I have a specific OU with several machines in it.
I just created a domain-user who is meant to have normal standard-rights like an absolutely normal local-user on all the machines – the only thing he needs to be able to do, is installing any kind of software he wants, but without being either a domain or a local Administrator at the same time.
I thought maybe I could realize this, using a GPO for that user but I haven't come very far yet.
Is there a way to give the newly created user the permission of installing things on machines being located in that specific OU, without giving him all the other administrator-rights?
Best Answer
No, the problem you have is that to install a program the installer usually needs to write to C:\Program Files, C:\Program Files (x86), and C:\Windows. All of those directories are protected by the Operating System and can only be written to by an administrator. Additionally, if you make a change for all users on the computer (e.g. installing a program) usually the installer will write to HKEY_LOCAL_MACHINE in the registry. The HKEY_LOCAL_MACHINE registry hive is also protected by the Operating System and requires administrative access to write to.
Your other option is to push the software through Group Policy. That would allow to you to install the software on computers in the OU without users having administrative access. To do you will need MSI installation packages for each program you want to install.