markmcelhone

Group Policy to prevent users installing software

Hi,

We are running Windows 2000 SBS. I am looking to create a Group Policy to prevent users in an OU from being able to install software. Any ideas how I should do this? Thanks in advance.
Abgraal

Do you want to prevent users from installing software from removable media only?
Or do you also want to prevent them from installing through the network?
markmcelhone
The best way to stop anyone installing software is to remove them from the administrators group. Administrators can bypass and/or override GPO settings, so there is little point in trying to set restrictions on the GPO if you have granted local admin to all users.

Cheers

JamesDS

ASKER

Removable media is not really a problem as I know how this can be done through Group Policy (I think). Really it is more to do with them downloading from the net and installing. The reason for the group policy is so that I don't have to go around each machine configuring it.
The only thing about removing them from the local administrators group is that for certain software to run in here admin access is needed.
If you don't need your users to be local administrators on their computers, the best thing to do with GPO is to force the members of the "local administrators" group.
To do that, just name the users you want to be local admin (for ex. Domain admins) in the restricted groups.
(Computer parameters -> security parameters)

While the users won't be admin on their computers, they won't be able to install any software.
Done without going around each machine...

Can you maybe elaborate a bit Abgraal??
If you are using restricted groups, you can restrict the members of a particular group on all your workstations in the domain/OU (depending on the GPO location).
For example, if you add only "Domain admins" to the "local administrators", domain admins will be the only members of this group.
Then your local users won't be able to install software, because they no longer belong to local admins.

To do that, you've got to make your GPO on a station with admin tools installed, otherwise you'll be able to pick up only domain groups. On a station, local groups will be available.

Is this a little more clear?
If you need more details, just ask!

@+
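
An added example, not part of the original thread: a Restricted Groups setting like the one described above is stored in the GPO's `GptTmpl.inf` under `[Group Membership]`, and this Python check reads that section and lists any enforced member of local Administrators other than Domain Admins. The sample template, the domain SID and RID 1104 are constructed for illustration.

```python
import configparser

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of what a Restricted Groups policy writes to GptTmpl.inf.
# Real files are UTF-16 on disk; decode before passing the text in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1104
"""

def restricted_members(inf_text, group=ADMINISTRATORS):
    """Return the enforced member list for `group`, or None if it is not restricted.

    The `__Members` line replaces the group's membership on every machine the
    GPO applies to, so anything not listed here loses local admin rights.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(inf_text)
    if not cp.has_section("Group Membership"):
        return None
    wanted = (group + "__Members").lower()
    for name, value in cp.items("Group Membership"):
        if name.lower() == wanted:
            return [m.strip() for m in value.split(",") if m.strip()]
    return None

def unexpected_admins(inf_text, allowed_rids=("512",)):
    """List enforced local admins whose RID is not allowed (512 = Domain Admins)."""
    members = restricted_members(inf_text)
    if members is None:
        raise ValueError("local Administrators is not restricted by this template")
    return [m for m in members if m.rsplit("-", 1)[-1] not in allowed_rids]

if __name__ == "__main__":
    for sid in unexpected_admins(SAMPLE_INF):
        print("unexpected local admin enforced by policy:", sid)
```
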


It is a little bit clearer but would this not have an effect on those who do need admin privileges? Even though they have admin privileges I want to be able to prevent them from installing apps.
ASKER CERTIFIED SOLUTION
Abgraal

This solution is only available to members.
The goal is to prevent users being able to install programs (possibly downloaded via the internet) even though they may have local admin privileges. Could a Group Policy not be enforced on particular machines? Is there some sort of Software Restriction Policy, like an internet zone rule, that can be enforced to stop the downloading of progs from the net even??
I agree with the above posts. It's hard to accomplish what you wish.

There are software restriction policies that you can set up with group policy, but here's the thing: You either have to 1. block all programs except ones that you specify or 2. know the programs you wish to block.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

While 1. would, I think, accomplish your goal... it is very hard to set up and is often full of problems, etc. and takes a long time to perfect.
Also, they would still be able to download programs from the net, just not run them. Stopping downloading from the net is virtually impossible for all practical purposes. You can block the "save as" command, but if you block the "run as" command, then you also prohibit users from being able to open up pdf files, etc. which in most instances is not a practical thing to do.

If you are really concerned about this then I would also go about this from a policy and procedure standpoint. I'm sure your organization has an acceptable use policy which states users are not allowed to download/install programs without approval... if not, then I suggest implementing this immediately. Talk with upper management and get their support (they should be willing)... if someone installs something without your approval, have management take disciplinary action against the individual. Once people start seeing this is being strictly enforced, then you won't have to worry as much.
Instead of giving them full admin rights on their PCs, can you just grant the special access privileges to certain files and folders on their PCs that will allow their apps to run, but limit it so they cannot install?  I also know some apps need admin rights the first time the user uses the program to write to certain files, then you do not need full admin permissions.
Scrmcna is right. That is the way that I will be (eventually) taking away admin rights from my users.

I have a monster GPO that goes through and sets special permissions on folders and registry entries on the system. Once these permissions are set, then the programs that SAY they need admin rights will usually behave. At that point, you could pull away the admin rights and when you need to use a new application, you can update your GPO to grant the rights that particular app needs and roll it out at that point.

I need to get all my clients to XP, then I'm going to be doing exactly this.

Jared