Prevent Users from Installing Software Programs

I'm in the process of implementing group policies on a hybrid 2000/XP network. Our servers are Win 2K.  I want to prevent users from installing programs.  I was able to block the programs that have the file 'setup.exe', however there are files that have the program name combined with 'setup.exe', for example: 'gatewasetup.exe'

Is there a way for me to disallow any file with the word 'setup.exe' in it?  Are the use of wildcards allowed?  Or is there away with GPO to not allow users to install anything period, even though they have admin rights to their machines?
Joe_27Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

adonis1976Commented:
as far as I know, it is not possible. I would like to hear from others if it is possible.
0
Netman66Commented:
Any user that is in the Domain User group cannot install software on a local PC.  Try it....it will fail.

Cheers.
0
adonis1976Commented:
Netman66:

if the user(same usr who is in domain usr gp) has admin rights on the local machine, the installation will be successful.. try it... i have been the system admin for almost 4 years now and i'm hearing that for the first time that the domain usr cannot install s/w even if they have admin rights on the local machine.
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

LucFEMEA Server EngineerCommented:
As said above, make sure the users only have user rights locally, almost every program needs administrator or poweruser rights to be installed.

LucF
0
Netman66Commented:
adonis..

If the Domain User is part of the local Administrators Group of course they will be able to install software locally.  By default, they should not be part of Power User or Administrators Group locally - they would have had to be added to those groups manually.

As long as the user has not been added to those groups then they should only exist in the local Users Group by default and therefore have no local rights to install software.

0
Joe_27Author Commented:
If I remove the user from the local Admin group, which should be the Security permissions on the drives for local users?  I've altered them, and I can't remember what they were before.
0
LucFEMEA Server EngineerCommented:
Everyone full control will do, then they still aren't able to install any programs, but they're allowed to read, write, execute, modify and delete files (you can disable whatever you want)

LucF
0
adonis1976Commented:
Joe:

if the users are logging into the domain all the time, then you dont hav to worry about anything, cos the domain policy (if one exists) will take effect. If the machines are not logging on to the domain, what you can do is to have the users in the "Power Users" group, and set the permissions to "read & execute" and "write" access, and other things as you wish. But surely not Full control.
0
LucFEMEA Server EngineerCommented:
The best thing you can do is don't give them any local rights, then even if you give everyone full control as NTFS permissions, they still won't be able to install anything. By default it's set to read, read&execute and write access.

LucF
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Joe_27Author Commented:
The machines are logging into the domain, however, each user has local admin rights.  There are some policies that are taking effect, such as control panel, and run command removal.  However, when specifiying programs not to run, I have to supply a list of programs.  And not all programs have a setup.exe file.  
0
LucFEMEA Server EngineerCommented:
As stated above, don't give them any local rights, why did you give them local rights in the first place?
0
mikeleebrlaCommented:
you HAVE to give them local admin rights for MOST 3rd party software to work... it sucks i know,,, If you call tech support for MOST apps they will tell you that in order for their product to work the "user" must have admin rights of the local machine. This is just do to POOR programming and makes the admins job difficult b/c now the "user" can install software.  Ive tried stopping users from doing this with GPOs but hasn't worked yet. Anyone have any other suggestions?

Mike
MCSE CCNA
0
LucFEMEA Server EngineerCommented:
>you HAVE to give them local admin rights for MOST 3rd party software to work
Not true, you must have local admin rights to install most software, to run them normal user rights is enough.....
0
LucFEMEA Server EngineerCommented:
btw, mikeleebrla, why the "Anyone have any other suggestions?" line at the end of your comment??
0
mikeleebrlaCommented:
LucF,  I manage 1500 plus users and yes for many apps to run with windows 2000 you have to give the user local admin rights.  This comes straight from the software venders themselves, not me.  Try putting usefull input in this forum instead of attempting to take shots at me which simply reveal your lack of knowledge anyway.
0
LucFEMEA Server EngineerCommented:
I've personally never encountered that problem, sorry about that. I personally manage a network of 450 computers and have always been able to run every program we have without administrator rights.

>attempting to take shots at me
I wasn't attempting this, I'm just saying what I said above, I've always been able to make programs run without administrator rights.

0
Joe_27Author Commented:
I tried giving users just user rights, however, I'm starting to notice problems.  In Outlook for example, when a user tries to directy open an attachment, they're unable to.  However, when I place them back as local admins, then their attachments can open.  
0
LucFEMEA Server EngineerCommented:
You can try putting them in the "Powerusers" group
0
Joe_27Author Commented:
But would that still allow them to install programs?
0
LucFEMEA Server EngineerCommented:
Some programs yes, mostly no. Just check for yourself. I know that Powerusers can't install software like Kazaa and MSN-messenger, so you won't have to worry about that.

LucF
0
Joe_27Author Commented:
I will give it a try.  In GPO I can set certain files for Windows not to run.  However, I can specifiy not let any programs with the word setup or install in them?  Are there wildcard characters that can be used?
0
LucFEMEA Server EngineerCommented:
>Are there wildcard characters that can be used?
I really haven't got a clue, sorry, I just don't know.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.