A
Allan Wolfram
How can i enable the users of my domain to install software? My domain is
windows 2003
Allan
windows 2003
Allan
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
L
Lanwench [MVP - Exchange]
Well, you could add the domain users group to the local administrators group
K
Keith Jakobs, MCP
Hi Allan,
We add each user exclusively and specifically to the Local Administrators
group of each machine. But this way not all users have full control over
everyone else's workstation. We use Group policies to lock down network
access, but at the PC level, if they break it, they get a new one with
standard software imaged on to it.
If they loose data because it was stored locally and not on the network then
too bad... they were told where to keep it and that is policy. Then we dont
have to worry about the local stations. If we cant fix it quick, we give em
a new box, and wipe out the old one.
If you want to give users that kind of control, that is the best we have
come up with.
Good Luck
We add each user exclusively and specifically to the Local Administrators
group of each machine. But this way not all users have full control over
everyone else's workstation. We use Group policies to lock down network
access, but at the PC level, if they break it, they get a new one with
standard software imaged on to it.
If they loose data because it was stored locally and not on the network then
too bad... they were told where to keep it and that is policy. Then we dont
have to worry about the local stations. If we cant fix it quick, we give em
a new box, and wipe out the old one.
If you want to give users that kind of control, that is the best we have
come up with.
Good Luck
F
Fao, Sean
Hi Allan,
We add each user exclusively and specifically to the Local Administrators
group of each machine. But this way not all users have full control over
everyone else's workstation. We use Group policies to lock down network
access, but at the PC level, if they break it, they get a new one with
standard software imaged on to it.
If they loose data because it was stored locally and not on the network then
too bad... they were told where to keep it and that is policy. Then we dont
have to worry about the local stations. If we cant fix it quick, we give em
a new box, and wipe out the old one.
If you want to give users that kind of control, that is the best we have
come up with.
This type of configuration is poor at best and I highly recommend
against it for nearly all configurations. Windows 2000 and XP were
designed to give the administrator more control over what previous
versions of Windows had provided (Windows NT provided enhanced security
over the 3.1/9x versions of Windows but 2000 really made things nice).
When configured in this way, the enhanced security is irrelevant because
anybody can do as he/she wishes. Sure, users only have administrative
rights on his/her machine; but, down time is wasted money; no matter how
you look at it. Also, depending on what type of system breach has
occurred it is possible that a remote user that is not part of your
business will be able to gain enough information on the network topology
to gain Domain Admin privileges and bring down the *entire* network.
Local Admin is merely a band-aide for a lazy administrator in nearly all
circumstances.
Also, in regard to saving items locally, IMNSHO, a network administrator
should be relieved of their duties if they recommend saving *anything*
work related to the work stations. There is no way for an administrator
to know what is on each of the work stations and it would be extremely
expensive to equip each of them with the proper agents to allow for
remote backups. I have run across many situations where months of work
has been lost because proper guidelines were either not in place or end
users refused to listen. I have also run across situations where an
employee has deleted all of their files just prior to leaving a company.
Had the administrator not had a backup, years of research would have
been lost. Situations like this are _not_ uncommon and administrators
should be doing their best to alleviate as much as possible; not
encourage it by being lazy.
Sean
L
Lanwench [MVP - Exchange]
Curt said:Sean,
if you do not like the local admin solution, how would you recommend
allowing a user to install software on there local machine?
I'm not Sean, but I'll answer anyway - I wouldn't allow it.
when I go in as the Administrator and install some software for the
user, then the user logs in and A) the software is not there, only
installed for the current user when installed. B) software still
does not run correctly.
The software should be tested upon install to make sure it will run for
domain users. This isn't usually a big deal to test. How much software are
you finding you have problems with? Test once after installing as an admin,
then try running it while logged in as a user. Done!
G
georgewood
Add them to security group
the current user when installed. B) software still does not run correctly.
allowing a user to install software on there local machine?Curt Winter said:Sean,
if you do not like the local admin solution, how would you recommend
then the user logs in and A) the software is not there, only installed forwhen I go in as the Administrator and install some software for the user,
the current user when installed. B) software still does not run correctly.
software locally on there workstation?Hence my need to allow a user to install software on there local machine.
Is there a policy setting in the AD someplace to allow users to install