YES!!! I did it!!! Here is what I did:
1. Click Start and type cmd. When cmd.exe shows up, right-click and select Run as Administrator (this allows you to run Command Prompt at an elevated level).
2. Type
net localgroup "Power Users" /add /comment:"Standard User with ability to install programs."
and hit enter.
3. Now you need to assign user/group rights. Download ntrights.exe from here. These are the instructions from sevenforums:
A) Open the downloaded .zip file, and extract (drag and drop) the
ntrights.exe file to your desktop.
B) Right click on the ntrights.exe file, click on Properties, General
tab, and click on the Unblock button if available. NOTE: If you do not
have an Unblock button under the General tab, then the file is already
unblocked and you can continue on to step 1C.
C) Right click on the ntrights.exe file and click on Move.
D) Open Windows Explorer and navigate to and open the
C:\Windows\System32 folder, then Paste the ntrights.exe file to move
it here.
E) If prompted, click on Continue and Yes to approve moving the
ntrights.exe file into the System32 folder, then close the Windows
Explorer window.
4. In an elevated command prompt (see step 1), type
ntrights -U "Power Users" +R SeNetworkLogonRight
and hit enter. Type in the same thing again, only replace SeNetworkLogonRight with something else. You can try the following:
SeInteractiveLogonRight
SeChangeNotifyPrivilege
SeSystemtimePrivilege
SeTimeZonePrivilege
SeCreatePagefilePrivilege
SeCreateGlobalPrivilege
SeCreatePermanentPrivilege
SeIncreaseWorkingSetPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeSystemEnvironmentPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeSystemProfilePrivilege
SeShutdownPrivilege
For a complete list of User Rights and explanations, see my comment below (I can't post more than two links; if someone wants to edit this to add the link, please feel free).
5. Once that is complete, you then need to give your new "Power Users" group permission to write to the C drive. Open My Computer, right-click on the C drive, and go to Properties. Click on the Security tab. Click on Edit... then Add... and in the big box under "Enter the object names to select" type Power Users, click Check Names, and click OK.
6. Under the heading Group or User Names, you will see "Power Users." Click on it, and click on the checkmark beside Full Control. It should automatically check off everything else, but if not, manually check everything else. The only thing that you can't check because it is grayed out is Special Permissions. Click Apply, and it will give your group permissions. Ignore any errors that come up and continue anyway (I think assigning group rights in step 4 took care of this).
7. Open an elevated command prompt again (step 1), and type
net localgroup "Users" "Power Users" /ADD
This nests your Power Users group within Users so that way it is basically a Standard User account, but with additional privileges.
8. Type
net localgroup "Power Users" user_000 /ADD
(user_000 being the user name for the account you are trying to keep as a Standard User and allow to install programs). This will still keep your user in the Users group, but will also add the user to the new Power Users group (so it is part of multiple groups). Note: If your user is signed in with a Microsoft Passport, you can find out your username by clicking on Start, typing control userpasswords2 and hitting enter. Then click on the user account you need to find the name for, and click Properties and you'll see your actual user name.
ALL DONE! And you will notice that Family Safety is still enforced, yet the user can't change its settings or give additional time or unblock websites or whatever. Nor can the user add another user with the User Accounts feature. Yet the user can install programs. :)
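An added check, not part of the original answer: a PowerShell script that reports which user rights and which ACL entries on the drive root are granted directly to the group after the steps above. The group name, the drive and the `$sensitive` selection are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added audit example. $Group, $Drive and the $sensitive selection are assumptions.
$Group = 'Power Users'   # group created in the steps above
$Drive = 'C:\'           # drive whose ACL was edited in the steps above

# Rights from the answer's list that this example chooses to flag.
$sensitive = 'SeLoadDriverPrivilege', 'SeManageVolumePrivilege',
             'SeSystemEnvironmentPrivilege', 'SeCreatePermanentPrivilege'

# Resolve the group to its SID; secedit writes principals as *SID or as a name.
$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Policy lines look like:  SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
$rights = foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $right = $Matches[1]
        $principals = $Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
        if ($principals -contains $sid -or $principals -contains $Group) {
            [pscustomobject]@{ Right = $right; Flagged = $sensitive -contains $right }
        }
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# Allow entries on the drive root that name the group directly, compared by SID.
$modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
$aces = (Get-Acl -Path $Drive).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
            CanModify = (([int]$_.FileSystemRights) -band $modify) -eq $modify
        }
    }

"User rights granted directly to '$Group':"
$rights | Sort-Object Right | Format-Table -AutoSize
"Allow entries for '$Group' on ${Drive}:"
$aces | Format-Table -AutoSize
```

Rights the user holds only through membership in other groups, such as Users, are not listed; the report covers grants that name the group itself.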
The version of Windows your friend has does not have this capability. You have the Professional version which does include it. While this question and answer talks about Windows 7 the solution is the same. You have to manually grant the permission. Just locate the updated support article. – Ramhound – 2015-02-18T13:31:18.420
possible duplicate of Alternative to gpedit.msc for Windows Home editions? – Ramhound – 2015-02-18T13:33:45.723
This isn't a duplicate of that question. The OP already managed to get GPEDIT.MSC on the computer noting I figured out how to install it. The OP assumes the problem can be solved using Group Policy, but that's a presupposition being brought into the question. The root query is how to permit a standard user to perform tasks that require Administrative privileges, something that can be accomplished without group policy. – I say Reinstate Monica – 2015-02-18T13:36:37.340
@Twisty - The question that is a possible duplicate has a solution that will work for this user. – Ramhound – 2015-02-18T13:40:57.100
@Ramhound The possible dup tells you how to apply GP settings to a non-Pro version of Windows. It says nothing about which settings would need to be applied to satisfy the OP's request...so I'm not following you here. – I say Reinstate Monica – 2015-02-18T13:44:16.273
possible duplicate of Grant admin rights on an application – I say Reinstate Monica – 2015-02-18T13:45:55.017
@threehappypenguins I've linked your question to another one that offers a solution for a non-admin user to run already-installed programs with admin rights. I don't think there's going to be a simple way to facilitate installing a program without admin rights. For that, I suggest having your friend log in and perform the initial installation with his Admin account. – I say Reinstate Monica – 2015-02-18T13:49:08.323
@Twisty - I assumed the author knew which permission he needed to add just wanted to know how to do that. He doesn't specifically ask what permission he needs to add just how to add that permission. – Ramhound – 2015-02-18T13:49:17.717
@Ramhound OK, I follow you now. I don't think that's the case, but perhaps the OP can clarify for us. – I say Reinstate Monica – 2015-02-18T13:50:31.457
Thank-you, Twisty. You get what is going on here. You said that it's "something that can be accomplished without group policy." I was hoping that at first, but I couldn't find anything. Isn't there some way to accomplish this using the registry? For example, if you look up how to have UAC password prompt, everything points to, "You need gpedit." But it can be enabled by a simple registry hack by changing ConsentPromptBehaviorAdmin to 1. – threehappypenguins – 2015-02-18T14:09:06.723
Also, while giving admin rights to already installed programs is helpful, my friend's son is going to be bothering me every time he wants to install a program; I'm just too busy for that. I just want to set this up and leave it. And my friend procrastinates on dealing with his son's computer (ie, giving permission to install a program... my friend is really technologically challenged) (P.S. I'm a woman, lol) – threehappypenguins – 2015-02-18T15:00:50.610
I opened MMC.exe, went to File > Add/Remove Snap-in > Local Users and Groups > Add > Finish. Then I get the error (because I have Basic, obviously) "This snapin may not be used with this edition of Windows 8.1." Someone gave this link for registry edits whereas the GP is just an interface for it. I thought that maybe there is some way to enable the Local Users and Groups snapin. I got as far as HKCU\Software\Policies\Microsoft\MMC\ (I can create the keys), but the instructions are only for Restrict_Run. Any ideas? – threehappypenguins – 2015-02-18T15:27:43.400
I'm still plugging away here. I have also tried going to Start > control userpasswords2 and then fiddling around in there. I can click on the desired Standard User, go to Properties > Group Membership > Other and choose from a list. But I don't see anything about Power Users or anything I need from that list. So I went back to control userpasswords2, and went to Advanced > Advanced, and THAT opened the lusrmgr dialogue box (Local Users and Groups). Lo and behold, it said this snapin couldn't be used with my Windows edition. Isn't there a registry hack to force the snapin to be enabled? – threehappypenguins – 2015-02-18T18:54:09.843
I'm not aware of a way to allow non-administrators to install programs (unless the program is designed to be installed without Admin rights). The answer I linked you to earlier is helpful for allowing your standard user to update programs. I can appreciate what you're trying to accomplish here but you're essentially asking for a way to make your friend's son an Administrator without making him an Administrator--an unfortunate contradiction. – I say Reinstate Monica – 2015-02-19T01:33:47.423
I can save you some frustration and assure you that granting him membership in the Power Users group in Windows Vista and later (e.g. Windows 7) will not let him install programs that require administrative permissions. Membership in this group did grant such permission in Windows XP and that leads to a lot of confusion as the Internet is still full of such claims. – I say Reinstate Monica – 2015-02-19T01:43:47.593
Here's a better reference showing that Power Users are powerless in Windows Vista and later. – I say Reinstate Monica – 2015-02-19T01:52:08.950