Allow Domain Users to install software on their computers

active-directory domain

How would I go about allowing a 'domain user' to install software on their computer. I have active directory and group policy in place. Is there a setting in group policy that would allow this? I don't really want to make the domain users domain admins as well. There is a way to do this by adding the user to their local admins group under computer management. I need this for about 50 users so that gets to be a long process with that many users.

Server: Windows Server 2008 R2 Client Machines: Windows 7


Solution 1:

Caveat: You really don't want your users to be "Administrators" on their PCs. You want to find a method to automate the distribution of software (see Mass installation on networked Windows computers? amongst other Server Fault answers) in lieu of allowing users to install the software themselves. (There are a variety of reasons why you don't really want this-- exposing the company to liability for unlicensed software, being able to install malicious software, and just plain screwing-up their computers are a few good ones.)

Having said that, Restricted Groups functionality in Group Policy is what you're looking for. It'll automate the group nesting on an arbitrary number of computers.

Instead of creating a nightmare for yourself later (not to mention a political situation where you can't ever take back the users' "Administrator" rights) I'd recommend you think strongly about learning how to centrally deploy software first.

Edit:

My answer re: managing updates for Adobe Reader is the same answer I'd give to you re: managing updates for the JRE and other "necessary evil" software like it. I'd develop a coordinated process of installing the software with Group Policy and updating it by deploying new packages when patches are released.

Solution 2:

Best practice is to only allow them to install permitted applications. If you let them install any application, they could install lots of things you don't want them to (like viruses, limewire, keystroke loggers, etc.)

To permit them to install allowed applications, create a software installation in Group Policy. Set the installation type as published.

Here's a decent enough article describing the process:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

Related

RAID 5 with big SATA disks. Do or don't?
Transfer large amount of small files
Is it safe to delete "Account Unknown" entries from Windows ACLs in a domain environment?
Age replacement policy for hard disks and SSDs at servers
Just installed LSI 9211; no drives showing up to Linux
Why is NTP considering my server inadequate?
Open 443 on Google Compute Instance?
Why can't I browse my D: drive, even if I'm in the Administrators group?
Redirect specific e-mail address sent to a user, to another user
ZFS on Linux/Ubuntu: Help importing a zpool after Ubuntu upgrade from 13.04 to 13.10, device IDs have changed
random CONNECTION_RESET on apache2.4 debian 9
In Linux/Debian, did the passwords (/etc/passwd) ever been stored as plain text?