Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 664
  • Last Modified:

Group Policy to prevent users installing software

Hi,

we are running Windows 2000 SBS.  I am looking to create a Group Policy to prevent users in an OU from being able to install software, any ideas how I should do this?  Thanks in advance
0
markmcelhone
Asked:
markmcelhone
  • 5
  • 4
  • 2
  • +3
1 Solution
 
AbgraalCommented:
You want to prenvent user to install software from removable medias only ?
Or do you want also to prenvent them to install thru the network ?
0
 
JamesDSCommented:
markmcelhone
The best way to stop anyone installing software is to remove them from the administrators group. Administrators can bypass and/or override GPO settings, so there is little point in trying to set restrictions on the GPO if you have granted local admin to all users.

Cheers

JamesDS
0
 
markmcelhoneAuthor Commented:
Removeable media is not really a problem as know this how this can be done through Group Policy (I think).  Really it is more to do with them downloading from the net and installing.  The reason for the group policy is so that dont have to go around each machine configuring it.
0
New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

 
markmcelhoneAuthor Commented:
The only thing about removing them from local administrators group is that for certain software to run in here admin access is needed.
0
 
AbgraalCommented:
If you don't need your users to be local administrators on their computers, the best thing to do with GPO is to force the members of the "local administrators" group.
To do that, just name the users you whant to be local admin (for ex. Domain admins) in the restricted groups.
(Computer parameters -> security parameters)

While the users won't be admin on their computers, they won't be able to install any software.
Done without go around each machine...

0
 
markmcelhoneAuthor Commented:
Can you maybe elaborate a bit Abgraal??
0
 
AbgraalCommented:
If you are using restricted group, you can restrict the members of a particular group on all your workstation in the domain/OU (depending on the GPO location)
For example, if you add only "Domain admins" to the "local administrators", domain admins will be the only member of this group.
Then your local users won't be able to install software, because they no longer belong to local admins.

To do that, you got to make your gpo on a station with admin tools installed, otherwise you'll be able to pick-up only domain groups. On a station, local groups will be available.

Is this a little more clear ?
If you need more details, just ask !

@+


0
 
markmcelhoneAuthor Commented:
It is a little bit clearer but would this not have an effect on those who do need admin privileges?  Even though they have admin privileges I want to be able to prevent them from installing apps
0
 
AbgraalCommented:
Yes, it will have an effect. This is the goal : remove admin privileges to users

Unfortunately, I think it is not possible to prohibit the installations of softwares since the users are local admins with Win2K GPO's.



0
 
markmcelhoneAuthor Commented:
The goal is to prevent users being able to prevent users being able to install programs (possibly downloaded via the internet) even though they may have local admin privileges.  Could a Group Policy not be enforced on particular machines?Is there some sort of Software Restriction Policylike  and internet zone rule that can be enforced to stop the downloading of progs from the net even??
0
 
luv2smileCommented:
I agree with the above posts. Its hard to accomplish what you wish.

There are software restriction policies that you can set up with group policy, but here's the thing: You either have to 1.  block all programs except ones that you specify or 2.  know the programs you wish to block.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

While 1. would I think accomplish your goal....it is very hard to setup and is often full of problems, etc. and takes a long time to perfect.
0
 
luv2smileCommented:
Also, they would still be able to download programs from the net, just not run them. Stopping downloading from the net is virtually impossible for all practical purposes. You can block the "save as" command, but if you block the "run as" command, then you also prohibit users from being able to open up pdf files, etc. which in most instances is not a practical thing to do.

If you are really concerned about this then I would also go about this from a policy and procedure standpoint. I'm sure your organization has an acceptable use policy which states users are not allowed to download/install programs without approval...if not, then I suggest to implement this immediately. Talk with upper managment and get there support (they should be willing)....if someone installs something without your approval, have mangament take disciplinary action against the individual. Once people start seeing this is being strictly enforced, then you won't have to worry as much.
0
 
scrmcnaCommented:
Instead of giving them full admin rights on their PCs, can you just grant the special access privileges to certain files and folders on their PCs that will allow their apps to run, but limit it so they cannot install?  I also know some apps need admin rights the first time the user uses the program to write to certain files, then you do not need full admin permissions.
0
 
Jared LukerCommented:
Scrmcna is right.  That is the way that I will be (eventually) taking away admin rights to my users.

I have a monster gpo that goes through and sets special permissions on folders and registry entries the the system.  Once these permissions are set, then the programs that SAY they need admin rights, will usually behave.  At that point, you could pull away the admin rights and when you need to use a new application, you can update your GPO to grant the rights that particular app needs and roll it out at that point.

I need to get all my clients to XP, then I'm going to be doing exactly this.

Jared
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 5
  • 4
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now