How to give users software installation permission / privileges in Windows Server 2016




    We have a Server 2016 running in Microsoft Azure VM. On that server we have created an Active Directory and domain.

    We have around 10 users that have joined their computer to domain.

    As it is right now they are now allowed to install software or changing computers settings on their computer and be prompted that they need administration privileges. 

    I think we need to create a Group Policy that allow them to be able to install software but no other unnecessary permissions. We know that we can add the members to the Admin group. But this is not write and will give the users lots of other permission too.  We ned to perform this correctly.

    We also need to give Read/Write permission to owner of some folders (i. e. directory A) but only Read permission to other user for same A directory. 

    Please help us.

    Wednesday, March 8, 2017 12:30 PM

All replies

  • The computers joined to the domain, are they joined to the Azure Active Directory Domain or the Domain created in the DC you have setup in Azure VM ?

    If deploying the softwares remotely is a possibility for you, this might help:  Deploying an MSI through GPO


    Disclaimer: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Thursday, March 9, 2017 8:09 AM
  • Hi,

    Thank you for this interesting question.

    The users are not registered in Azure Active Directory. They are registered in the Windows Server 2016 in Azure VM and have joined the domain.

    Please tell us more about the advantages of having the users registered in Azure DC instead of having them in Windows Server 2016 or maybe at both?

    We found this manual on the Internet about giving users Admin privileges and after performing the steps in Windows Server 2016 in Azure, our users are now Admin and can install applications.

    But the problem is that this have giving the users to much power and privileges! On the Server in Azure we have couple of directories that have different permissions. As long as the users couldn't install software and hadn't Admin privileges the permissions of those directories worked. But now the uses can do everything with those directories and also delete them. 
    I will also later go through you link "Deploying an MSI through GPO"
    Please help us.
    Thursday, March 9, 2017 9:20 PM