Grant Software Install to Help Desk group

Archived from groups: microsoft.public.win2000.setup_deployment (More info?)

I want to be able to grant a group of users let's say 3 people the ability to install or update software on all computer workstations on the windows server 2003 active directory domain, without making these users members of the domain admins group. I am an administrator that needs to give our help desk and 2 programmers the right to local administration or ability to install software on all client workstations, but without the domain admins at the domain level. How do I do this, does anyone know the process? Thanks.
3 answers Last reply
More about grant software install desk group
  1. Archived from groups: microsoft.public.win2000.setup_deployment (More info?)

    Create a group, call it IT Helpdesk. Add your members to this group. Then
    add IT Helpdesk group to the Administrators group on each computer (you can
    do this part through Group Policy - Restricted Groups).

    "Erasmo" <emedina@cyberdude.com> wrote in message
    news:E5561D4F-9F7A-4B00-86F5-41779207773D@microsoft.com...
    > I want to be able to grant a group of users let's say 3 people the ability
    to install or update software on all computer workstations on the windows
    server 2003 active directory domain, without making these users members of
    the domain admins group. I am an administrator that needs to give our help
    desk and 2 programmers the right to local administration or ability to
    install software on all client workstations, but without the domain admins
    at the domain level. How do I do this, does anyone know the process? Thanks.
  2. Archived from groups: microsoft.public.win2000.setup_deployment (More info?)

    OK. How, do I just create a GPO and where in there I assign this setting? Thank you
  3. Archived from groups: microsoft.public.win2000.setup_deployment (More info?)

    Beware of restricted groups. It will replace rather than add to the
    membership of the local administrators group.

    Here's the way I do it.

    First, I create a group, called "Workstation Admins" on the domain. I place
    all the
    workstations I want managed this way into their own OU. Then, I apply a GPO
    to that OU containing a computer startup script that runs the following
    line:

    net localgroup administrators "mydomain\Workstation Admins" /add

    Enter the "net" as the command and the rest as the parameter.

    When these machines next boot, they will have the Workstation Admins group
    in their local administrators group. Just place your administrative
    accounts in this group and you're sorted.

    The first thing to be wary of is that if a machine is removed from the OU,
    nothing changes. Members of Workstation Admins will still be administrators
    of the box.

    The second is something that may not be obvious. You want to prevent these
    people being domain admins. If they're smart, they will be domain admins
    quite soon anyway. If you or other domain admins ever log into PCs that
    untrusted people are local administrators or power users of, then you need
    to be careful. This is common sense, but something that so many people
    overlook.

    Hope this helps

    Oli


    "Erasmo" <anonymous@discussions.microsoft.com> wrote in message
    news:A0919886-72E0-4741-A8C1-F6CA26C23D7E@microsoft.com...
    > OK. How, do I just create a GPO and where in there I assign this setting?
    > Thank you
Ask a new question

Read More

Domain Help Desk Software Windows