How do I behave with software that require administrative privileges and domain users who do not have these rights?
Many users with workstations have solidworks and draftsight software that for starters require administrator password. The only solution found was to add them to the domains admins group. But it goes a long way against the policy that we are trying to implement.
What solution do you recommend?
Your workstations are using windows?
Years ago I use this:cpau
Some more info (I haven’t readed yet)
I am solving this by using TightVNC on WinStations and Remmina on my laptop → users at my company are not allowed to install anything… and we are also using SW and DS 
yes @MrE , all windows machine
@des i have already installed tightvnc on all win machine via GPO (win7 win10 winXP)
but more software require admin right for start, example
- delphi
- solidworks
- draftsight
But, i can not connect whenever the user has to start one of these software
i use https://mremoteng.org/ for windows
alternative group for domain admin in nethserver?
hmmm this is strange behavior my SW and DS do not require admin right to run - only if i am setting up something then i need to enter admin login and pass but after that it does’nt require admin rights to run…
you mean you cannot connect to that machine via VNC?
Yes , I can always connect!
But it may happen that mechanical engineers reboot the program because it crashes, maybe on a business day they restart the pc 4 or 5 times.
They can not wait for me to connect.
I also tried to give permissions to the c:\program files\solidworks full control folder for the user but it does not resolve
Did you spoke with your SW & DS support about that? Maybe they have similar issue like you have ( i have asked my SW support and they said that they will check end let me know if they had problems like that)
What goes in my mind is to check your GPO if you don’t forbid to much on the AD, and second is this issue on all your SW machines or only on some of them?
ok i found this https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups
for more restricted permission https://www.ibm.com/support/knowledgecenter/en/SSNE44_5.2.0/com.ibm.tpc_V52.doc/fqz0_t_granting_admin_privileges_domain_account.html
Having this issue with software that we compile and windows asking for administrator rights, we use a workaround meanwhile we manage to solve it (we need to sign our app), installing in an alternative location, by example: c:\apps\our_app_dir, but not all software allows to change the installation directory.
Hopefully can works for you.
I am curious if you solved you issue?
1 Like
Now i have created a “Wks Admin” group in NS.
Via GPO i added “Wks Admin” to Local Machine Administrators group.
All user added to Wks Admin are Machine Administrator and not more Domain Admin.
Surely an improvement, considering that the machines are still subject to the limitations I impose via gpo
1 Like
Nice!
I am thinking about another solution - when i have for a short time AD controller on CentOS7 (for testing)with RSAT on Win7 when i was setting up new machine i was doing it like that:
- create user in AD
- add to group
- on Win7 connect machine to AD
- create user via Control panel and connect it to AD
- choose if the user is local admin or standard user - user was not added inne AD to any admin groups - he was only local admin and it was working - he was able to install any software but was not able to change anything on the AD.
I am currently waiting for a new server which will act as a AD controller working on Nethserver 7 so i am curious if it will work as i assume it should.
Can you add the domain user to the local administrator group? Then you don’ t have to give the domain user domain admin rights, but the account can use software that requires (local) admin rights.
@robb It’s basically what I did. I checked on the workstations and it seems to work. only who i say is a Wks Admin.
Beginning to have many workstations I want to limit too many steps on individual PCs. I would like to be able to do everything with RSAT and GPO
And above all I want to exploit the potential of unified credentials