Solved

Group Policy to prevent users installing software

Posted on 2004-10-18
Last Modified: 2012-06-22
Hi,

We are running Windows 2000 SBS. I am looking to create a Group Policy to prevent users in an OU from being able to install software. Any ideas how I should do this? Thanks in advance.
Question by:markmcelhone

15 Comments
 
LVL 2

Expert Comment

by:Abgraal
Do you want to prevent users from installing software from removable media only?
Or do you also want to prevent them from installing through the network?
0
 
LVL 16

Expert Comment

by:JamesDS
markmcelhone
The best way to stop anyone installing software is to remove them from the administrators group. Administrators can bypass and/or override GPO settings, so there is little point in trying to set restrictions on the GPO if you have granted local admin to all users.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:markmcelhone
Removable media is not really a problem, as I know how this can be done through Group Policy (I think). Really it is more to do with them downloading from the net and installing. The reason for the group policy is so that I don't have to go around each machine configuring it.
0
 
LVL 1

Author Comment

by:markmcelhone
The only thing about removing them from the local administrators group is that for certain software to run in here, admin access is needed.
0
 
LVL 2

Expert Comment

by:Abgraal
If you don't need your users to be local administrators on their computers, the best thing to do with GPO is to force the members of the "local administrators" group.
To do that, just name the users you want to be local admin (for ex. Domain admins) in the restricted groups.
(Computer parameters -> security parameters)

While the users won't be admin on their computers, they won't be able to install any software.
Done without going around each machine...
0
 
LVL 1

Author Comment

by:markmcelhone
Can you maybe elaborate a bit Abgraal??
0
 
LVL 2

Expert Comment

by:Abgraal
If you are using restricted groups, you can restrict the members of a particular group on all your workstations in the domain/OU (depending on the GPO location).
For example, if you add only "Domain admins" to the "local administrators", domain admins will be the only member of this group.
Then your local users won't be able to install software, because they no longer belong to local admins.

To do that, you have to make your GPO on a station with admin tools installed, otherwise you'll be able to pick only domain groups. On a station, local groups will be available.

Is this a little more clear?
If you need more details, just ask!

@+


0
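The Restricted Groups setting described in the comment above is stored in the GPO's security template (GptTmpl.inf) under `[Group Membership]`. As an added example, not part of the original thread, this Python audit of that section reports who the policy forces into local Administrators; the sample template, its domain SID and the `EXAMPLE\helpdesk` account are constructed, and it assumes the group is recorded by its well-known SID.

```python
import re

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GPO security template (GptTmpl.inf); the domain SID is made up.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,EXAMPLE\\helpdesk
*S-1-5-32-547__Members =
"""

def restricted_groups(inf_text):
    """Return {group: {"Members": [...], "Memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+)__(Members|Memberof)", key.strip(), re.IGNORECASE)
        if not m:
            continue
        group = m.group(1).lstrip("*")  # a leading '*' marks a SID rather than a name
        entries = [e.strip().lstrip("*") for e in value.split(",") if e.strip()]
        groups.setdefault(group, {})[m.group(2).capitalize()] = entries
    return groups

def unexpected_admins(inf_text, allowed):
    """Members the template forces into local Administrators that are not in `allowed`.
    Returns None when the template does not restrict the Administrators group at all."""
    entry = restricted_groups(inf_text).get(ADMINISTRATORS_SID)
    if entry is None or "Members" not in entry:
        return None
    allowed_lc = {a.lower() for a in allowed}
    return [m for m in entry["Members"] if m.lower() not in allowed_lc]
```

An empty `__Members` line, as on the third group in the sample, means the policy empties that group on every machine the GPO applies to, which is different from the group not being listed at all.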

 
LVL 1

Author Comment

by:markmcelhone
It is a little bit clearer, but would this not have an effect on those who do need admin privileges? Even though they have admin privileges, I want to be able to prevent them from installing apps.
0
 
LVL 2

Accepted Solution

by:Abgraal (earned 125 total points)
Yes, it will have an effect. This is the goal: remove admin privileges from users.

Unfortunately, I think it is not possible to prohibit the installation of software since the users are local admins with Win2K GPOs.
0
 
LVL 1

Author Comment

by:markmcelhone
The goal is to prevent users being able to install programs (possibly downloaded via the internet) even though they may have local admin privileges. Could a Group Policy not be enforced on particular machines? Is there some sort of Software Restriction Policy, like an internet zone rule, that can be enforced to stop the downloading of progs from the net even??
0
 
LVL 18

Expert Comment

by:luv2smile
I agree with the above posts. It's hard to accomplish what you wish.

There are software restriction policies that you can set up with group policy, but here's the thing: You either have to 1. block all programs except ones that you specify or 2. know the programs you wish to block.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

While 1. would, I think, accomplish your goal... it is very hard to set up and is often full of problems, etc., and takes a long time to perfect.
0
 
LVL 18

Expert Comment

by:luv2smile
Also, they would still be able to download programs from the net, just not run them. Stopping downloading from the net is virtually impossible for all practical purposes. You can block the "save as" command, but if you block the "run as" command, then you also prohibit users from being able to open up pdf files, etc., which in most instances is not a practical thing to do.

If you are really concerned about this, then I would also go about this from a policy and procedure standpoint. I'm sure your organization has an acceptable use policy which states users are not allowed to download/install programs without approval... if not, then I suggest implementing this immediately. Talk with upper management and get their support (they should be willing)... if someone installs something without your approval, have management take disciplinary action against the individual. Once people start seeing this is being strictly enforced, then you won't have to worry as much.
0
 
LVL 5

Expert Comment

by:scrmcna
Instead of giving them full admin rights on their PCs, can you just grant the special access privileges to certain files and folders on their PCs that will allow their apps to run, but limit it so they cannot install? I also know some apps need admin rights the first time the user uses the program to write to certain files, then you do not need full admin permissions.
0
 
LVL 17

Expert Comment

by:Jared Luker
Scrmcna is right. That is the way that I will be (eventually) taking away admin rights from my users.

I have a monster GPO that goes through and sets special permissions on folders and registry entries on the system. Once these permissions are set, then the programs that SAY they need admin rights will usually behave. At that point, you could pull away the admin rights, and when you need to use a new application, you can update your GPO to grant the rights that particular app needs and roll it out at that point.

I need to get all my clients to XP, then I'm going to be doing exactly this.

Jared
0
