How to set user permission group on Active Directory

Kittiwat Sur 1 Reputation point
2021-02-09T03:52:18.597+00:00

can I create group for user

  1. user can install program only
  2. user can join domain and install program only

** Not use Domain admin **


1 answer

  1. Daisy Zhou 19,276 Reputation points Microsoft Vendor
    2021-02-09T07:48:26.807+00:00

    Hello @Kittiwat Sur ,

    Thank you for posting here.

    As I understand, you want to make a user group able to install programs on domain-joined machines; if I misunderstood anything, please correct me.

    Here are the answers for your references.

    1. User can install program only.

    Based on my understanding and experience, almost all or most programs require local administrator rights to be installed on the machines.

    So we can create one or more users and add this user or those users into one AD group, then add this user group to the local Administrators group on the machines via GPO.

    Via Local Users and Groups GPO:

    1. Create an OU and put all the domain machines into this OU.
    2. Create a GPO and link this GPO to the OU above.
    3. Edit the GPO and navigate to Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups, right-click Local Users and Groups\New\Local Group.
    [screenshot: 65675-loc1.png]

    In my case, daisy123 is the domain user group; I add daisy123 into local Administrators on all the domain-joined machines.
    [screenshot: 65676-loc2.png]

    On the client, update the GPO by running gpupdate /force. We can see the domain group is added to local Administrators on the domain client.
    [screenshot: 65610-loc3.png]

    Or via Restricted Groups GPO:

    1. Create an OU and put all the domain machines into this OU.
    2. Create a GPO and link this GPO to the OU above.
    3. Edit the GPO and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, right-click Restricted Groups\Add Group and select the user group (in my case, it is B\test3).
    [screenshot: 65733-loc5.png]

    On the client, update the GPO by running gpupdate /force. We can see the domain group is added to local Administrators on the domain client.

    References
    Active Directory Group Policy Restricted Groups
    https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx

    Using Group Policy Preferences to Manage the Local Administrator Group
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223

    2. User can join domain and install programs only.

    By default, any authenticated user (Authenticated Users) has this right “Add workstations to domain” and can create up to 10 computer accounts in the domain.

    However, members of Administrators or Domain Admins have no restriction regarding the "10 computer accounts".

    Edit the Default Domain Controllers Policy and we can see it as below.
    If you do not want all Authenticated Users to have this right, you can remove "Authenticated Users" and add the domain user group by editing the "Default Domain Controllers Policy".

    After changing the setting, we can update the GPO by running gpupdate /force on the DC.
    [screenshot: 65683-loc6.png]

    If you want to change the number 10, we can edit the property "ms-DS-MachineAccountQuota" in ADSI as below.
    [screenshot: 65710-loc7.png]

    Add workstations to domain
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

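The answer above covers two settings that are worth auditing after they are applied: which domain groups Group Policy has placed into the local Administrators group (membership there grants far more than the ability to install programs), and the value of ms-DS-MachineAccountQuota, which decides how many computer accounts any authenticated user can still create. The following PowerShell script is an added example, not code from the answer or from Microsoft; it assumes it runs on a domain-joined Windows 10 / Server 2016 or newer host (for Get-LocalGroupMember), that the RSAT ActiveDirectory module is installed for the quota functions, and that the account used may read (and, for the Set- function, write) the domain object. All function names are hypothetical.

```powershell
# Added example (not from the Q&A answer): audit the two settings the answer touches.
# Assumptions: Get-LocalAdminDomainMembers runs on a domain-joined Windows 10 / Server 2016+ host
# (Get-LocalGroupMember ships there); the quota functions need the RSAT ActiveDirectory module and
# an account allowed to read (and, for Set-, write) the domain object. Function names are hypothetical.

# Which Active Directory principals did Group Policy put into local Administrators?
function Get-LocalAdminDomainMembers {
    # PrincipalSource is 'ActiveDirectory' for domain users/groups and 'Local' for built-in accounts.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object Name, ObjectClass, SID
}

# Read ms-DS-MachineAccountQuota from the domain object (the "number 10" in the answer).
function Get-MachineAccountQuota {
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainDN = (Get-ADDomain).DistinguishedName
    $domainObject = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
    [int]$domainObject.'ms-DS-MachineAccountQuota'
}

# Set the quota. With 0, the "Add workstations to domain" right no longer lets anyone create
# computer accounts; joins then need explicit permission to create computer objects on the
# target OU (Domain Admins are unaffected).
function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][ValidateRange(0, [int]::MaxValue)][int]$Quota)
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainDN = (Get-ADDomain).DistinguishedName
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

# --- usage ---
Write-Host "Domain principals in local Administrators on ${env:COMPUTERNAME}:"
Get-LocalAdminDomainMembers | Format-Table -AutoSize

$quota = Get-MachineAccountQuota
Write-Host "ms-DS-MachineAccountQuota is $quota"
if ($quota -gt 0) {
    Write-Warning ("Any authenticated user can still join $quota computer(s); consider " +
                   "Set-MachineAccountQuota -Quota 0 once 'Add workstations to domain' is " +
                   "limited to a dedicated group.")
}
```

Run the first function on a client after gpupdate /force to confirm that only the intended group (daisy123 or B\test3 in the answer's examples) appears; run the quota check on a management host, and only call Set-MachineAccountQuota after the "Add workstations to domain" user right has been narrowed as the answer describes, so that the dedicated joining group is not itself blocked.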