How would I go about allowing a 'domain user' to install software on their computer. I have active directory and group policy in place. Is there a setting in group policy that would allow this? I don't really want to make the domain users domain admins as well. There is a way to do this by adding the user to their local admins group under computer management. I need this for about 50 users so that gets to be a long process with that many users.
Server: Windows Server 2008 R2
Client Machines: Windows 7
Best Answer
Caveat: You really don't want your users to be "Administrators" on their PCs. You want to find a method to automate the distribution of software (see Mass installation on networked Windows computers? amongst other Server Fault answers) in lieu of allowing users to install the software themselves. (There are a variety of reasons why you don't really want this-- exposing the company to liability for unlicensed software, being able to install malicious software, and just plain screwing-up their computers are a few good ones.)
Having said that, Restricted Groups functionality in Group Policy is what you're looking for. It'll automate the group nesting on an arbitrary number of computers.
Instead of creating a nightmare for yourself later (not to mention a political situation where you can't ever take back the users' "Administrator" rights) I'd recommend you think strongly about learning how to centrally deploy software first.
Edit:
My answer re: managing updates for Adobe Reader is the same answer I'd give to you re: managing updates for the JRE and other "necessary evil" software like it. I'd develop a coordinated process of installing the software with Group Policy and updating it by deploying new packages when patches are released.