Hello @Kittiwat Suraruengchai ,
Thank you for posting here.
As I understand, you want to make a user group able to install programs on domain-joined machines. If I have misunderstood anything, please correct me.
Here are the answers for your reference.
1. User can install program only.
Based on my understanding and experience, almost all or most programs require local administrator rights to be installed on the machines.
So we can create one or more users and add this user or those users into one AD group, then add this user group to the local Administrators group on the machines via GPO.
Via Local Users and Groups GPO.
Create an OU and put all the domain machines into this OU.
Create a GPO and link this GPO to the OU above.
Edit the GPO and navigate to Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups\right click Local Users and Groups\New\Local Group.
In my case, daisy123 is the domain user group; I added daisy123 to local Administrators on all the domain-joined machines.
On the client, update the GPO by running gpupdate /force. We can see the domain group is added to local Administrators on the domain client.
Or via Restricted Groups GPO.
Create an OU and put all the domain machines into this OU.
Create a GPO and link this GPO to the OU above.
Edit the GPO and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups\right click Restricted Groups\Add Group and select the user group (in my case, it is B\test3).
On the client, update the GPO by running gpupdate /force. We can see the domain group is added to local Administrators on the domain client.
References
Active Directory Group Policy Restricted Groups
https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
Using Group Policy Preferences to Manage the Local Administrator Group
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223
2. User can join domain and install program only.
By default, any authenticated user (Authenticated Users) has the right "Add workstations to domain" and can create up to 10 computer accounts in the domain.
However, members of Administrators or Domain Admins have no restriction regarding the "10 computer accounts".
Edit the Default Domain Controllers Policy and we can see it as below.
If you do not want all Authenticated Users to have such a right, you can remove "Authenticated Users" and add the domain user group by editing the "Default Domain Controllers Policy".
After changing the setting, we can update the GPO by running gpupdate /force on the DC.
If you want to change the number 10, we can edit the property "ms-DS-MachineAccountQuota" in ADSI as below.
Add workstations to domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
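As an added example (not part of the answer above), here is a PowerShell audit that checks both halves of the procedure from the defender's side: whether the GPO actually delivered the domain group into local Administrators on a client, whether anything else has crept into that group, and what ms-DS-MachineAccountQuota currently allows. It assumes the ActiveDirectory RSAT module is installed where the quota check runs, and `CONTOSO\daisy123` is a placeholder for the group the GPO pushes.

```powershell
# Added audit script, not from the original answer. Assumes the ActiveDirectory
# module (RSAT) is available on the machine running the quota check, and that
# 'CONTOSO\daisy123' is a placeholder for the domain group the GPO should add.
param(
    [string]$ExpectedGroup = 'CONTOSO\daisy123'   # placeholder: group pushed by the GPO
)

# Members that are legitimately expected in local Administrators on a
# domain-joined client: the built-in local Administrator, Domain Admins,
# and the group delegated for software installation.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:USERDOMAIN\Domain Admins",
    $ExpectedGroup
)

# Current local Administrators membership on this client.
$members = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

# 1. Did the GPO apply? The delegated domain group must be present.
if ($members -contains $ExpectedGroup) {
    Write-Output "OK: $ExpectedGroup is a member of local Administrators."
} else {
    Write-Warning "MISSING: $ExpectedGroup not found; run 'gpupdate /force' and review 'gpresult /r'."
}

# 2. Anything outside the allow-list deserves a look (stale local admins,
#    accounts added by hand, groups left over from an older GPO).
$unexpected = $members | Where-Object { $Allowed -notcontains $_ }
foreach ($m in $unexpected) {
    Write-Warning "UNEXPECTED local admin: $m"
}

# 3. Domain side: read ms-DS-MachineAccountQuota, the per-user limit on
#    computer accounts that 'Add workstations to domain' grants to
#    Authenticated Users (10 by default, as the answer notes).
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $domainDN = $quota"
if ($quota -gt 0) {
    Write-Warning "Any authenticated user can still create up to $quota computer accounts; lower it (0 disables it) if only the delegated group should join machines."
}
```

Run the first two checks on a client in the target OU after gpupdate, and the quota check from a machine with the AD module; a warning from check 2 is the usual sign that local admin membership is being managed outside the GPO.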