How to create a user with installation privileges without granting full administrator privileges?

Anonymous
2024-05-16T15:16:59+00:00

Hello everyone! I'm Jhoan, new to this forum and new to the world of systems administration. My company is small, and we're looking for a solution to manage our clients' computers more efficiently.

We have remote access to our clients' PCs and a platform to run PowerShell scripts on them. We need to create a local user on each PC, without administrator privileges, which we'll call a "standard user." This user should be able to install, update, and uninstall software, but only when our designated "approver" (who has access to administrator credentials) authorizes it, by providing either their own credentials or those of a local administrator.

This would allow us to reduce support calls related to software installation. I've tried using local group policies, but haven't found an effective solution.

Does anyone have any suggestions or ideas on how we could achieve this? Any help would be greatly appreciated!


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


5 answers

  1. Anonymous
    2024-05-16T16:07:31+00:00

    Hello Jhoan_Saavedra,

    Thank you for posting in the Microsoft Community forum.

    You can try the group policy in the following link.

    Software installation under user configuration or computer configuration.

    Use Group Policy to remotely install software - Windows Server | Microsoft Learn

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-05-17T08:06:54+00:00

    Daisy Zhou,

    Thank you for your response. I appreciate the suggestion to use group policy, but I'm afraid it doesn't fully address our specific needs.

    The linked documentation focuses on installing software remotely with full administrative privileges, while we are looking for a solution that allows a non-admin user (our designated point of contact) to install software or update drivers with limited privileges. This user should only be able to perform these specific actions, not have full admin access.

    Our current idea involves creating a local user account on each PC, with the password known only to our point of contact. This would allow them to enter their credentials when administrative actions are needed, without granting them unnecessary access to other parts of the system.

    We're hoping to find a way to automate the creation and distribution of this local account to all our clients' PCs, ideally using PowerShell.

    Do you have any suggestions or alternative approaches that might be suitable for our scenario? Any insights or creative ideas would be greatly appreciated!

  3. Anonymous
    2024-05-17T08:41:25+00:00

    Hello

    Good day!

    I think your desire to play is completely correct, but the account you need should be a local administrator account. A non-admin account doesn't have enough permissions to do what you want.

    You can create a custom account and add it to the Local Administrators group on all the domain machines.

    Here are the steps to test and you can try in your test environment.

    Create a new user on the client with the domain in batches (in my example, the user account and password are the same, you can customize the account and corresponding password).

    1. Create a new text file (.txt) on the domain controller and put the following content into the text file.

    net user daisy123 daisy123 /add

    2. Change the .txt in step 1 to .bat file.
    3. Create a new Group Policy Object (you can name the Group Policy Object as "New Local User").
    4. Find the GUID folder for that Group Policy and put the .bat file from step 2 to the following path.

    C:\Windows\SYSVOL\domain\Policies\{2DE73B27-2E20-43E2-A4BA-CA07442B7AF7}\Machine\Scripts\Startup

    5. Edit the Group Policy Object.

    6. Restart the client (be sure to restart the client), log in after booting, and you can see the newly created user account.

    Add the same local user account on the client with the domain to the built-in local administrator group on the corresponding client in batches:

    1. Or create a new Group Policy Object (you can name the user to join the Administrators group).
    2. Follow the screenshot below to edit this Group Policy Object.

    3. Update the client group policy, and you can see that the local account has been added to the local administrator group on the client.

    If you have any questions, please feel free to consult us.

    Best Regards,
    Daisy Zhou
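
    An added example, not part of the answer above and not Microsoft's code: the same two steps (create the local account, add it to the local Administrators group) as a PowerShell script that can be re-run safely and takes the password at run time instead of storing it in a .bat file under SYSVOL, which every domain account can read. The function name `Initialize-ApproverAccount` and the account name `approver` are hypothetical, and it assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets and an elevated session.

    ```powershell
    #Requires -RunAsAdministrator
    # Added example. Initialize-ApproverAccount is a hypothetical helper name.
    function Initialize-ApproverAccount {
        [CmdletBinding()]
        param(
            [Parameter(Mandatory)][string]$Name,
            # Supplied at run time, never written into the script file.
            [Parameter(Mandatory)][securestring]$Password
        )

        $created = $false
        $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
        if (-not $user) {
            $user = New-LocalUser -Name $Name -Password $Password `
                -Description 'Software installation approver' -ErrorAction Stop
            $created = $true
        }
        else {
            # Re-run on a machine that already has the account: rotate the password.
            Set-LocalUser -Name $Name -Password $Password -ErrorAction Stop
        }

        # Built-in Administrators, addressed by its well-known SID so the script
        # also works where the group name is localized.
        $adminSid = 'S-1-5-32-544'
        $isMember = (Get-LocalGroupMember -SID $adminSid).SID.Value -contains $user.SID.Value
        if (-not $isMember) {
            Add-LocalGroupMember -SID $adminSid -Member $user -ErrorAction Stop
        }

        # Report what changed so the run can be audited per machine.
        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            Account               = $user.Name
            Created               = $created
            AddedToAdministrators = -not $isMember
        }
    }

    # Constructed usage: the account name is a sample value.
    $pw = Read-Host -AsSecureString -Prompt 'Password for the approver account'
    Initialize-ApproverAccount -Name 'approver' -Password $pw
    ```

    The returned object records whether the account was created and whether the group membership was added on that run, which gives a per-machine audit trail when the script is pushed to many clients.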

  4. Anonymous
    2024-05-17T09:17:11+00:00

    Thank you very much, Daisy.

    Your approach to distributing local users to our clients' PCs is great.

    However, since this user is an administrator and we will give this account to a trusted person (but outside of our organization), would it be possible to make this local administrative account, which we will call "referral" for convenience, only able to install programs and update drivers? For example, those for printers, but not be able to make any other changes to the system from there.

    I know it sounds strange, but since it is only possible to install programs using administrator privileges, what I am now thinking of is creating a limited administrator account, which is limited only to the installation of programs. Could this be possible with the approach you proposed?

    I look forward to your response :)

  5. Anonymous
    2024-05-20T07:38:31+00:00

    Hello Jhoan_Saavedra,

    Good day!

    Many programs require administrator privileges to install and uninstall. But there are a lot of admin permissions (we call it "full control"). If you just want this admin account to have only the permissions to install programs and update drivers, then you need to find all the actions/permissions/settings that the admin can do, and then see if you can reject the account, which I think is very difficult to do.

    Best Regards,
    Daisy Zhou
