Need help on Power users to install software

B

Barry

I have a need to have a power user to install software. I
have not found how to 'un-select' using the Local secutiry
settings/ user rights assignments. Please someone help....
Thanks.
 
S

Steven L Umbach

If a power user can not install the software, then you may have to use an
administrator account unless you are in a domain where .msi software packages can be
assigned or published in Group Policy. There is no magic user right assignment to
allow users to install software. That would take modifications of ntfs permissions
and registry permissions. --- Steve
 
B

Barry

Mr. Umbach
I need to know how to set this up quickly. Do you know
where or who I might find the information on making the
modification of permissions and registry edits? What I
need to set up a user that can install software but can
not delete or create administrator user accounts also be
able to create user accounts. So I figured that a power
user had all of these but the installing software option.
You can call email me. Hope to here back.
Thanks, Barry
 
S

Steven L Umbach

There is no easy answer unfortuneatley. If you can contact the software
publishers for the packages, then maybe they can help. If you want to try to
figure out needed permissions yourself , you could try using a couple of
tools from Sysinternals such as filemon and regmon. This process can be very
tedious. You would have to log onto a computer as a power user and then
invoke filemon [or regmon] with runas using administrator credentials just
before you try to install a program and then view the log for access denied
messages and then keep retrying while documenting the areas where permission
changes are needed and then if you are successful, implement the changes to
see if it works.

Realistically you may find the changes you make are going to make a user
very powerful on the computer to the point where he could run programs or do
things to give himself administrator access. Being a local administrator
does not give a user any extra powers in a domain or on other computers
[assuming passwords are not the same!]. You may be better off making the
user a local administrator and monitoring the computer by enabling auditing
things like account management , policy changes, and logon events to see if
he is abusing his power. There are fairly easy ways for you to reset the
local administrator password if you are concerned about another
administrator locking you out. --- Steve

http://www.sysinternals.com/
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Local Power User on domain 1
How to deprive Power Users of the rights to install any software 3
Remove permissions to install software from Power Users group 5
Program un-unstall software 24
User installing software 3
windows security alert displays every 2 minutes - cannot stop it 2
Logon interactively probmel after domain install 5
Restricted Users Changing Power Scheme 3

Top