Solved

Prevent Users from Installing Software Programs

Posted on 2003-11-03
23
1,691 Views
Last Modified: 2010-04-14
I'm in the process of implementing group policies on a hybrid 2000/XP network. Our servers are Win 2K.  I want to prevent users from installing programs.  I was able to block the programs that have the file 'setup.exe', however there are files that have the program name combined with 'setup.exe', for example: 'gatewasetup.exe'

Is there a way for me to disallow any file with the word 'setup.exe' in it?  Are the use of wildcards allowed?  Or is there away with GPO to not allow users to install anything period, even though they have admin rights to their machines?
0
Comment
Question by:Joe_27
  • 10
  • 5
  • 3
  • +2
23 Comments
 
LVL 11

Expert Comment

by:adonis1976
Comment Utility
as far as I know, it is not possible. I would like to hear from others if it is possible.
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Any user that is in the Domain User group cannot install software on a local PC.  Try it....it will fail.

Cheers.
0
 
LVL 11

Expert Comment

by:adonis1976
Comment Utility
Netman66:

if the user(same usr who is in domain usr gp) has admin rights on the local machine, the installation will be successful.. try it... i have been the system admin for almost 4 years now and i'm hearing that for the first time that the domain usr cannot install s/w even if they have admin rights on the local machine.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
As said above, make sure the users only have user rights locally, almost every program needs administrator or poweruser rights to be installed.

LucF
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
adonis..

If the Domain User is part of the local Administrators Group of course they will be able to install software locally.  By default, they should not be part of Power User or Administrators Group locally - they would have had to be added to those groups manually.

As long as the user has not been added to those groups then they should only exist in the local Users Group by default and therefore have no local rights to install software.

0
 

Author Comment

by:Joe_27
Comment Utility
If I remove the user from the local Admin group, which should be the Security permissions on the drives for local users?  I've altered them, and I can't remember what they were before.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Everyone full control will do, then they still aren't able to install any programs, but they're allowed to read, write, execute, modify and delete files (you can disable whatever you want)

LucF
0
 
LVL 11

Expert Comment

by:adonis1976
Comment Utility
Joe:

if the users are logging into the domain all the time, then you dont hav to worry about anything, cos the domain policy (if one exists) will take effect. If the machines are not logging on to the domain, what you can do is to have the users in the "Power Users" group, and set the permissions to "read & execute" and "write" access, and other things as you wish. But surely not Full control.
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 350 total points
Comment Utility
The best thing you can do is don't give them any local rights, then even if you give everyone full control as NTFS permissions, they still won't be able to install anything. By default it's set to read, read&execute and write access.

LucF
0
 

Author Comment

by:Joe_27
Comment Utility
The machines are logging into the domain, however, each user has local admin rights.  There are some policies that are taking effect, such as control panel, and run command removal.  However, when specifiying programs not to run, I have to supply a list of programs.  And not all programs have a setup.exe file.  
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
As stated above, don't give them any local rights, why did you give them local rights in the first place?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 150 total points
Comment Utility
you HAVE to give them local admin rights for MOST 3rd party software to work... it sucks i know,,, If you call tech support for MOST apps they will tell you that in order for their product to work the "user" must have admin rights of the local machine. This is just do to POOR programming and makes the admins job difficult b/c now the "user" can install software.  Ive tried stopping users from doing this with GPOs but hasn't worked yet. Anyone have any other suggestions?

Mike
MCSE CCNA
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
>you HAVE to give them local admin rights for MOST 3rd party software to work
Not true, you must have local admin rights to install most software, to run them normal user rights is enough.....
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
btw, mikeleebrla, why the "Anyone have any other suggestions?" line at the end of your comment??
0
 
LVL 25

Expert Comment

by:mikeleebrla
Comment Utility
LucF,  I manage 1500 plus users and yes for many apps to run with windows 2000 you have to give the user local admin rights.  This comes straight from the software venders themselves, not me.  Try putting usefull input in this forum instead of attempting to take shots at me which simply reveal your lack of knowledge anyway.
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
I've personally never encountered that problem, sorry about that. I personally manage a network of 450 computers and have always been able to run every program we have without administrator rights.

>attempting to take shots at me
I wasn't attempting this, I'm just saying what I said above, I've always been able to make programs run without administrator rights.

0
 

Author Comment

by:Joe_27
Comment Utility
I tried giving users just user rights, however, I'm starting to notice problems.  In Outlook for example, when a user tries to directy open an attachment, they're unable to.  However, when I place them back as local admins, then their attachments can open.  
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
You can try putting them in the "Powerusers" group
0
 

Author Comment

by:Joe_27
Comment Utility
But would that still allow them to install programs?
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Some programs yes, mostly no. Just check for yourself. I know that Powerusers can't install software like Kazaa and MSN-messenger, so you won't have to worry about that.

LucF
0
 

Author Comment

by:Joe_27
Comment Utility
I will give it a try.  In GPO I can set certain files for Windows not to run.  However, I can specifiy not let any programs with the word setup or install in them?  Are there wildcard characters that can be used?
0
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
>Are there wildcard characters that can be used?
I really haven't got a clue, sorry, I just don't know.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now