How to permit Temporary local administrator access to users
dmw
Member Posts: 81 ■■□□□□□□□□
How can you set up a group, say "templocaladmin", that grants a user admin access to the computer they are logging into while logging into the domain, not logging in locally on the computer?
So I have a user who has no right to install programs. I need to install a program with them logged into the domain, so I add them to the group templocaladmin, have them log off and log on and install, then remove them and have them log off and on again.
I just can't seem to figure out what group(s) to add to templocaladmin to give the necessary rights.
This is probably painfully obvious to some but I have been studying way too much this week and I think I have reached the point of diminishing returns.
Rebooting computers since 1999
Comments

RTmarc Member Posts: 1,082 ■■■□□□□□□□
If I am understanding you correctly, you want to give them the ability to install applications? If so, just grant them the ability to do so via Group Policy and then apply that policy to either an existing OU or one that you create just for this task.

royal Member Posts: 3,352 ■■■■□□□□□□
1. Add their domain username to the local administrator group (power users group might be able to install the software depending on the modifications it makes to the OS)
2. Allow them to install programs via group policy
3. Group policy installation (either by using MSI package or using ZAP if you only have setup.exe)
4. runas command (go to a command prompt and do runas /?) or shift + right click the setup utility and runas and enter credentials. Note: You can either go to their workstation and run this command so you don't have to log off, or you can just create a .bat file, send it to them to run or use it as a logon script for them.
“For success, attitude is equally as important as ability.” - Harry F. Banks

dmw Member Posts: 81 ■■□□□□□□□□
Thanks.
I am aware of Runas but Runas doesn't always work depending on how the installer is set up, and what other group policies are locked down on the machine.
Hadn't thought about the group policy. So I have this straight. Create an OU, edit the GP linked to that OU to allow installs, when I want to permit a user to do an install add them to the OU, when finished remove them.
Thanks for these answers icroyal and RTmarc
Rebooting computers since 1999

blargoe Member Posts: 4,174 ■■■■■■■■■□
I would do either via Group Policy (if it's an msi package) or via a computer startup script if it's trivial to throw together a batch or vb script that could install it silently. Neither of these options would require admin access since they would run under the system account context.
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...

jpeezy55 Member Posts: 255
Are you going to also set a limit on when that account is accessible? Otherwise, what is to stop that user from logging in with that account whenever they want to install software and then log back off and continue what they were doing? Just a thought...
Tech Support: "Ok, so your monitor is not working, the screen is blank, and no matter what you do it stays blank? Do you see that button on the bottom right hand side just below the screen? Press it. . . . Great, talk to you next time!"

RTmarc Member Posts: 1,082 ■■■□□□□□□□
dmw wrote:
Thanks.
I am aware of Runas but Runas doesn't always work depending on how the installer is set up, and what other group policies are locked down on the machine.
Hadn't thought about the group policy. So I have this straight. Create an OU, edit the GP linked to that OU to allow installs, when I want to permit a user to do an install add them to the OU, when finished remove them.
Thanks for these answers icroyal and RTmarc

royal wrote:
3. Group policy installation (either by using MSI package or using ZAP if you only have setup.exe)

This would be the method of "least administrative overhead" that Microsoft harps on. Instead of you constantly having to move users back and forth between OUs, push the app via GP. If you want them to always have the ability to install apps, give them the ability to do so via GP and assign it to their OU.

royal Member Posts: 3,352 ■■■■□□□□□□
Like RTmarc said, since you really don't want them installing applications all the time, there are 2 things you can do. As I said before, if the application has an MSI install package, you can deploy MSI packages via group policy installation. If it's an exe install file, you can create a ZAP text file that contains information about the setup.exe program. You can read up more about group policy and zap files via Google.
“For success, attitude is equally as important as ability.” - Harry F. Banks
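
Added example, not posted by anyone in this thread: one way to make the "add to local administrators, then remove" approach expire on its own, which is the concern raised above about limiting when the access is available. It uses the built-in LocalAccounts and ScheduledTasks cmdlets; the account CONTOSO\jdoe, the 60-minute window and the task name are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: time-boxed membership in the local Administrators group.
# 'CONTOSO\jdoe' and the 60-minute default are constructed placeholders.
param(
    [string]$Account = 'CONTOSO\jdoe',
    [int]$Minutes    = 60
)
$ErrorActionPreference = 'Stop'

# The account name is embedded in a command that later runs as SYSTEM,
# so accept only a plain DOMAIN\user form.
if ($Account -notmatch '^[\w.-]+\\[\w.$-]+$') {
    throw "Unexpected account format: $Account"
}

# Resolve Administrators by well-known SID so localized group names work.
$adminSid = 'S-1-5-32-544'
$group    = Get-LocalGroup -SID $adminSid

# Do not touch (and later revoke) a membership that was already there.
if (Get-LocalGroupMember -Group $group -Member $Account -ErrorAction SilentlyContinue) {
    Write-Warning "$Account is already a member of $($group.Name); nothing changed."
    return
}

# Schedule the removal BEFORE granting access, so a scheduling failure
# can never leave a permanent grant behind.
$expires  = (Get-Date).AddMinutes($Minutes)
$taskName = 'Revoke-TempAdmin-' + ($Account -replace '[\\/:]', '_')
$revoke   = "Remove-LocalGroupMember -SID '$adminSid' -Member '$Account'"

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -Command `"$revoke`""
$trigger   = New-ScheduledTaskTrigger -Once -At $expires
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
# StartWhenAvailable runs the removal at next boot if the PC was off at expiry.
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings | Out-Null

Add-LocalGroupMember -Group $group -Member $Account
Write-Output "$Account added to $($group.Name); removal scheduled for $expires."
```

Group membership is read at logon, so the user has to log off and on to pick up the rights, and a session that is already open keeps its administrator token after the removal until the user logs off.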