Active Directory - Policy

Posted on 2004-10-24
Last Modified: 2010-04-14
I would like to establish a policy for a particular OU for security purposes that prevents all members of the OU from the following:

- Installing any applications on local machine
- prevents them from changing their network settings on local machine
- prevents them from changing display settings on local machine

Basically what I want is only for the users to be able to use their existing applications that I have installed for them.  Is the fact that these users have local admin privileges going to be an issue? Or will the policy prevail once they log onto the domain?

Question by:andreacadia
    LVL 11

    Expert Comment

    Put them per GPO into the users group and it will be fine.
    With admin rights it's hard to prevent what you want to prevent.
    LVL 4

    Accepted Solution

    Hi there.

    Group policy does normally apply to Administrator accounts, but using this article, you can prevent that from happening.;en-us;315675

    Allowing each user to have local admin privileges isn't in line with Microsoft Best Practices. In fact, I'd highly suggest against it. User access for client machines is best controlled with permissions. That's the main function of permissions. Again, I would highly suggest putting users in user groups, and then assigning permissions to those groups so that users can perform their respective job functions. If each user is given normal user privileges, you also wouldn't have to set up Group Policy for installing applications and changing network settings. Users would not have these privileges in that instance.

    To help solve your issue, this article will help you use Group Policy to hide certain control panel icons;en-us;261241

    This article is for disabling screen saver passwords. In this same section, you can make changes to other display settings options. For example, you can disable access to the screen saver tab completely. You should also be able to disable access to the settings tab. The display dialog box has several tabs. You can select the Group Policy Object that "hides" that tab from the end user.

    Group Policy is for gaining centralized control over your network. Allowing clients to have local admin privileges provides less control for you as the administrator. As a suggestion, I would revoke local admin privileges from the users, set up normal user accounts for each client, place clients in a logical group, and then assign permission to that group. Using Local User Groups and Group Policy together will give you great control, and make it much easier to administer.

    Hope this is helpful.
    Good luck!
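
An added example, not part of the original thread: one way to act on the advice above about revoking local admin rights is to audit who is in each workstation's local Administrators group before tightening Group Policy. The allow-list names (`EXAMPLE\Domain Admins`, `EXAMPLE\Workstation-Admins`) are placeholders, and the script assumes Windows PowerShell 5.1 or later run elevated on the workstation.

```powershell
# Added example: report (and optionally remove) unexpected members of the
# local Administrators group. Uses the Microsoft.PowerShell.LocalAccounts cmdlets.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder allow-list: accounts/groups permitted to stay local admins.
    [string[]]$Allowed = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation-Admins'),
    # Without -Remove the script only reports. Combine with -WhatIf for a dry run.
    [switch]$Remove
)

# Well-known SID of BUILTIN\Administrators; avoids localized group names.
$adminsSid = 'S-1-5-32-544'

try {
    # Can fail if the group contains orphaned SIDs (deleted domain accounts).
    $members = Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop
} catch {
    Write-Error ("Could not enumerate local Administrators on {0}: {1}" -f $env:COMPUTERNAME, $_)
    return
}

foreach ($m in $members) {
    # RID 500 is the built-in Administrator account (local or domain); keep it.
    $isBuiltinAdmin = $m.SID.Value -like 'S-1-5-21-*-500'
    $keep   = $isBuiltinAdmin -or ($Allowed -contains $m.Name)
    $action = 'Keep'

    if (-not $keep) {
        $action = 'Flagged'
        if ($Remove -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -SID $adminsSid -Member $m -ErrorAction Stop
            $action = 'Removed'
        }
    }

    # One record per member, suitable for Export-Csv when collected centrally.
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Member      = $m.Name
        ObjectClass = $m.ObjectClass
        Source      = $m.PrincipalSource
        Action      = $action
    }
}
```

Run it without `-Remove` first and review the `Flagged` rows; users who are removed still need to belong to the local Users group to log on normally.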

    LVL 4

    Expert Comment

    Thanks for the answering. Hope you were able to solve the issue to meet your needs.

