Active Directory
Vi, 2016-01-15 12:19:46

How to let a user install programs in Active Directory?

I don't quite understand why this is not possible. How can I promote a user to admin, but so that he cannot do anything on the server?
That is, for programmers who need to be given more freedom on the local computer, how is this done? Please tell me.

5 answer(s)
other_letter, 2016-01-15
@redsabien

Open local users and add the domain account to the local admins there.
That's all.
You can google "add domain user to local admins" and find something with pictures and arrows.

Ivan Bazaichenko, 2016-01-15
@Banzaii

In local security policies, a more flexible setting of user rights is possible. There are also security patterns.
The question is how high the security requirements in the organization are.
That is, giving admin rights on the local machine basically means that the machine is susceptible to virus infection under this user.

MrDywar Pichugin, 2016-01-15
@Dywar

Distribute software through install/remove software. I don't remember exactly, but you can add software for installation there, checked by you. The user will simply go there and install it. There is a free course online from Sergey Shein on administration.
About thoughts:
When the user is Admin on the local machine, he can do whatever he wants. Mimic dump your password if you connected to it. As a user, enable logging of keystrokes in PuntoSwitcher and ask a person with higher rights to do something on their PC. If available, it counts all users of the domain via PowerShell, and slowly starts to brute them.

CityCat4, 2016-01-16
@CityCat4

Make the programmer the administrator of his computer. At the same time, warn him about what that brings with it. If the office is sufficiently bureaucratic, get a service with signatures from the management. If not, still warn him that if he destroys his computer, it will be restored last.

Sergey, 2016-01-20
@goodcat32

To do the required without getting up, you can use the GPO Management Console on the DC. Go to config. Computer-Settings-Local Users and Groups. Add a new group, select Administrators in the list, and select the members of this group from the directory (the desired programmer) in the window below. Then set the account in the Security Filter, writing the desired PC to read this group policy object so that it does not scatter all at once. That's all. After the reboot, the programmer has all the rights to his PC, but you were warned about security: he can steal and kill on his PC.
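
The per-machine grant described in the answers above, together with a check of who ends up in the local Administrators group, as an added PowerShell example that is not part of the original thread. The account `CONTOSO\dev.ivanov` and the approved list are constructed placeholders; run it in an elevated session on the programmer's PC.

```powershell
# Added example: grant one domain account local admin on THIS machine only,
# then report every member of the local Administrators group.
# CONTOSO\dev.ivanov and the $Approved list are constructed placeholders.
param(
    [string]   $Developer = 'CONTOSO\dev.ivanov',
    [string[]] $Approved  = @('CONTOSO\Domain Admins', 'CONTOSO\dev.ivanov'),
    [switch]   $Grant
)

# Well-known SID of BUILTIN\Administrators; the group name is localized
# on non-English Windows, the SID is not.
$AdminsSid = 'S-1-5-32-544'

function Get-LocalAdminReport {
    param([string[]] $Approved)
    Get-LocalGroupMember -SID $AdminsSid | ForEach-Object {
        # The built-in local Administrator account always has RID 500.
        $isBuiltin = $_.SID.Value -match '-500$'
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Class    = $_.ObjectClass       # User or Group
            Source   = $_.PrincipalSource   # Local, ActiveDirectory, ...
            Approved = $isBuiltin -or ($Approved -contains $_.Name)
        }
    }
}

if ($Grant) {
    # Membership here is local to this PC: it gives no rights on servers
    # or on other workstations in the domain.
    $present = Get-LocalGroupMember -SID $AdminsSid |
        Where-Object { $_.Name -eq $Developer }
    if (-not $present) {
        Add-LocalGroupMember -SID $AdminsSid -Member $Developer
    }
}

# Unapproved members sort first so they are easy to spot.
Get-LocalAdminReport -Approved $Approved |
    Sort-Object Approved |
    Format-Table -AutoSize
```

Run without `-Grant`, the script only reports, so it can be used on any PC to see which accounts hold local admin rights there.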
