Hi Jakub Škácha,
Thank you for posting in the Microsoft Community Forums.
- Creating a user account
First, create a new user account in AD. This can be done through the Active Directory Users and Computers management tool.
Log on to the AD domain controller on Windows Server.
Open Administrative Tools > Active Directory Users and Computers.
In the appropriate container (e.g. “Users” container), right-click and select “New” > “User”.
Enter the necessary information about the user, such as name, username, and password.
- Configure User Privileges
Next, you need to make sure that the user account has permission to install/uninstall software, but not to manage the user account.
Installing/Uninstalling Software Privileges
Normally, installing software requires “local administrator” privileges or membership in the “Power Users” group. However, in order to limit its user management capabilities, you should avoid adding users to the “Local Administrators” group.
Consider adding users to a custom security group and configuring that group with the necessary permissions to allow software installation. This usually involves modifying the local security policy or using group policy to authorize the ability to install software.
Restricting user administrative privileges
Ensure that the user is not a member of Domain Admins, Enterprise Admins, or any other group with broad user administrative privileges.
You can further restrict the user's access to user accounts by modifying the user's access control lists (ACLs). For example, the user can be denied “write” and “delete” privileges to user administration-related objects (such as user accounts, organizational units, etc.).
- Using Group Policy
Group Policy can be used to control user privileges and behaviors in a more granular way.
Create a new Group Policy Object (GPO) and link it to the OU (Organizational Unit) or higher-level container that contains the user account.
In the GPO, configure the following settings to restrict user administrative privileges:
User Rights Assignment: Ensure that users are not added to the user rights that allow the management of user accounts (e.g., “Log on as a batch job,” “Allow local logon,” etc.).
Security Settings: In Security Settings > Local Policies > User Rights Allocation, ensure that users are not given rights to manage user accounts (e.g., “Change Password”, “Allow Local Logon”, “Create User Account”, etc.).
Software restriction policies (if required): Software restriction policies can be used to prevent users from running specific administrative tools, such as the “Active Directory Users and Computers” mmc file.
- Verification and Testing
After completing the configuration, the privileges of the user account should be thoroughly tested to ensure that it is able to install/uninstall software but is not able to manage user accounts.
Log on to the server that is the test target and use the newly created user account.
Try installing and uninstalling software to verify its permissions.
Try accessing Active Directory Users and Computers or other user management tools to confirm that the user is unable to perform administrative actions.
Best regards
Neuvi
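The procedure in the answer above (create the account, put it in a custom security group instead of a privileged one, then verify) as an added PowerShell example; it is not part of the original answer. It assumes the ActiveDirectory RSAT module, and the user, group and OU names are placeholders.

```powershell
# Added example (not from the answer above). Assumes the ActiveDirectory module
# is installed; account, group and OU names below are placeholders.
Import-Module ActiveDirectory

$UserName  = 'jdoe'                           # assumed sample account
$GroupName = 'SW-Installers'                  # assumed custom security group
$UsersOU   = 'OU=Staff,DC=example,DC=local'   # placeholder OU
$GroupsOU  = 'OU=Groups,DC=example,DC=local'  # placeholder OU

# Step 1: create the user account (password is prompted, never hard-coded).
$Password = Read-Host -AsSecureString -Prompt "Initial password for $UserName"
New-ADUser -Name 'Jane Doe' -SamAccountName $UserName `
    -UserPrincipalName "$UserName@example.local" -Path $UsersOU `
    -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true

# Step 2: custom group that carries the install right. What the group may do
# on the target servers is granted separately by Group Policy, not by AD itself.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
    -Path $GroupsOU -Description 'May install/uninstall software on member servers'
Add-ADGroupMember -Identity $GroupName -Members $UserName

# Step 3: verification. A recursive membership check catches the case a
# direct "MemberOf" look-up misses: privilege inherited through a nested group.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Schema Admins'

function Test-NotPrivileged {
    param([string]$SamAccountName, [string[]]$Groups)
    $findings = foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($members.SamAccountName -contains $SamAccountName) { $g }
    }
    if ($findings) {
        Write-Warning "$SamAccountName is (transitively) a member of: $($findings -join ', ')"
    }
    return (-not $findings)   # $true when no privileged membership was found
}

Test-NotPrivileged -SamAccountName $UserName -Groups $PrivilegedGroups
```

Run the final check again after any later group change; nested membership is the usual way an account quietly regains the rights this setup is meant to withhold.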