
How can I assign Individual Users the Ability to Add/Remove Programs?

Discussion in 'Windows Server System' started by justcrash, 2010/07/08.

  1. 2010/07/08
    justcrash

    justcrash Inactive Thread Starter

    Joined:
    2009/08/07
    Messages:
    10
    Likes Received:
    0
    Hello all! I need a way to assign about 5 different users the ability to do basic local computer rights (add remove programs, disable/enable services) on every computer in the domain (sans servers) in active directory. PDC/Schema Master is server 2003.

    In every building we have a building tech that handles basic computer issues to save us a trip. They currently do this by logging on with the administrator user name and the administrator password, which gives them access to all the servers/DCs, etc. I want to get away from that and still have them be able to do what I need them to do.

    I created a security group called Building Tech and made them all a member of it. I need to keep them in their current OU, as they need to map their teacher drives (one of them has to access the year book drive and newspaper drive as well and another has to map various PC drives as he teaches comp science).

    Any help would be greatly appreciated.
     
  2. 2010/07/09
    MichaelF

    MichaelF Inactive

    Joined:
    2009/07/01
    Messages:
    49
    Likes Received:
    0
    Doesn't the built-in Power Users group meet your needs?

    If so, you can make use of the Restricted Groups feature in Win2000/3 AD to make all of your 5 users members of each domain computer's Power Users group.
     

  4. 2010/07/09
    justcrash

    I was thinking the local machine administrator group, but power users may work.

    I've never used the restricted groups before, how do I do this? It won't overwrite the teachers who are already administrators on their OWN machines, will it?

    I appreciate your response, btw! :)
     
  5. 2010/07/09
    MichaelF

    "It won't overwrite the teachers who are already administrators on their OWN machines, will it?" - no, it won't.

    The goal of Restricted Groups is to "say" to the operating system that some accounts should (or should not) belong to some group. So, for instance, if I make a GPO in Active Directory with Restricted Groups configured as "Power Users contain User1, User2 and User3" then every computer that has had this GPO applied will have these aforementioned users added to its built-in Power Users group.

    Any other groups will stay untouched (the local Administrators group, for example).

    You can have a look at this step-by-step guide here:
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    Should you have any questions please feel free to post them here.
    Michael
     
  6. 2010/07/09
    justcrash

    Thank you sir, I will have a look and let you know! :)
     
  7. 2010/07/09
    justcrash

    Ok, I gave it a shot, nothing seems to be changing. I used the security group I created and added members to, as well as the individuals themselves. It never had a place for me to enter "power user" or local admin in the instructions, so I am not sure where it would pull those privileges from?
     
  8. 2010/07/10
    MichaelF

    Seems I had that problem too when I was using RG for the first time... You should just TYPE the name of the group (or the group member), not browse for it!

    Step by step:

    The goal: make User1-User3 members of local built-in Power Users group on every PC.

    1) Create global group, for example, TechStaff, and make User1, User2, User3 members of it.
    2) Create GPO, for example, TechGPO, and open its Restricted Groups section.

    3) "Once at the Restricted Groups node, you will right-click on it and select Add Group. Enter the Group name, or browse for it in the Active Directory database. After you create the group, it will show up in the right hand pane under the Group Name column."
    - so, add here the TechStaff group (or "create" it here).

    4) Double-click the TechStaff group name
    5) At the "This group is a member of" section click ADD
    6) TYPE [Power Users] (without brackets) here
    7) Click OK.
    8) Apply this GPO (TechGPO) to the computer accounts you need (for example, add all relevant computer accounts to some OU and apply TechGPO to this OU).

    Please let me know how the things will go :)
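
The two Restricted Groups modes discussed in this thread end up in the GPO's security template (GptTmpl.inf) under `[Group Membership]`, and the sketch below audits that section. It is an added example, not part of any forum post; the template text is constructed, and `TechStaff` is the example group name from the steps above. "This group is a member of" (`__Memberof`) only adds the group to the target, while "Members of this group" (`__Members`) replaces the target group's existing membership.

```python
# Well-known local group SIDs as they appear in security templates.
WELL_KNOWN = {"*S-1-5-32-544": "Administrators", "*S-1-5-32-547": "Power Users"}

# Constructed sample: first pair is the additive setup from the steps above,
# second pair is the "Members" form that would overwrite local Administrators.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
TechStaff__Memberof = *S-1-5-32-547
TechStaff__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = TechStaff
"""

def parse_group_membership(inf_text):
    """Return {group: {"memberof": [...], "members": [...]}} for [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        kind = kind.lower()
        if not sep or kind not in ("memberof", "members"):
            continue
        entry = groups.setdefault(name, {"memberof": [], "members": []})
        entry[kind] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def classify(groups):
    """List (mode, group, detail); only explicit, non-empty lists are reported."""
    findings = []
    for name, entry in groups.items():
        label = WELL_KNOWN.get(name, name)
        for target in entry["memberof"]:
            findings.append(("additive", label, WELL_KNOWN.get(target, target)))
        if entry["members"]:
            findings.append(("replaces", label, ", ".join(entry["members"])))
    return findings

if __name__ == "__main__":
    for mode, group, detail in classify(parse_group_membership(SAMPLE_INF)):
        print(f"{mode:9} {group} -> {detail}")
```

A "replaces" finding on Administrators is the case that would remove teachers who are local administrators on their own machines; the "additive" form leaves existing members alone.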
     
  9. 2010/07/14
    justcrash

    Admin: Please don't quote the previous message when there's no use for it.

    Sadly, this did not work. Any ideas what I could have done wrong? :(
     
  10. 2010/07/14
    MichaelF

    I have just followed my step-by-step to make sure it works - everything works fine in my local net, so here are the questions:

    1) if you applied RG by means of GPO, has GPO been applied successfully (you can type "gpresult" in cmd-prompt and see whether this gpo is in the list of applied GPOs)?

    If it has been applied,

    2) what exactly "did not work"? Are your "Power Users" groups empty notwithstanding the GPO's application?
     
  11. 2010/07/14
    justcrash

    1) Yeah the GPO is hitting (one of the first things I did was the GPresult and I also, for S & Gs did a group policy modeling wizard). I enforced the GPO also.

    2) When I sign on as a member of the "Building Tech" group, I have no authority to add/remove programs, stop services, etc. If I sign on as the domain administrator, I do not see "Building techs" in users>advanced.

    I didn't set up this environment here, but there are some wonky things I see around here. :(
     
