You can indeed use AppSense to do this, quite successfully - http://appsensebigot.blogspot.co.uk/2013/02/using-appsense-application-manager-to.html

I once managed to do this without AppSense by using CPAU from JoeWare, but it’s not clean privilege elevation – a lot of security holes. Power Users are just administrators with a couple of extra hoops to jump through anyway, IME.

Cheers,

JR

From: [email protected] On Behalf Of Charles F Sullivan
Sent: 04 May 2015 22:21
To: [email protected]
Subject: RE: [NTSysADM] Allow Non-Admins to Install Apps

By default, yet. But as I understand it, you can change it so that it has the “old” behavior.

https://technet.microsoft.com/en-us/library/cc771990.aspx

“For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.”

From: [email protected] On Behalf Of Kent, Mark
Sent: Monday, May 4, 2015 4:53 PM
To: [email protected]
Subject: RE: [NTSysADM] Allow Non-Admins to Install Apps

The PowerUsers group is worthless. It’s only a carryover on Vista+/Server2008+ for backwards compatibility.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: [email protected] On Behalf Of Charles F Sullivan
Sent: Monday, May 4, 2015 4:28 PM
To: [email protected]
Subject: [NTSysADM] Allow Non-Admins to Install Apps

Has anyone had to come up with a way for non-admins to install software on their application servers? We are trying to meet PCI requirements and someone in my group had the idea to enable the Power Users group as a solution for this (brings back bad memories of NT 4).

If we could do that and remain PCI compliant I would do it, since we’re used to giving the app owners Administrator rights on their particular servers anyway, but I’m skeptical that we would be compliant.

Charlie Sullivan
Sr. Windows Systems Administrator
