....another option. Make your temp admins permanent and have your techs reset the password shortly after they give it to someone to install software.
As for elevated rights to install... we put the install packages that require that on a webpage. The shortcut on the web page runs it elevated for the user, so we just direct them to the webpage. We use a program called Encrypted RunAs to make the shortcuts. It is around 400 bucks for a domain-wide license.

From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu]
Sent: Friday, November 05, 2010 3:30 PM
To: NT System Admin Issues
Subject: RE: Script to remove all users from a group

Ah, okay, so let me clarify. With our XP workstations, we're already using restricted groups in group policy to append groups to our workstations, but it doesn't prevent people who already have access from adding additional local administrators, or adding users to other groups. As we roll out Win7, we're now implementing a restricted groups policy that will replace instead, to lock things down more. Using a WMI filter on the policies to select XP vs non-XP machines - that is working great.

But, we always have those one-off scenarios where someone needs to be a local admin just long enough to get a piece of software installed, then you can drop the permissions. It's possible that run-as may work for some (not sure on this yet - might not add to the correct registry areas), but we have some really ancient software around that may not play well at all. I'm not the software packager/deployer, so that will be sorted out by others.

My plan is to have a "temporary local admins" group in AD that is also already added via restricted groups. Techs will have access to add users to this group, but we want an automated process to dump the group membership every day, say 2am, so people don't get left there.

-Bonnie

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Friday, November 05, 2010 11:44 AM
To: NT System Admin Issues
Subject: Re: Script to remove all users from a group

You can do this more easily via Group Policy... What specific group are you thinking of doing this with?
ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Fri, Nov 5, 2010 at 2:33 PM, Miller Bonnie L. <mille...@mukilteo.wednet.edu> wrote:

I need something that will take a specific domain global group (domain\groupname) and remove all members from that group. I'd like to schedule the task with Windows (2008 R2) Task Scheduler to run at a certain time every day. I'm thinking something that will run via cmd, PS, or even cscript, but I know very little about the second two - anything quick and easy out there to get the job done?

-Bonnie

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
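
Added example, not part of the original thread or any poster's own script: one way to do the daily cleanup described above (empty a "temporary local admins" domain group and keep a record of who was in it). It assumes the ActiveDirectory PowerShell module is available on the machine running the task; the group name, log path and script path are hypothetical placeholders.

```powershell
# Clear-TempAdmins.ps1 (hypothetical file name)
# Empties one AD group and logs who was removed, for review afterwards.
# Written to run under PowerShell 2.0 (the 2008 R2 default) or later.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical defaults; substitute your own group and log location.
    [string]$GroupName = 'Temporary Local Admins',
    [string]$LogPath   = 'C:\Logs\TempAdminCleanup.log'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the group first so a typo fails loudly instead of doing nothing.
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# Direct members only; @() keeps zero or one result as an array.
$members = @(Get-ADGroupMember -Identity $group)

if ($members.Count -eq 0) {
    Write-Verbose "No members in '$($group.Name)'; nothing to remove."
    return
}

if ($PSCmdlet.ShouldProcess($group.Name, "Remove $($members.Count) member(s)")) {
    # Record each member before removal (tab-separated, because
    # distinguished names contain commas).
    $stamp = Get-Date -Format 's'
    foreach ($m in $members) {
        $line = "{0}`t{1}`t{2}`t{3}" -f $stamp, $group.Name,
                $m.SamAccountName, $m.distinguishedName
        Add-Content -Path $LogPath -Value $line
    }

    # -Confirm:$false suppresses the interactive prompt so the
    # scheduled task can run unattended.
    Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false
}

# Dry run from a console:  .\Clear-TempAdmins.ps1 -WhatIf -Verbose
# Daily 2am task (script path is a placeholder):
#   schtasks /Create /TN "Clear temp admins" /SC DAILY /ST 02:00 ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Clear-TempAdmins.ps1"
```

A user who is already logged on keeps the group in their access token until they log off, so the removal takes effect at their next logon. Run the task under an account delegated only to manage this one group's membership rather than a domain admin.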