Solved

Install Permissions for users on Windows Domain

Posted on 2003-11-19
6
386 Views
Last Modified: 2010-03-19
I am running a Windows 2000 Domain with about 500 users, my boss has asked me if we could give certain individuals rights to install programs, but only localy. He does not want them to install anything downloaded from the web. They are all users right now so they cannot install anything which is fine by me....however I have already exhausted the options of making them power users or Admin on the local machine only because he only wants them to be able to install something like a CDROM that came with a text book or something from media. Can this be done through group policys??  Any help would be greatly appreciated.


Thanks
0
Comment
Question by:sgunderson
6 Comments
 
LVL 10

Assisted Solution

by:pcbrat
pcbrat earned 125 total points
ID: 9783253
If you give them rights to install that means they have access to run Executables. The only way to block them from doing it from the NET is to have a proxy or ISA server and control what they can download. We use Websense...it defines what users have access to on the net through groups and permissions in AD..

There is no way to differentiate between what has been downloaded and what is on a CD....anything can be copied locally of a CD...so how do you tell the system that this was a download exe and not a CD exe???

dawne :)
0
 
LVL 9

Accepted Solution

by:
svenkarlsen earned 125 total points
ID: 9783279
Hi sgunderson,

Either you allow them to install, or you don't. You will never be able to make a system that safely distinguishes between software downloaded from internet, and sw comming on a CD.

I am afraid you will have to tell your superior that this can only be done under the administration of the IT Dept. and will consequently require some resources, - i.e. he cannot get it for free, so he will have to consider what's the worst: saying to the secretaries (or whoever's been at him on the subject) that they will not be allowed to mess with the computers or spending some more money for e.g. a student assistant in the System Dept.

If you don't want to be rude to him, you could try asking him who will be responsible for any un-licensed software being installed on corporate computers ? And get the answer in writing, - otherwise you'll be the one taking the blame in the end!

Kind regards,
Sven
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9783613
Sven has hit the nail squarely on the head.  Pts to him.

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:sgunderson
ID: 9788986
These are the answers I expected. Thank You Very Much.
0
 
LVL 1

Expert Comment

by:ThePowderedToastMan
ID: 9792055
Sven is right, HOWEVER, if you are running either Proxy Server or more recently ISA Server, you can handle this problem by using Group Policy, i.e., creating power user groups or using inherited permissions.  Then you ISA can inherit attributes from the group permissions and allow or disallow downloads from the internet.  Simple, but can be a bad one to set up if you have to route through a DMZ.
0
 

Author Comment

by:sgunderson
ID: 9798176
Thank You
PowderedToast
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now