Non domain admins installing software on domain controllers

From: Jason Kane (Jason.Kane-at-btopenworld.com)
Date: 01/17/03


From: Jason Kane <Jason.Kane-at-btopenworld.com>
Date: Fri, 17 Jan 2003 14:12:13 +0000


If anyone can offer any advice on an issue we have I would be most
grateful.

We are midway through a Windows 2000 deployment. We have a number
of domain controllers and member servers distributed throughout
Europe and the Middle East. Security-wise, we delegate control of AD
objects for administrators within each country, and for member servers we
add them to the local administrators group; AD-wise, we also add them
into the server operators group.

The problem we have is with regards to software/patch installation on
domain controllers in that they cannot perform the action because they
are not administrators over domain controllers (as they are not domain
administrators). It is fine on member servers as they are members of
the local admin group (DCs don't have such a concept). For obvious
reasons we do not want to add them to the domain admins group, however
we do want them to be able to install their own software and obviously
install patches as and when they become available. We have already
given privileges for MSI packages, however as most software (including
hotfixes) does not use the MSI format they cannot install them.

Has anybody else come across this issue, or know of any resolutions?

Many thanks, Jason


