1

On my Active Directory network, I want to satisfy my boss by giving him semi-administrative permissions that will allow him to install programs as administrator in emergency situations on all computers, but not sacrifice the integrity of the network. Is there any type of Admin Group setting or Group that I could create that would allow him basic user permissions + the ability to install programs/drivers as administrator? I don't want to give him Domain Admin or anything crazy, just bypass UAC.

I was going to give him permission to bypass UAC via GPO, but would I need to make an entire GPO just for him? Is that too much?

TheFrack
  • You can allow normal users to install drivers, and put the drivers in a share where every PC can retrieve them. See http://technet.microsoft.com/en-us/library/cc725772.aspx or see Computer Configuration, Administrative Templates, System, Driver Installation in GPO. – Patrick Seymour May 08 '14 at 20:20

1 Answer

3

IMO, if you're letting him install stuff (and you don't trust him), then you've already compromised the network's integrity. :)

Having said that, here's a suggestion:

Use the GP Restricted Groups settings to add his domain account to the "Power Users" group on the workstations.

Caveat: This may not let him install drivers though, as they are system-level, and require Administrator permissions.

Power Users can install software but are not full admins. For more info on the differences, see this SU question: Difference between Power user and Administrator

Tutorial links:

Ƭᴇcʜιᴇ007
  • @guntbert "Power Users" still exists. See [Default local groups](http://technet.microsoft.com/en-us/library/cc771990.aspx) for a list. – Ƭᴇcʜιᴇ007 May 08 '14 at 20:13
  • Indeed, I stand corrected :-) – guntbert May 08 '14 at 20:15
  • Sorry I'm really new to this AD stuff, poorly self-taught. Is it this folder in the GPO: http://i.imgur.com/WktqcoT.png ? By the way... that group that's in my folder, is that normal? Looks weird. And yes, I don't trust my boss because his password is too weak and he doesn't know about computers. I have no say over it if he wants to install stuff. – TheFrack May 09 '14 at 12:08
  • Yeah, that's the one. And that weird entry looks to be an entry in GP that refers to a group that no longer exists (so you're seeing the SID instead of a name), I'd say you're safe to delete that entry. Also, I'll update my answer with a couple tutorial links on how to actually implement my answer. :) – Ƭᴇcʜιᴇ007 May 09 '14 at 12:47
  • Thanks, I just did like the tutorial said and added one user to it. Will this significantly slow down my network login if it's on the default GPO? I had to make it domain-wide. – TheFrack May 09 '14 at 13:39
  • You shouldn't be editing your Default Policy. Instead, make a new policy that's ONLY for this (and related items), and link it as required to the OUs containing the computers you want this to apply to. If you only edit the Computer configuration part, disable the User configuration part to help reduce processing times. Really though, you'd need 100s of policies in place before they'd be a concern of slow down (slow logins caused by GPOs are way more about what they're doing, than how many there are). – Ƭᴇcʜιᴇ007 May 09 '14 at 13:55
  • I actually need this to apply to all computers in my network, so I figured I'd do it on the default. Well I guess not the domain controller, but it probably doesn't really matter. Anyway, thanks. – TheFrack May 09 '14 at 17:05
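
The setup recommended in the comments above (a dedicated GPO, User configuration disabled, linked to the OU that holds the workstations instead of editing the default policy), as an added PowerShell example that is not part of the original thread. The GPO name and OU path are placeholders; the Restricted Groups entry itself is still configured in the Group Policy editor as the answer describes.

```powershell
# Added example. $GpoName and $TargetOu are hypothetical placeholders.
# Part 1 runs on a management host with the GroupPolicy module (RSAT).
Import-Module GroupPolicy

$GpoName  = 'Workstations - Local Group Membership'   # placeholder name
$TargetOu = 'OU=Workstations,DC=example,DC=com'        # placeholder OU

# Create a dedicated GPO, or reuse it if the script has been run before.
try {
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
} catch {
    $gpo = New-GPO -Name $GpoName -Comment 'Restricted Groups only; no user settings'
}

# Only Computer Configuration is used, so skip processing of the user half.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link to the workstation OU. Linking here, not at the domain root,
# keeps the setting off the domain controllers.
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existing) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what is now linked at that OU, in processing order.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# Part 2 runs on a workstation in that OU, from an elevated prompt,
# after the Restricted Groups entry has been added in the GPO editor.
gpupdate /target:computer /force
gpresult /r /scope computer      # the new GPO should be listed as applied

# S-1-5-32-547 is the well-known SID of the local "Power Users" group.
# The output should contain only the account(s) named in Restricted Groups.
Get-LocalGroupMember -SID 'S-1-5-32-547' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Running the membership check on a schedule also shows when an account outside the policy has been added locally between Group Policy refreshes.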