How to set a user permission group on Active Directory

Kittiwat Suraruengchai 1 Reputation point
2021-02-09T03:52:18.597+00:00

Can I create a group for users where:

  1. the user can install programs only
  2. the user can join the domain and install programs only

** Not use Domain admin **

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other

1 answer

  1. Anonymous
    2021-02-09T07:48:26.807+00:00

    Hello @Kittiwat Suraruengchai,

    Thank you for posting here.

    As I understand it, you want a user group to be able to install programs on domain-joined machines; if I misunderstood anything, please correct me.

    Here are the answers for your references.

    1. User can install programs only.

    Based on my understanding and experience, almost all programs require local administrator rights to be installed on a machine.

    So we can create one or more users and add them to one AD group, then add this user group to the local Administrators group on the machines via GPO.

    Via Local Users and Groups GPO.

    Create an OU and put all the domain machines in this OU.
    Create a GPO and link this GPO to the OU above.
    Edit the GPO and navigate to Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups, right-click Local Users and Groups\New\Local Group.

    In my case, daisy123 is the domain user group; I added daisy123 to local Administrators on all the domain-joined machines.

    On the client, update the GPO by running gpupdate /force. We can see the domain group is added to local Administrators on the domain client.

    Or via Restricted Groups GPO.

    Create an OU and put all the domain machines in this OU.
    Create a GPO and link this GPO to the OU above.
    Edit the GPO and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, right-click Restricted Groups\Add Group and select the user group (in my case, it is B\test3).

    On the client, update the GPO by running gpupdate /force. We can see the domain group is added to local Administrators on the domain client.

    References
    Active Directory Group Policy Restricted Groups
    https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx

    Using Group Policy Preferences to Manage the Local Administrator Group
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223

    2. User can join the domain and install programs only.

    By default, any authenticated user (Authenticated Users) has the right "Add workstations to domain" and can create up to 10 computer accounts in the domain.

    However, members of Administrators or Domain Admins have no "10 computer accounts" restriction.

    Edit the Default Domain Controllers Policy and we can see it as below.
    If you do not want all Authenticated Users to have this right, you can remove "Authenticated Users" and add the domain user group by editing the "Default Domain Controllers Policy".

    After changing the setting, we can update the GPO by running gpupdate /force on the DC.

    If you want to change the number 10, we can edit the property "ms-DS-MachineAccountQuota" in ADSI Edit as below.

    Add workstations to domain
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

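The following PowerShell script is an added example that is not part of the answer above. It scripts the pieces of the procedure that have cmdlets (creating the AD group, creating and linking the GPO, reading and lowering ms-DS-MachineAccountQuota) and adds two verification checks an administrator would want afterwards: which principals actually hold "Add workstations to domain" on the DC, and whether a workstation's local Administrators group contains anything beyond the expected members. It assumes the ActiveDirectory and GroupPolicy RSAT modules are available, and the OU, group and GPO names are placeholders to replace with your own. The Local Users and Groups preference item (or Restricted Groups entry) inside the GPO still has to be added in the Group Policy editor as the answer describes; there is no cmdlet for that item.

```powershell
# Added example, not the answer's own code. Placeholders below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$WorkstationOU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU that holds the domain machines
$AdminGroup    = 'LocalAdmins-Workstations'            # placeholder group; stands in for "daisy123"
$GpoName       = 'Local Admins - Workstations'         # placeholder GPO name

# Part 1: one security group whose members get local Administrators on the workstations.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$AdminGroup'")) {
    New-ADGroup -Name $AdminGroup -SamAccountName $AdminGroup `
        -GroupCategory Security -GroupScope Global -Path $WorkstationOU `
        -Description 'Members become local Administrators on workstations via GPO'
}

# Create the GPO and link it to the workstation OU. The Local Users and Groups
# preference (or Restricted Groups setting) is then configured in the GPMC editor.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $WorkstationOU -LinkEnabled Yes | Out-Null
}

# Verification on a client after "gpupdate /force": anything in local Administrators
# that is not in the expected list is drift worth investigating.
function Get-UnexpectedLocalAdmins {
    param([string[]]$Expected)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Expected -notcontains $_.Name } |
        Select-Object -ExpandProperty Name
}

# Part 2: the machine-account quota. Reading it first shows the default (10);
# setting it to 0 means only principals explicitly granted "Add workstations to
# domain" (for example your named group) can create computer accounts.
function Get-MachineAccountQuota {
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([int]$Quota)
    Set-ADDomain -Identity (Get-ADDomain).DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

# Run on the DC after "gpupdate /force": exports the effective user-rights assignment
# and resolves who holds SeMachineAccountPrivilege ("Add workstations to domain").
# S-1-5-11 in the output is Authenticated Users, the default holder.
function Get-AddWorkstationsRightHolders {
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeMachineAccountPrivilege*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # leave unresolvable entries as-is
    }
}

# Usage (DC for the quota and rights checks, a workstation for the local-admin check):
"Current ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
"Holders of 'Add workstations to domain': $((Get-AddWorkstationsRightHolders) -join ', ')"
Set-MachineAccountQuota -Quota 0
$expected = @("EXAMPLE\$AdminGroup", "EXAMPLE\Domain Admins", "$env:COMPUTERNAME\Administrator")
Get-UnexpectedLocalAdmins -Expected $expected
```

Get-UnexpectedLocalAdmins is the check that tells you the GPO did what the answer says it does and nothing else: if the domain group shows up as expected but extra accounts remain, the Restricted Groups variant (which replaces membership) rather than the preference item (which adds to it) may be the better fit.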
