User account with rights to install SW on any domain PC without RDP rights?


Hello everyone,

Hope you're doing well. Is there any chance to assign rights to one user, who could install SW on any domain PC as administrator? But without RDP rights or any access to servers.

This can be solved with local admin on PCs, but this isn't an ideal solution. I need to assign or remove this user at any time quickly and easily.

I tried groups "Key Admins" and "Enterprise Admin" but without positive success.

I use Windows Server 2016.

Could you please help me with this issue?

Thank you very much.

1 Reply

@VTT_Vulcan Local Admin is probably the easiest method, as it sounds like you have already discovered. If you wish to more easily add/remove users from a local group, I've found the best way to accomplish this is by using group policy. You would need to create a new domain security group and a new group policy object (or use an existing one, your preference). In the policy you can add the domain SG as a member of the "Administrators" local group (this would be under Restricted Groups).

By doing this you can easily add/remove people from a domain group, which in turn will add/remove the permissions from the local "Administrators" group wherever the policy is applied. Keep in mind, however, that members of local admins will have the ability to RDP by default. If this is a deal breaker, you will need to find an alternate method.
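
The steps described in the reply above, as an added PowerShell example that is not part of the original thread. The group name, GPO name and OU paths are placeholders, and it assumes the RSAT ActiveDirectory and GroupPolicy modules plus PowerShell remoting for the final check. Linking the GPO only to an OU that holds workstations keeps the group out of the local Administrators group on servers.

```powershell
# Added example; every name and path below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName     = 'PC-Software-Installers'             # hypothetical domain security group
$GpoName       = 'Workstations - Local Admins'        # hypothetical GPO name
$GroupOu       = 'OU=Groups,DC=example,DC=com'        # placeholder OU for the group
$WorkstationOu = 'OU=Workstations,DC=example,DC=com'  # placeholder OU holding PCs only, no servers

# 1. Create the domain security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu
}

# 2. Create the GPO and link it to the workstation OU only.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
    New-GPLink -Name $GpoName -Target $WorkstationOu | Out-Null
}

# 3. Manual step in the Group Policy Management Editor for $GpoName:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Restricted Groups > Add Group: <domain>\PC-Software-Installers,
#    then under "This group is a member of" add: Administrators.
#    Using "member of" adds the group without replacing existing local admins.

# 4. Granting and revoking is now only a domain group membership change.
function Grant-InstallRights {
    param([Parameter(Mandatory)][string]$User)
    Add-ADGroupMember -Identity $GroupName -Members $User
}

function Revoke-InstallRights {
    param([Parameter(Mandatory)][string]$User)
    Remove-ADGroupMember -Identity $GroupName -Members $User -Confirm:$false
}

# 5. Check what a given PC actually has in its local Administrators group
#    after the policy has refreshed (gpupdate or the normal refresh interval).
function Get-PcLocalAdmins {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
}
```

A change in group membership shows up in the user's access token at their next logon, so a revoked user keeps the rights in any session that is already open.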