Allowing users in a Windows domain to install on only one specific computer

[yukichigai]

The title pretty much says it all, but to recap:

I need to give one specific user in a domain rights to install programs on one specific machine, and only that machine. (Running XP, domain controller is running 2k Server) How do I do it?

 

[spyordie007]

you could just give that user admin privilages over that machine

 

[yukichigai]

Originally posted by: spyordie007
you could just give that user admin privilages over that machine

What if I don't want to give that user other admin rights, like the ability to reset other local user passwords, or modify the local computer security policy?

 

[Winchester]

You could do a shift+right click and do a Run As and run it as an admin then you dont have to give any permissions.

 

[yukichigai]

Originally posted by: Winchester
You could do a shift+right click and do a Run As and run it as an admin then you dont have to give any permissions.

No no no, I want to allow the user to install whatever they want on their machine, without me having to be there. But only on their machine.

 

[Winchester]

Local Admin then

 

[nweaver]

would have to create a new user group on the local computer, with the settings you want, call it install_user. Add the domain user to that group. If you are locking users down to specific computers (i.e. don't want user A to install any software on user B's computer) you will have to add the group to each computer and the specific user to the group. If this is a "I want Users to have install rights on workstations" then make a group on the domain for users and the workstations and apply policies.

 

[yukichigai]

K, final question: where is the setting that determines whether or not a user can install software. Oddly enough it isn't located in the Local Security Policy setting, somehow.

 

[stash]

That's because it doesn't exist. Not sure what nweaver was getting at, but there's no magic user right in the local security policy to install software. Certain file locations and registry locations are ACL'ed to certain groups, which gives them the right to install software. Those groups are Administrators and Power Users.

If you don't want to make a user a local administrator (which you should only do as a last resort), you can use filemon and regmon to see exactly which file and registry locations the software in question needs rights to. You can then give the user the appropriate permissions to just those locations, while still keeping the account as a normal user.

 

[stash]

Really, you need to take a step back and take a look at what you are trying to do. Why do you trust this user to install whatever software he pleases on his workstation, but not to modify the local policy and reset local passwords? All three of those tasks (installing software, modifying security and resetting passwords) can have an effect on any user of that system, so they should require the same level of trust.

If you don't trust this user to do one of two of those things, why trust (and allow) him to do any of them? How often is he going to need to install things? Why not ask him for a list of applications that he wants installed, and then you make a one-time trip to his machine to do it?