

Active Directory - Policy

Posted on 2004-10-24
Medium Priority
Last Modified: 2010-04-14
I would like to establish a policy for a particular OU for security purposes that prevents all members of the OU from the following:

- Installing any applications on the local machine
- Changing their network settings on the local machine
- Changing their display settings on the local machine

Basically what I want is only for the users to be able to use their existing applications that I have installed for them. Is the fact that these users have local admin privileges going to be an issue? Or will the policy prevail once they log onto the domain?

Question by:andreacadia

Expert Comment

ID: 12395615
Put them per GPO into the users group and it will be fine.
With admin rights it's hard to prevent what you want to prevent.

Accepted Solution

brownmetals earned 1500 total points
ID: 12395665
Hi there.

Group policy does normally apply to Administrator accounts, but using this article, you can prevent that from happening.

Allowing each user to have local admin privileges isn't in line with Microsoft Best Practices. In fact, I'd highly suggest against it. User access for client machines is best controlled with permissions. That's the main function of permissions. Again, I would highly suggest putting users in user groups, and then assigning permissions to those groups so that users can perform their respective job functions. If each user is given normal user privileges, you also wouldn't have to set up Group Policy for installing applications and changing network settings. Users would not have these privileges in that instance.

To help solve your issue, this article will help you use Group Policy to hide certain control panel icons

This article is for disabling screen saver passwords. In this same section, you can make changes to other display settings options. For example, you can disable access to the screen saver tab completely. You should also be able to disable access to the settings tab. The display dialog box has several tabs. You can select the Group Policy Object that "hides" that tab from the end user.

Group Policy is for gaining centralized control over your network. Allowing clients to have local admin privileges provides less control for you as the administrator. As a suggestion, I would revoke local admin privileges from the users, set up normal user accounts for each client, place clients in a logical group, and then assign permission to that group. Using Local User Groups and Group Policy together will give you great control, and make it much easier to administer.

Hope this is helpful.
Good luck!
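
Added example, not part of the answer above: before revoking local admin rights as the answer recommends, it helps to see which domain accounts actually sit in the local Administrators group on each machine in the OU. The OU path, domain name and allow-list below are placeholders, and the script assumes the RSAT ActiveDirectory module, PowerShell remoting (WinRM) and Windows PowerShell 5.1 or later on the clients.

```powershell
# Audit local Administrators membership on every enabled computer in one OU.
# Placeholders (assumptions, not from the thread): OU path, domain, allow-list.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$Allowed    = @('EXAMPLE\Domain Admins')            # principals that may stay

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name
if (-not $computers) { throw "No enabled computers found under $SearchBase" }

$findings = Invoke-Command -ComputerName $computers `
        -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # query does not depend on the localized group name.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object Name, ObjectClass
} | Where-Object { $Allowed -notcontains $_.Name }

# One row per domain principal that holds local admin and is not allow-listed.
$findings | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, ObjectClass -AutoSize

# Machines that could not be queried still need a manual check.
if ($unreachable) {
    Write-Warning "$($unreachable.Count) remoting error(s); some machines were not audited."
}

# Remediation after review (placeholder machine and account names).
# -WhatIf only reports what would be removed; drop it to apply the change.
# Invoke-Command -ComputerName 'PC-PLACEHOLDER' -ScriptBlock {
#     Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member 'EXAMPLE\jdoe' -WhatIf
# }
```

Local accounts such as the built-in Administrator are deliberately left out of the report because the filter keeps only principals whose source is Active Directory.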


Expert Comment

ID: 13755823
Thanks for answering. Hope you were able to solve the issue to meet your needs.


Question has a verified solution.
