Solved

Group Policy - Allow a Group to Install Programs

Posted on 2004-10-11
Last Modified: 2010-04-19
I need a detailed description of how to let my teachers (group - All Staff) either be local administrators or install programs on whatever Windows XP Pro computer they log on to.
Question by:mgohring
2 Comments
 

Author Comment

by:mgohring
ID: 12283623
Or a not-so-detailed description, as long as someone answers.

Accepted Solution

by:
corneliup earned 500 total points
ID: 12284015
How to Create a New Policy
It’s not easy to find the software restriction policies node in the GPO console at first glance. Remember: you won’t find this on Windows 2000 computers. On XP and Windows Server 2003 machines, it’s buried deep in the Windows Settings | Security Settings under either Computer Configuration or User Configuration (depending on whether it will be a user or machine policy). The first time you open this node, you’ll get a message that says no software restriction policies have been defined.

To create a new policy, click the Action menu, then select New Software Restriction Policies. You’ll see five items:

Security Levels (folder)
Additional Rules (folder)
Enforcement
Designated File Types
Trusted Publishers

Security Levels allows you to select the default rule (Disallowed or Unrestricted). Double click the one you want and click the Set as Default button. This button will be greyed out for the selection that is currently the default, and that item will show an icon with a checkmark to indicate that it is the current default.

The Additional Rules folder contains the exceptions to the default. By right clicking this folder, you can create a new certificate, hash, Internet Zone or Path rule. For example, to set a new Path rule, you’ll need to type in or browse to the path for the program that will be an exception to the default, then select either Disallowed or Unrestricted to designate whether you want that program to run or be blocked from running.

NOTE: you’ll need to be logged in as a local administrator or domain admin to create software restriction policies, or you’ll need to have been delegated the authority to do this.

How Software Restriction Policies Work
Here’s how it works: There are two different default rules that you can start from, depending on the security needs of your organization:

Unrestricted: if you choose this as the default, all programs will be able to run except those that you specify, which will not be allowed to run. This might work in a small organization where you want employees to have a lot of leeway in what they can install, but you want to protect against certain programs that are known to cause problems.
Disallowed: this default rule means that all programs will be blocked from running unless they are on the list of programs that you have specified to be allowed to run. This is a more secure method, and is best for larger organizations where you have less direct knowledge of what all employees are doing and in environments where you want to more specifically control exactly what programs can be run.

The policy defines rules for identifying programs that are exceptions to the default rule. That is, if the default is unrestricted, the rules identify programs that should not be allowed to run, and if the default is disallowed, the rules identify programs that should be allowed to run. There are four ways that can be used to identify these programs:

By a hash or cryptographic “fingerprint.” This is useful when you want to specify a particular version of a program, since different versions will have different “fingerprints.”
By a digital certificate signed by the publisher of the software. This can define a program regardless of where it is stored.
By the UNC path or Registry path that defines where the program file is located. The first is useful if the program will always be located in the same path on all machines; the second is used if the program is located in different folder locations on different machines.
By the Internet Zone from which a program is downloaded. You would use this method if you want users to be able to download and install programs from Internet sites that you’ve marked as trusted.

If there are multiple rules that a program matches, they’re evaluated in the order shown above, with the default rule evaluated last after the four rule types. The most specific match will take precedence.


From:
How Windows Server 2003’s Software Restriction Policies Improve Security
http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html
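
The rule resolution described in the accepted answer, as an added example that is not part of the original post and not Windows' own implementation: a simplified Python model in which rule types rank in the order listed (hash, certificate, path, zone), the longest matching path wins among path rules, and the default level applies when nothing matches. The class and function names, the use of SHA-256 as the fingerprint, the tie-break in favour of Disallowed and all sample paths and file contents are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Rule types in the order the answer lists them; a lower index outranks a higher one.
PRECEDENCE = ["hash", "certificate", "path", "zone"]

@dataclass(frozen=True)
class Rule:
    kind: str    # one of PRECEDENCE
    value: str   # hex digest, publisher name, path prefix or zone name
    level: str   # "Unrestricted" or "Disallowed"

@dataclass(frozen=True)
class Program:
    path: str
    content: bytes
    publisher: Optional[str] = None  # signer of the file, if any
    zone: Optional[str] = None       # Internet zone it was downloaded from, if any

def matches(rule, prog):
    if rule.kind == "hash":  # SHA-256 is this model's choice of fingerprint
        return hashlib.sha256(prog.content).hexdigest() == rule.value.lower()
    if rule.kind == "path":  # case-insensitive match on the folder or the exact file
        p, r = prog.path.lower(), rule.value.lower().rstrip("\\")
        return p == r or p.startswith(r + "\\")
    actual = prog.publisher if rule.kind == "certificate" else prog.zone
    return actual is not None and actual == rule.value

def resolve(prog, rules, default_level):
    """Return (level, deciding_rule); deciding_rule is None when the default applied."""
    hits = [r for r in rules if matches(r, prog)]
    if not hits:
        return default_level, None
    # Rank by rule type, then longest path, then (model assumption) Disallowed on a tie.
    best = min(hits, key=lambda r: (PRECEDENCE.index(r.kind),
                                    -len(r.value) if r.kind == "path" else 0,
                                    r.level != "Disallowed"))
    return best.level, best

# Constructed sample policy and programs (no real paths or hashes).
RULES = [
    Rule("path", r"C:\Program Files", "Unrestricted"),
    Rule("path", r"C:\Program Files\School\Games", "Disallowed"),
    Rule("hash", hashlib.sha256(b"constructed blocked tool").hexdigest(), "Disallowed"),
]
APP = Program(r"C:\Program Files\School\gradebook.exe", b"constructed app")
GAME = Program(r"C:\Program Files\School\Games\game.exe", b"constructed game")
BLOCKED = Program(r"C:\Program Files\School\tool.exe", b"constructed blocked tool")
TEMP = Program(r"C:\Temp\new.exe", b"constructed download")
```

With a Disallowed default, `resolve(TEMP, RULES, "Disallowed")` falls through to the default, while the hash rule blocks `BLOCKED` even though its folder is covered by an Unrestricted path rule.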