Active Directory - Policy

I would like to establish a policy for a particular OU for security purposes that prevents all members of the OU from the following:

- Installing any applications on local machine
- prevents them from changing their network settings on local machine
- prevents them from changing display settings on local machine

Basically what I want is only for the users to be able to use their existing applications that I have installed for them. Is the fact that these users have local admin privileges going to be an issue? Or will the policy prevail once they log onto the domain?


Put them per GPO into the users group and it will be fine.
With admin rights it's hard to prevent what you want to prevent.

Hi there.

Group policy does normally apply to Administrator accounts, but using this article, you can prevent that from happening.;en-us;315675

Allowing each user to have local admin privileges isn't in line with Microsoft Best Practices. In fact, I'd highly suggest against it. User access for client machines is best controlled with permissions. That's the main function of permissions. Again, I would highly suggest putting users in user groups, and then assigning permissions to those groups so that users can perform their respective job functions. If each user is given normal user privileges, you also wouldn't have to set up Group Policy for installing applications and changing network settings. Users would not have these privileges in that instance.

To help solve your issue, this article will help you use Group Policy to hide certain control panel icons;en-us;261241

This article is for disabling screen saver passwords. In this same section, you can make changes to other display settings options. For example, you can disable access to the screen saver tab completely. You should also be able to disable access to the settings tab. The display dialog box has several tabs. You can select the Group Policy Object that "hides" that tab from the end user.

Group Policy is for gaining centralized control over your network. Allowing clients to have local admin privileges provides less control for you as the administrator. As a suggestion, I would revoke local admin privileges from the users, set up normal user accounts for each client, place clients in a logical group, and then assign permission to that group. Using Local User Groups and Group Policy together will give you great control, and make it much easier to administer.

Hope this is helpful.
Good luck!
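
The answer above recommends revoking local admin rights from users. As an added example (not part of the original thread), this PowerShell function lists members of a machine's local Administrators group that are not on an allow list, so you can see which accounts to remove. The function name, allow-list entries and sample accounts are constructed assumptions; the commented last line uses the `Get-LocalGroupMember` cmdlet (Windows PowerShell 5.1 or later).

```powershell
# Added example: report local Administrators members that are not on an allow list.
# Find-UnexpectedLocalAdmin is a hypothetical helper name, not a built-in cmdlet.
function Find-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        # Objects with Name, ObjectClass and PrincipalSource properties
        # (the shape Get-LocalGroupMember emits)
        [Parameter(Mandatory)] [object[]] $Member,
        # Account names that are permitted to stay in the group
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    foreach ($m in $Member) {
        # -notcontains compares strings case-insensitively, like Windows account names
        if ($Allowed -notcontains $m.Name) {
            [pscustomobject]@{
                Name    = $m.Name
                Source  = $m.PrincipalSource
                # A group entry grants admin rights to every account nested in it
                IsGroup = ($m.ObjectClass -eq 'Group')
            }
        }
    }
}

# Constructed sample data (EXAMPLE domain and PC01 are placeholders)
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith';        ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';  ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
)
$allowed = 'PC01\Administrator', 'EXAMPLE\Domain Admins'

# Reports EXAMPLE\jsmith (IsGroup False) and EXAMPLE\Domain Users (IsGroup True)
Find-UnexpectedLocalAdmin -Member $sample -Allowed $allowed | Format-Table -AutoSize

# On a live machine, feed the real group membership instead of the sample:
# Find-UnexpectedLocalAdmin -Member (Get-LocalGroupMember -Group 'Administrators') -Allowed $allowed
```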


Thanks for the answering. Hope you were able to solve the issue to meet your needs.

Windows 2000