off the ground if users didn't actively seek to work around IT departments anywhere. Scan users if you must to avoid illegitimate software. Hire people who know what to install. Do not set yourself up as the guardian of all things. That is a very IT-centric and not customer-centric way of thinking. – nick Jan 14 '15 at 22:05
  • In fact do everyone a favor and read this: https://plus.google.com/+RipRowan/posts/eVeouesvaVX – nick Jan 14 '15 at 22:26
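
An added example, not part of the original answer or its comments: once Restricted Groups has been applied, a PowerShell 2.0-compatible audit like the one below shows who actually holds local Administrators rights on each PC and flags anything outside the intended set. The function name, the `EXAMPLE` domain, the `Workstation Admins` group and the computer names are hypothetical placeholders, and the built-in group is assumed to have its English name.

```powershell
# Added example: list local Administrators members on remote PCs and flag
# entries that are not on an expected list. All names are placeholders.

function Get-LocalAdministrators {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # WinNT ADSI provider; assumes the group is named "Administrators"
            $group = [ADSI]"WinNT://$computer/Administrators,group"
            foreach ($member in @($group.psbase.Invoke('Members'))) {
                $adsPath = $member.GetType().InvokeMember(
                    'ADsPath', 'GetProperty', $null, $member, $null)
                # WinNT://DOMAIN/name  or  WinNT://DOMAIN/COMPUTER/name
                $name = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
                New-Object PSObject -Property @{
                    Computer = $computer
                    Member   = $name
                }
            }
        } catch {
            # Unreachable or access-denied machines are reported, not skipped silently
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

function Find-UnexpectedAdministrators {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string[]]$Expected
    )
    Get-LocalAdministrators -ComputerName $ComputerName | Where-Object {
        # Ignore each machine's own built-in Administrator account
        ($Expected -notcontains $_.Member) -and
        ($_.Member -notmatch '\\Administrator$')
    }
}

# Constructed sample call: the only domain principals that should be present
$expected = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins')
Find-UnexpectedAdministrators -ComputerName 'PC-001', 'PC-002' -Expected $expected |
    Sort-Object Computer, Member |
    Format-Table Computer, Member -AutoSize
```

Run it from an account that already has administrative rights on the target machines; an empty result means each PC's local Administrators group contains only the expected entries.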
2

Best practice is to only allow them to install permitted applications. If you let them install any application, they could install lots of things you don't want them to (like viruses, LimeWire, keystroke loggers, etc.)

To permit them to install allowed applications, create a software installation in Group Policy. Set the installation type as published.

Here's a decent enough article describing the process:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

Jason Berg
  • I would argue that best practice is not to allow them to install ANY software, especially when there are free solutions (or built-in) for centrally deploying software... – GregD Jul 28 '10 at 21:30
  • This is a form of central deployment. Everything gets done through group policy still. Just the users can decide if they want a piece of software...but only software that is already set up to be deployed. – Jason Berg Jul 28 '10 at 21:34
  • Would AppLocker come in handy for something like this? –  Jul 28 '10 at 22:02
0

I would have to recommend ManageEngine Desktop Central. It scans all machines and then collects programs installed on the domain. You can then easily deploy software on either MSI or EXE files with their prefigured scripts (command lines). Makes my life a hell of a lot easier, especially with Adobe and Java updates all the time. By the way, it's free for up to 25 machines and is accessible from a browser.

jammer