Faced with a situation.need help!!

You want an employee(field technician) to be able to add or remove applications or programs from all domain computers as neccessary. Which group should you make him apart of without giving out too many rights...

He is not be a admin on the domain. How can i make this happen...or deploy a group policy or what??

Trying some stuff but it wont work.

Thanks.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

ilcram19

somewhere in the domain security policies

sprkymrk

Use restricted groups and make his account a member of the local admins on the workstations.

theseman

I would use restricted groups. Create a OU and group policy that encompasses all neccessary client PC's (could also do this at domain level). Using this method he could be added to the local administrator group for those client machines.

Travis

EDIT: Note to self, use preview button, as I am too slow

kenny504

well tried that it still will give out too much rights...any other way??
He can uninstall programs but now he can add connections local users configure settings...way too much

sprkymrk

If it's only MSI's then you can have MSI installs with elevated priveledges, but that applies to everyone not just him.

You generally have to be an admin to install programs. If you don't trust this guy find someone else to do it or automate the installs remotely. Not much other choice as far as I can see.

ilcram19

u can try delagation and add the task that u want him to do

theseman

Delegations are more related to AD tasks (i.e. Resetting passwords, modifying group memberships).

I have to say local admin is the way to go. Like Mark said above, if he is that untrustworthy find someone else. Local admins have full permissions to that machine, but not domain services like DNS, AD, etc.

Travis