-2

I need to grant a user some admin rights, so he can enter his credentials when someone is prompted to install software (and just that). He is not an admin, and I don't want him to have too much access.

My domain controller runs on Windows Server 2008 R2 and the computers on Windows 7.

I tried to make him a power user, but apparently power users are just basic users now... Or maybe I missed something.

Is making him a local admin on some computers a good idea? Is there a better (another) way to do that?

Also, I read about AppLocker. Is it a good way to let regular users install some software?

Dave M
Gnoci

1 Answer

2

Installing system-wide software mostly requires that the user have full access to the registry and filesystem.

Basically with the above access the user IS administrator. Perhaps you could come up with some group that granted the above without adding them to the actual administrator group, but that would be pointless. With full filesystem access they could simply do one of hundreds of different things to compromise the system and grant them admin access.

If the user must be able to install software, make them admin. BTW, you can make them an admin of only the machines they need to install software on. Don't needlessly make them a Domain Admin. You can use the Group Policy Preferences to easily add them to the local administrators group on machines they are to have admin access on.

Zoredache
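
An added example, not part of the original answer: once Group Policy Preferences has been used to scope local admin rights as described above, this PowerShell 2.0-compatible script checks that the account is in the local Administrators group only on the intended machines. The account name `CONTOSO\jdoe`, the computer names, and the function names are hypothetical, and the membership data is constructed so the comparison runs offline.

```powershell
# Added example: audit where a delegated installer account is a local admin.
# All names below are hypothetical placeholders.
$Account  = 'CONTOSO\jdoe'          # account granted local admin through GPP (assumed)
$Intended = @('PC-101', 'PC-102')   # machines the GPP item is meant to target (assumed)

# Read the direct members of a machine's local Administrators group (WinNT provider).
# Nested membership (the account inside a domain group) is not expanded here.
function Get-LocalAdminMembers([string]$ComputerName) {
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://DOM/user -> DOM\user
    }
}

# Compare actual membership (computer -> member list) with the intended scope.
function Test-AdminScope([hashtable]$Membership, [string]$Account, [string[]]$Intended) {
    foreach ($pc in ($Membership.Keys | Sort-Object)) {
        $isAdmin  = @($Membership[$pc]) -contains $Account   # case-insensitive match
        $expected = $Intended -contains $pc
        if ($isAdmin -eq $expected) { $status = 'OK' }
        elseif ($isAdmin)           { $status = 'UNEXPECTED ADMIN' }
        else                        { $status = 'GPP NOT APPLIED' }
        New-Object PSObject -Property @{
            Computer = $pc; IsLocalAdmin = $isAdmin; Status = $status
        }
    }
}

# Constructed sample data (not real output) in the shape Get-LocalAdminMembers returns.
$sample = @{
    'PC-101' = @('CONTOSO\PC-101\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\jdoe')
    'PC-102' = @('CONTOSO\PC-102\Administrator', 'CONTOSO\Domain Admins')
    'PC-103' = @('CONTOSO\PC-103\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\jdoe')
}
Test-AdminScope $sample $Account $Intended |
    Format-Table Computer, IsLocalAdmin, Status -AutoSize

# Live use: build the same hashtable from reachable machines, then run the same check.
# $live = @{}
# foreach ($pc in @('PC-101', 'PC-102', 'PC-103')) { $live[$pc] = @(Get-LocalAdminMembers $pc) }
# Test-AdminScope $live $Account $Intended
```

With the constructed data, PC-101 reports OK, PC-102 reports GPP NOT APPLIED, and PC-103 reports UNEXPECTED ADMIN.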