?
Solved

How to stop Software Installation

Posted on 2006-05-20
17
Medium Priority
?
495 Views
Last Modified: 2013-12-07
How to stop clients from installing any software on their PC's using GPO in Windows 2003
0
Comment
Question by:essamfakieh
  • 3
  • 3
  • 3
  • +3
13 Comments
 
LVL 15

Expert Comment

by:Naser Gabaj
ID: 16724685
Greetings essamfakieh,

I don't think that GPO will do the job for you, but I would rather advice you to take them out of Admin, Power users groups, and then you are safe, no one will be able to install anything.

Good Luck!

Naser
0
 
LVL 12

Expert Comment

by:GinEric
ID: 16724825
Set DEP

Go the help, type in DEP, and read it.
0
 
LVL 3

Expert Comment

by:waqaswasib
ID: 16724915
dont give them the rights to install anything . add them as a standard user.
bye
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 8

Accepted Solution

by:
ckumar42 earned 500 total points
ID: 16725029
I'd restrict their user rights as an option first. I actually know companies who restrict access to the C:\ drive and cd/dvd drives - users can have up to administrator access but unless they really good can't in most cases install on their machines. According to Microsoft, if using GPO, if the program users Windows installer, then this should work:
.."you can prohibit user from install some application which
use windows installer. To do so:


Open Server Management > Group Policy Management > forest > domains, expand
to your domain name, right click default domain policy, select edit
Expand computer configuration > Administrative Templates > Windows
Components > windows installer


You can set Disables or restricts the use of Windows Installer option in
the right frame.


This setting can prevent users from installing software on their systems or
permit users to install only those programs offered by a system
administrator.


If you enable this setting, you can use the options in the Disable Windows
Installer box to establish an installation setting.


--   The "Never" option indicates Windows Installer is fully enabled. Users
can install and upgrade software. This is the default behavior for Windows
Installer on Windows 2000 Professional and Windows XP Professional when the
policy is not configured.


--   The "For non-managed apps only" option permits users to install only
those programs that a system administrator assigns (offers on the desktop)
or publishes (adds them to Add or Remove Programs). This is the default
behavior of Windows Installer on Windows Server 2003 family when the policy
is not configured.


--   The "Always" option indicates that Windows Installer is disabled.


This setting affects Windows Installer only. It does not prevent users from
using other methods to install and upgrade programs."

0
 
LVL 3

Expert Comment

by:dmcoop
ID: 16725252
This isn't exactly the answer to your question.  We gave up on using GPO to block installs.  While it can be done the management side seemed to be a bit heavy.  I never tried what ckimar42 suggested . . . that looks interesting and I may try it out now just to get my by for a couple more month.  Long term we are purchasing Desktop Authority because it solves some other issues for us as well.  

Take a look at a product called Desktop Authority from ScriptLogic.  

Here is the link:

http://www.scriptlogic.com/products/desktopauthority/

It is a bit on the expensive side if you are a smaller organization.  We have about 100 computers in our domain and will be purchasing this software in Q3 of this year.

I have seen it demonstrated and was really impressed.  I also know 2 other admins that use it daily and love it.

As the admin you can easily control folks loading software without ever having to touch their machine again (even if they are remote).

Good Luck!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16726138
Keep an inventory of their systems and what software is installed.
If they install something they're not supposed to do - hit them over the head with a big stick.
But first  . . . . have a written policy on exactly what users are expected to do with their company owned PC's.
Whack one or two and the others will quickly get the message.
OK, so you can't whack the over the head - then fire them. Plain and simple.

There's no technical substitute solution for a human problem.
0
 
LVL 15

Expert Comment

by:Naser Gabaj
ID: 16726992
Lrmoore is 100% right and straight forward, and I'm always with him specially when it comes to human problem.
0
 
LVL 8

Expert Comment

by:ckumar42
ID: 16728769
If they  install a malicious software which wrecks havoc on their entire network, any written policy and sacking would be useless as the damage has been done. I am not saying it is wrong to have them, in fact that is the first thing that should happen. A clear policy is always required as to proper use of a company's computers. However that is the bureaucratic part.

As a network admin, if there are concerns someone may install software which can compromise the network or bring headaches should they be audited, a good procedure is to lock them down. An auditing software helps as well. Take my example previously, A large law firm wanted to lock down their users and had an application that required administrator rights for the user on the workstations. They used Group Policy to redirect profiles and My Documents to one of the servers. They then initiated GPOs to stop the user from being able to view any local drives or access the cd/dvd. As groups were used, you could "relax" the policy for admin staff who would require using the cd/dvd for archiving or viewing large evidence files given in CD format.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16728953
Agree 100% - I was being light . . .
Policies and procedures are absolute 1st steps. You must handle both issues - human and technical simultaneously. You must engage users, educate users, and enforce policies. Unfortunately, humans do stupid things an you can't stop them. Give a user a seat belt, and then you have to pass a law to make it mandatory, then you have spend taxpayer $ to give them a ticket a couple times before they start using it.

No technical solution is anything more than an implementation of policies. You must weigh the $cost of enforcement against the risk of alienating your user population. If you simply institute technology solutions, some users will see it as a game to try to circumvent - and you will have escalated the initial problems.

There are several technical solutions today, and as I understand it, MS Vista/Longhorn will have a whole host of new features for Least User Privilege and Group Policies. Ckumar42 has outlined quite nicely one way to do it with current AD GPO's - this is, of course, assuming that you have AD and users are *not* local admins on their own machines and are forced to login with domain credentials..


0
 
LVL 3

Expert Comment

by:dmcoop
ID: 16738770
I am seriously considering implementing the "hit them over the head with a big stick" penalty in my next accpetable usage policy update.  I like that idea a lot.
0
 
LVL 8

Expert Comment

by:ckumar42
ID: 17216762
The actual question "How to stop clients from installing any software on their PC's using GPO in Windows 2003" was answered by myself in 2 posts. Most of the other comments while valid were tangents of the actual question being asked.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17216945
Agree with ckumar42, as my 2nd post referenced his answer..
Points to ckumar42 !
0
 
LVL 3

Expert Comment

by:dmcoop
ID: 17217076
Agree with ckumar42 also.  Points should go to ckumar42.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
In this article I will be showing you how to subnet the easiest way possible for IPv4 (Internet Protocol version 4). This article does not cover IPv6. Keep in mind that subnetting requires lots of practice and time.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question