Solved

Prevent Users from Installing Software Programs

Posted on 2003-11-03
Last Modified: 2010-04-14
I'm in the process of implementing group policies on a hybrid 2000/XP network. Our servers are Win 2K.  I want to prevent users from installing programs.  I was able to block the programs that have the file 'setup.exe', however there are files that have the program name combined with 'setup.exe', for example: 'gatewasetup.exe'

Is there a way for me to disallow any file with the word 'setup.exe' in it?  Is the use of wildcards allowed?  Or is there a way with GPO to not allow users to install anything period, even though they have admin rights to their machines?
0
Question by:Joe_27
23 Comments
 
LVL 11

Expert Comment

by:adonis1976
ID: 9675410
As far as I know, it is not possible. I would like to hear from others if it is possible.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9676045
Any user that is in the Domain User group cannot install software on a local PC.  Try it....it will fail.

Cheers.
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9676135
Netman66:

If the user (same user who is in the domain user group) has admin rights on the local machine, the installation will be successful. Try it... I have been the system admin for almost 4 years now and I'm hearing for the first time that the domain user cannot install software even if they have admin rights on the local machine.
0
 
LVL 32

Expert Comment

by:LucF
ID: 9676760
As said above, make sure the users only have user rights locally, almost every program needs administrator or poweruser rights to be installed.

LucF
0
 
LVL 51

Expert Comment

by:Netman66
ID: 9678531
adonis..

If the Domain User is part of the local Administrators Group of course they will be able to install software locally.  By default, they should not be part of Power User or Administrators Group locally - they would have had to be added to those groups manually.

As long as the user has not been added to those groups then they should only exist in the local Users Group by default and therefore have no local rights to install software.

0
 

Author Comment

by:Joe_27
ID: 9695496
If I remove the user from the local Admin group, what should the Security permissions on the drives be for local users?  I've altered them, and I can't remember what they were before.
0
 
LVL 32

Expert Comment

by:LucF
ID: 9695524
Everyone full control will do, then they still aren't able to install any programs, but they're allowed to read, write, execute, modify and delete files (you can disable whatever you want)

LucF
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9696093
Joe:

If the users are logging into the domain all the time, then you don't have to worry about anything, because the domain policy (if one exists) will take effect. If the machines are not logging on to the domain, what you can do is to have the users in the "Power Users" group, and set the permissions to "read & execute" and "write" access, and other things as you wish. But surely not Full control.
0
 
LVL 32

Accepted Solution

by:
LucF earned 350 total points
ID: 9696131
The best thing you can do is not give them any local rights; then even if you give everyone full control as NTFS permissions, they still won't be able to install anything. By default it's set to read, read & execute and write access.

LucF
0
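A check for the condition the answers above turn on, namely which accounts sit in the local Administrators or Power Users groups, as an added example that is not part of the original thread. It parses saved `net localgroup` output collected from workstations; the host names, account names and allow-list are constructed assumptions.

```python
"""Audit saved `net localgroup <group>` output for unexpected members."""

PRIVILEGED_GROUPS = ("Administrators", "Power Users")
# Assumption: accounts this site expects in those groups (hypothetical names).
ALLOWED = {"administrator", "corp\\domain admins"}


def capture(group, members):
    """Build constructed sample text in the layout `net localgroup` prints."""
    return ("Alias name     %s\nComment\n\nMembers\n\n%s\n%s\n"
            "The command completed successfully.\n"
            % (group, "-" * 79, "\n".join(members)))


# Constructed sample data: (host, group) -> command output.
SAMPLE = {
    ("WS-014", "Administrators"): capture(
        "Administrators", ["Administrator", "CORP\\Domain Admins", "CORP\\jdoe"]),
    ("WS-014", "Power Users"): capture("Power Users", ["CORP\\asmith"]),
    ("WS-020", "Administrators"): capture(
        "Administrators", ["Administrator", "CORP\\Domain Admins"]),
}


def parse_members(output):
    """Return the names listed between the dashed line and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            in_list = line.startswith("-----")
            continue
        if not line or line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def audit(captures, allowed=ALLOWED):
    """List (host, group, member) for members outside the allow-list."""
    findings = []
    for (host, group), output in sorted(captures.items()):
        if group in PRIVILEGED_GROUPS:
            findings += [(host, group, m) for m in parse_members(output)
                         if m.lower() not in allowed]
    return findings


if __name__ == "__main__":
    for host, group, member in audit(SAMPLE):
        print("%s: %s is a member of local %s" % (host, member, group))
```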
 

Author Comment

by:Joe_27
ID: 9696146
The machines are logging into the domain, however, each user has local admin rights.  There are some policies that are taking effect, such as control panel, and run command removal.  However, when specifying programs not to run, I have to supply a list of programs.  And not all programs have a setup.exe file.
0
 
LVL 32

Expert Comment

by:LucF
ID: 9696300
As stated above, don't give them any local rights, why did you give them local rights in the first place?
0
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 150 total points
ID: 9774445
You HAVE to give them local admin rights for MOST 3rd party software to work... it sucks, I know. If you call tech support for MOST apps they will tell you that in order for their product to work the "user" must have admin rights of the local machine. This is just due to POOR programming and makes the admin's job difficult because now the "user" can install software.  I've tried stopping users from doing this with GPOs but it hasn't worked yet. Anyone have any other suggestions?

Mike
MCSE CCNA
0
 
LVL 32

Expert Comment

by:LucF
ID: 9774510
>you HAVE to give them local admin rights for MOST 3rd party software to work
Not true, you must have local admin rights to install most software, to run them normal user rights is enough.....
0
 
LVL 32

Expert Comment

by:LucF
ID: 9774536
btw, mikeleebrla, why the "Anyone have any other suggestions?" line at the end of your comment??
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 9779383
LucF,  I manage 1500 plus users and yes, for many apps to run with Windows 2000 you have to give the user local admin rights.  This comes straight from the software vendors themselves, not me.  Try putting useful input in this forum instead of attempting to take shots at me which simply reveal your lack of knowledge anyway.
0
 
LVL 32

Expert Comment

by:LucF
ID: 9779769
I've personally never encountered that problem, sorry about that. I personally manage a network of 450 computers and have always been able to run every program we have without administrator rights.

>attempting to take shots at me
I wasn't attempting this, I'm just saying what I said above, I've always been able to make programs run without administrator rights.

0
 

Author Comment

by:Joe_27
ID: 9813635
I tried giving users just user rights, however, I'm starting to notice problems.  In Outlook for example, when a user tries to directly open an attachment, they're unable to.  However, when I place them back as local admins, then their attachments can open.
0
 
LVL 32

Expert Comment

by:LucF
ID: 9813643
You can try putting them in the "Powerusers" group
0
 

Author Comment

by:Joe_27
ID: 9813651
But would that still allow them to install programs?
0
 
LVL 32

Expert Comment

by:LucF
ID: 9813667
Some programs yes, mostly no. Just check for yourself. I know that Powerusers can't install software like Kazaa and MSN-messenger, so you won't have to worry about that.

LucF
0
 

Author Comment

by:Joe_27
ID: 9813734
I will give it a try.  In GPO I can set certain files for Windows not to run.  However, can I specify not to let any programs with the word setup or install in them run?  Are there wildcard characters that can be used?
0
 
LVL 32

Expert Comment

by:LucF
ID: 9813793
>Are there wildcard characters that can be used?
I really haven't got a clue, sorry, I just don't know.
0
