Solved

Group Policy to prevent users installing software

Posted on 2004-10-18
Last Modified: 2012-06-22
Hi,

We are running Windows 2000 SBS. I am looking to create a Group Policy to prevent users in an OU from being able to install software. Any ideas how I should do this? Thanks in advance.
Question by:markmcelhone
15 Comments
 
LVL 2

Expert Comment

by:Abgraal
ID: 12337653
Do you want to prevent users from installing software from removable media only?
Or do you also want to prevent them from installing through the network?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12337683
markmcelhone
The best way to stop anyone installing software is to remove them from the administrators group. Administrators can bypass and/or override GPO settings, so there is little point in trying to set restrictions on the GPO if you have granted local admin to all users.

Cheers

JamesDS
0
 
LVL 1

Author Comment

by:markmcelhone
ID: 12337689
Removable media is not really a problem, as I know how this can be done through Group Policy (I think). Really it is more to do with them downloading from the net and installing. The reason for the group policy is so that I don't have to go around each machine configuring it.
0
 
LVL 1

Author Comment

by:markmcelhone
ID: 12337699
The only thing about removing them from local administrators group is that for certain software to run in here admin access is needed.
0
 
LVL 2

Expert Comment

by:Abgraal
ID: 12337718
If you don't need your users to be local administrators on their computers, the best thing to do with GPO is to force the members of the "local administrators" group.
To do that, just name the users you want to be local admin (e.g. Domain Admins) in the restricted groups.
(Computer parameters -> security parameters)

While the users aren't admins on their computers, they won't be able to install any software.
Done without going around each machine...

0
 
LVL 1

Author Comment

by:markmcelhone
ID: 12337781
Can you maybe elaborate a bit Abgraal??
0
 
LVL 2

Expert Comment

by:Abgraal
ID: 12337888
If you are using restricted groups, you can restrict the members of a particular group on all your workstations in the domain/OU (depending on the GPO location).
For example, if you add only "Domain admins" to the "local administrators", domain admins will be the only members of this group.
Then your local users won't be able to install software, because they no longer belong to local admins.

To do that, you have to create your GPO on a station with admin tools installed, otherwise you'll be able to pick only domain groups. On a station, local groups will be available.

Is this a little clearer?
If you need more details, just ask!

@+


0
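A way to check the result of the Restricted Groups approach described above, as an added example that is not part of the original thread: it compares the local Administrators group on a workstation with the list the policy is meant to enforce. The function name and the `EXAMPLE\Domain Admins` entry are placeholders, and it assumes Windows PowerShell 5.1 or later, so it suits current clients rather than Windows 2000.

```powershell
# Added example (not from the thread): verify what a Restricted Groups policy
# should enforce by comparing local Administrators membership to an allow-list.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

function Test-LocalAdminMembership {
    param(
        # Assumption: placeholder names; list the principals your GPO names.
        [string[]]$Allowed = @('EXAMPLE\Domain Admins', "$env:COMPUTERNAME\Administrator")
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the
    # SID avoids depending on the localized group name.
    try {
        $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
    } catch {
        # Orphaned SIDs (deleted domain accounts) can make the cmdlet fail;
        # report that instead of returning an empty, "clean" result.
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name              # DOMAIN\name or COMPUTER\name
            Type     = $m.ObjectClass       # User or Group
            Source   = $m.PrincipalSource   # Local, ActiveDirectory, ...
            Expected = $Allowed -contains $m.Name   # case-insensitive match
        }
    }
}

# Show only the members the policy should have removed.
Test-LocalAdminMembership | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

An empty table after the next policy refresh means the group matches the allow-list; any row is an account that still has local admin rights.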
 
LVL 1

Author Comment

by:markmcelhone
ID: 12337928
It is a little bit clearer but would this not have an effect on those who do need admin privileges?  Even though they have admin privileges I want to be able to prevent them from installing apps
0
 
LVL 2

Accepted Solution

by:
Abgraal earned 125 total points
ID: 12337969
Yes, it will have an effect. This is the goal: remove admin privileges from users.

Unfortunately, I think it is not possible to prohibit the installation of software since the users are local admins with Win2K GPOs.



0
 
LVL 1

Author Comment

by:markmcelhone
ID: 12338033
The goal is to prevent users being able to install programs (possibly downloaded via the internet) even though they may have local admin privileges. Could a Group Policy not be enforced on particular machines? Is there some sort of Software Restriction Policy, like an internet zone rule, that can be enforced to stop the downloading of progs from the net even??
0
 
LVL 18

Expert Comment

by:luv2smile
ID: 12338158
I agree with the above posts. It's hard to accomplish what you wish.

There are software restriction policies that you can set up with group policy, but here's the thing: You either have to 1.  block all programs except ones that you specify or 2.  know the programs you wish to block.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

While 1. would I think accomplish your goal... it is very hard to set up and is often full of problems, etc. and takes a long time to perfect.
0
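To see which of the two modes described above a machine is actually running, this added example (not part of the original thread) reads the Software Restriction Policy settings that Group Policy writes to the registry. The function name is hypothetical; the key and value names are the standard SRP policy locations, which are processed by Windows XP / Server 2003 and later clients, not by Windows 2000.

```powershell
# Added example (not from the thread): summarize the Software Restriction
# Policy that Group Policy has written to this machine's registry. Read-only.

function Get-SrpSummary {
    param([string]$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers')

    if (-not (Test-Path $Root)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $Root

    # DefaultLevel 0 = Disallowed: option 1 in the post (block all, allow listed).
    # DefaultLevel 0x40000 = Unrestricted: option 2 (allow all, block listed).
    $level = $p.DefaultLevel
    $mode = if ($null -eq $level) { 'DefaultLevel not set' }
        elseif ($level -eq 0) { 'Disallowed by default (allow-list)' }
        elseif ($level -eq 0x40000) { 'Unrestricted by default (block-list)' }
        else { "Other level: $level" }

    # PolicyScope 1 exempts local administrators; 0 applies the rules to them too.
    $scope = if ($null -eq $p.PolicyScope) { 'PolicyScope not set' }
        elseif ($p.PolicyScope -eq 1) { 'All users except local administrators' }
        else { 'All users, including local administrators' }

    # Path rules live under <level>\Paths\{GUID}; ItemData holds the path.
    $rules = foreach ($lvl in '0', '262144') {
        $paths = Join-Path $Root "$lvl\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                [pscustomobject]@{
                    Level = if ($lvl -eq '0') { 'Disallowed' } else { 'Unrestricted' }
                    Path  = (Get-ItemProperty $_.PSPath).ItemData
                }
            }
        }
    }

    [pscustomobject]@{
        Configured  = $true
        DefaultMode = $mode
        AppliesTo   = $scope
        PathRules   = @($rules)
    }
}

Get-SrpSummary | Format-List
(Get-SrpSummary).PathRules | Format-Table -AutoSize
```

Hash, certificate and zone rules are stored in sibling subkeys and are not listed by this sketch.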
 
LVL 18

Expert Comment

by:luv2smile
ID: 12338216
Also, they would still be able to download programs from the net, just not run them. Stopping downloading from the net is virtually impossible for all practical purposes. You can block the "save as" command, but if you block the "run as" command, then you also prohibit users from being able to open up pdf files, etc. which in most instances is not a practical thing to do.

If you are really concerned about this then I would also go about this from a policy and procedure standpoint. I'm sure your organization has an acceptable use policy which states users are not allowed to download/install programs without approval... if not, then I suggest implementing this immediately. Talk with upper management and get their support (they should be willing)... if someone installs something without your approval, have management take disciplinary action against the individual. Once people start seeing this is being strictly enforced, then you won't have to worry as much.
0
 
LVL 5

Expert Comment

by:scrmcna
ID: 12339115
Instead of giving them full admin rights on their PCs, can you just grant the special access privileges to certain files and folders on their PCs that will allow their apps to run, but limit it so they cannot install?  I also know some apps need admin rights the first time the user uses the program to write to certain files, then you do not need full admin permissions.
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12340723
Scrmcna is right.  That is the way that I will be (eventually) taking away admin rights to my users.

I have a monster GPO that goes through and sets special permissions on folders and registry entries on the system. Once these permissions are set, then the programs that SAY they need admin rights will usually behave. At that point, you could pull away the admin rights, and when you need to use a new application, you can update your GPO to grant the rights that particular app needs and roll it out at that point.

I need to get all my clients to XP, then I'm going to be doing exactly this.

Jared
0
