1

On my Active Directory network, I want to satisfy my boss by giving him semi-administrative permissions that will allow him to install programs as administrator in emergency situations on all computers, but not sacrifice the integrity of the network. Is there any type of Admin Group setting or Group that I could create that would allow him basic user permissions + the ability to install programs/drivers as administrator? I don't want to give him Domain Admin or anything crazy, just bypass UAC.

I was going to give him permission to bypass UAC via GPO, but would I need to make an entire GPO just for him? Is that too much?

TheFrack
  • 289

1 Answer

3

IMO, if you're letting him install stuff (and you don't trust him), then you've already compromised the network's integrity. :)

Having said that, here's a suggestion:

Use the GP Restricted Groups settings to add his domain account to the "Power Users" group on the workstations.

Caveat: This may not let him install drivers though, as they are system-level, and require Administrator permissions.

Power Users can install software but are not full admins. For more info on the differences, see this SU question: Difference between Power user and Administrator

Tutorial links:
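To review what a Restricted Groups policy like the one suggested above actually grants, this added example (not part of the original answer) parses the `[Group Membership]` section of a GPO's `GptTmpl.inf` security template and lists every principal placed into the local Administrators or Power Users groups. The sample template and its domain SIDs are constructed, and `audit_restricted_groups` is a hypothetical helper name.

```python
import configparser

# Well-known SIDs of built-in local groups that grant elevated rights.
PRIVILEGED = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed sample of a GptTmpl.inf; the domain SIDs are made up.
# On disk the file is normally UTF-16, so decode it before passing the text in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1200__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1200__Members =
"""

def _sids(value):
    # Split a comma-separated SID list and drop the leading '*' markers.
    return [s.strip().lstrip("*") for s in value.split(",") if s.strip()]

def audit_restricted_groups(inf_text):
    """Return (principal, local_group, mode) for each privileged grant."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(inf_text)
    findings = []
    if not cp.has_section("Group Membership"):
        return findings
    for key, value in cp.items("Group Membership"):
        subject, _, kind = key.lstrip("*").rpartition("__")
        if kind.lower() == "members" and subject in PRIVILEGED:
            # "Members of this group": the listed set replaces local membership.
            findings.extend((s, PRIVILEGED[subject], "replace") for s in _sids(value))
        elif kind.lower() == "memberof":
            # "This group is a member of": additive, existing members are kept.
            findings.extend((subject, PRIVILEGED[s], "add") for s in _sids(value) if s in PRIVILEGED)
    return findings

if __name__ == "__main__":
    for principal, group, mode in audit_restricted_groups(SAMPLE_INF):
        print(f"{principal} -> {group} ({mode})")
```

A "replace" finding means the policy overwrites the local group's membership on every workstation it applies to, so confirm the listed set is complete before linking the GPO.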