Group Policy to allow specific users to install specific software without admin privileges

Copper Contributor

I am a newly system administrator for an organization and I am trying to create a Group Policy that will allow specific users to download and use certain software like LogMeIn123 without having to use admin privileges. We don't want to give full admin rights, but only for this specific instance. I have done some research, but I am not sure the best way to set this up. The problem is our IT team consists of 3 members total and cannot be everywhere at once and this would be beneficial in key times.

 

I have seen some people recommend using a login script, but I am not sure how to do that. I have also seen some people recommend using a third-party tool which is out of the questions for our organization.

 

I am also open to other ways and ideas of having preforming this.

 

Can anyone please provide me with some instructions on how to set this up?

Thanks in advance for your help!

Additional information:

I am using Windows Server 2012R2.

I have a list of the specific users that I want to allow to install LogMeIn123.

I have the LogMeIn123 installation file located on a network server.

4 Replies

Hi @TurtleDeagon,

 

To deploy "LogMeIn123" to specific users without granting them full admin privileges, you can try to use the following steps:

Prepare the Software Package:

  1. Make sure you have a compatible installation package for LogMeIn123. If you have an MSI installer, that's ideal. If not, you may need to repackage the software into an MSI format. You can use tools like msiexec, WiX, or third-party applications for this purpose.
  2. Place the LogMeIn123 installation package on a network share accessible by the target computers. Ensure that the share permissions are set so that the user accounts you specify in Group Policy have read access to the folder containing the installation package.

Create a New Group Policy Object (GPO):

  1. On your Windows Server 2012 R2, open the Group Policy Management Console (GPMC). You can do this by running "gpmc.msc" from the "Run" dialog or a command prompt.
  2. Create a new GPO by right-clicking on the domain or OU where you want to deploy the software and selecting Create a GPO in this domain, and Link it here...
  3. Give the GPO a name and click OK.

Configure the GPO to Deploy LogMeIn123:

  1. Expand the GPO in the GPMC and navigate to Computer Configuration > Policies > Software Settings > Software Installation.
  2. Right-click on Software Installation and select New > Package.
  3. Browse to the network share location where the LogMeIn123 installation package is located and select it.
  4. Click Open.
  5. In the Deployment Properties dialog box, click the Assigned to tab.
  6. Click Add and select the security group that contains the users you want to allow to install LogMeIn123.
  7. Click OK to close the Deployment Properties dialog box.
  8. Click OK to close the Software Installation dialog box.

Link the GPO to the Appropriate OU:

  1. Right-click on the GPO in the GPMC and select Link an Existing GPO.
  2. Select the OU where the target computers are located.
  3. Click OK.

Test the Deployment:

  1. Log in as one of the users in the security group that you assigned the GPO to.
  2. Restart the computer.
  3. Log in again and check to see if LogMeIn123 is installed.


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

I am having an issue turning the file back into msi. Is that necessary or is there another alternative? @LeonPavesic 

Hi @TurtleDeagon,

thanks for your update.

If you have the LogMeIn123 installation file in .exe format and need to convert it to .msi for deployment, there are a few methods you can use:

1. Manual Conversion Using Command Line: Some .exe installers allow extraction of .msi files using command line parameters.

For example, you can try running `<file.exe> /s /x /b"<folder>" /v"/qn"` in the command line, replacing `<file.exe>` with your .exe file and `<folder>` with the target folder where you want the MSI package to be saved.

2. Application Repackaging Tools: 
Some free tools include AppDeploy Repackager and Microsoft Orca.

3. LogMeIn123's Mass Deployment:
LogMeIn123 provides a guide for mass deployment of their software, which might be helpful.

Here are some links as a reference:
(1) 3 Ways to Create MSI Packages from EXE Installers - FixMe.IT Official Blog. https://blog.techinline.com/2019/09/24/create-msi-packages-from-exe-installers/.
(2) What is the best (free) tool to wrap an .exe into a MSI?. https://serverfault.com/questions/22313/what-is-the-best-free-tool-to-wrap-an-exe-into-a-msi.
(3) Mass Deployment of Host Software on Windows (Silent Install). https://support.logmeininc.com/central/help/mass-deployment-of-logmein-host-software-silent-install-....

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

@LeonPavesic

 

Sorry for taking so long to get back on this project. To clarify, I was able to turn the exe into the msi. I created a group policy under our domain. In the specific department I want the application to run, I linked it there in the OU. 

 

In the GPMC, in the security filtering I have the users that I want to be able to access this software. Another questions, if I only want the specific users to use this software should I remove authenticated users? Is there anything else that I might be missing?  I really do appreciate your time on this