How Can I Allow Software Installation Without Changing Network Settings in Active Directory?

Asked By TechyExplorer42 On

I'm looking for some help setting up an Active Directory policy that would allow specific team members, like Developers, QA Engineers, and Database Administrators, to install software on their Windows machines. However, I want to make sure they can't change important network settings, firewall configurations, or any other crucial system options. The goal is to give them enough admin rights to install applications without risking significant changes to their systems. Should I approach this through a custom Group Policy Object, or is there a standard method that would work better? We use Microsoft 365 E3 licenses with tools like Intune, Defender, and Entra. Any tips or examples of how to do this would be greatly appreciated!

4 Answers

Answered By NetworkWhiz2023 On

It's a tough balance you're trying to strike here. Allowing the users to have limited admin rights to install software while stopping them from changing network settings is challenging since admin rights usually come with considerable power. You might consider using AppLocker, but it's a bit tricky. If you set up permissions incorrectly, you could unintentionally allow unwanted applications to run, making your network vulnerable.

CleverCoder22 -

I feel you on this! AppLocker can be a nightmare to maintain if you have to set up specific rules for every application.

RiceRooted88 -

Exactly! You might want to look into giving them a VM instead. That way, they can play around freely without jeopardizing the main system.
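The AppLocker risk raised in the answer above (a rule that unintentionally lets unwanted applications run) can be checked on an exported policy. The following is an added example, not code from any participant in this thread: it parses AppLocker policy XML, such as the output of `Get-AppLockerPolicy -Effective -Xml`, and flags Allow path rules granted to broad groups on user-writable locations, plus rule collections that are not enforced. The sample policy is constructed, and the list of broad SIDs and the path markers are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in the AppLocker XML export format (not from the thread).
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Dev tools in profile" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Tools\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Any MSI" Description="" UserOrGroupSid="S-1-5-32-545" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Well-known SIDs that cover every standard user on the machine.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}
# Heuristic markers for locations a standard user can usually write to (assumption).
WRITABLE_MARKERS = ("\\USERS\\", "\\TEMP\\", "\\PROGRAMDATA\\")

def audit(policy_xml):
    """Return (collection, rule, issue) tuples for risky AppLocker settings."""
    findings = []
    for coll in ET.fromstring(policy_xml).iter("RuleCollection"):
        ctype = coll.get("Type")
        mode = coll.get("EnforcementMode", "NotConfigured")
        # Rules in a collection that is not enforced do not block anything.
        if mode != "Enabled" and len(coll):
            findings.append((ctype, "-", f"rules present but EnforcementMode={mode}"))
        for rule in coll.iter("FilePathRule"):
            sid = rule.get("UserOrGroupSid")
            if rule.get("Action") != "Allow" or sid not in BROAD_SIDS:
                continue
            # Only <Conditions> grant access; <Exceptions> narrow it, so skip those.
            for cond in rule.findall("Conditions/FilePathCondition"):
                path = cond.get("Path", "")
                if path in ("*", "*.*") or any(m in path.upper() for m in WRITABLE_MARKERS):
                    findings.append((ctype, rule.get("Name"),
                                     f"Allow for {BROAD_SIDS[sid]} on user-writable path {path}"))
    return findings

if __name__ == "__main__":
    for collection, rule, issue in audit(SAMPLE_POLICY):
        print(f"[{collection}] {rule}: {issue}")
```

Publisher and hash rules are not evaluated here; the check covers only path rules, which are the ones most easily satisfied by a file a standard user drops into a writable folder.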

Answered By CuriousAdmin On

If you're aiming for just enough rights for installations while minimizing risks, giving local admin rights is not the best approach. You should consider what you're allowing and enforce policies accordingly. Maybe rethink your strategy for user permissions and prioritize security.

Answered By ITProStan On

You can actually publish applications via Group Policy, which makes them available in the add/remove programs list for users. But as for modifying network or firewall settings, those do require admin access, so be careful. You might end up giving them more control than intended if you're not cautious with the setup.

Answered By SysAdminGuru77 On

One of the most effective ways to manage this is by using an endpoint privilege management tool like Delinea, ThreatLocker, or Admin By Request. These tools can allow your team to install software while preventing unauthorized changes to network and system settings. Relying solely on Group Policy won't be feasible for this kind of granular control.

DevOpsNinja99 -

Definitely! Group Policies just won't cover the complexity of what you're trying to achieve. An endpoint management tool will really simplify this process.

SecuritySavvy88 -

Agreed! These tools offer way more flexibility than GPOs when it comes to managing user permissions.
