Posted on 2005-03-10
Medium Priority
Last Modified: 2010-04-10
ATTENTION: "mikeleebrla"

As to your answer my question is:

Would I have to add the client username to the local machine admin group at each and every client machine or can I do this from the domain? If so, how?

Now with all clients having local admin rights to the local machine, they are now open for installing apps, utils and software anytime they like. We have installed all necessary apps and software that they need, now we want to lock down so that they cannot install anything. (How do I do this in the GPO and where?) But we still need the client to have admin rights to the local machine due to antivirus updates and installs that may be needed.

Would I have to do this in the Computer config or User config in the domain policy?

The problem is, applications come in different formats, i.e. (exe, bat, com, zip, msi and so on). How do I block all that? Can I?
Question by:hitechauto
LVL 57

Expert Comment

by:Pete Long
ID: 13504604
LOL it's working off Google hits Andy - Andy is gonna be bigger

LVL 57

Expert Comment

by:Pete Long
ID: 13504607
LOL sorry wrong Q
LVL 12

Accepted Solution

GinEric earned 2000 total points
ID: 13508128
You've got a hard way to go kid.  You really need to pick up some information on SMS.  Giving admin rights to all clients is not good.

You could've created a Group, put them all in it, with only special install privileges in certain of their own computer directories.  And no execute outside of their directories.

Second, I think you should start to read the Microsoft documents on implementing a network enterprise solution.

You've got a lot of reading to do. I wondered how you got the job as admin, but figure you're either the boss or the boss's son; don't take me the wrong way, I have nothing against that.

Why don't you tell us how many clients you have and what server you're using?

You're going about the solutions kind of backwards.

Just as an example, we had 20,000 clients at one site.  No one had admin rights at their own computer.  We installed, allowed them to install certain things, run certain things, all without them having access to Administrative Tools, or any way to log into their computers locally. We updated them all, and set all of their permissions from one console.  It didn't take one day.   This is called company security.

If you only have ten or twenty clients, yeah, you can go from machine to machine, but not really with more than 20.

Just something for you to think about. If your network is going to grow beyond 20 computers, you should start reading about SMS and Deployment of an Enterprise Network now.
LVL 12

Expert Comment

ID: 13535898
Thank you, you're a really good admin for taking the advice, which may have seemed harsh to some, but was constructive and hopefully helps and benefits you. You could work for my IT team anytime.


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question