Assigning limited admin rights to install programs

[westerman]

Greetings

How can I go about giving a managed network user account rights to install programs but not create local accounts, change permissions, un-bind from the domain and other system management stuff like that?

much thanks - BW

 

[westerman]

Is there a particular group that has the permissions needed to install programs?

Anyone got a source where I can check out exactly what groups like _developer, _installer, staff, wheel, and ect ect are designed for?

 

[Satcomer]

What kind of Domain are you running to allow users to install programs?

 

[westerman]

All Macs are bound to Active Directory and users are not admins so currently they cannot install programs. We only want to give certain users install rights.

 

[westerman]

Another option would be to make a user an admin which would be restricted from being able to access the Accounts preferences. Then local accounts couldn't be created or other account made into admins which is the main concern.

How would one go about that?

 

[Satcomer]

Is this an Microsoft 2008, 2010 or 2003 domain? I ask because things are vastly different for each version.

 

[westerman]

The DCs are all 2008.

I think the best option would be to restrict access to Prefs\Accounts to only the root user. Is something like that possible?