How to stop Software Installation

How to stop clients from installing any software on their PC's using GPO in Windows 2003
Who is Participating?
I'd restrict their user rights as an option first. I actually know companies who restrict access to the C:\ drive and cd/dvd drives - users can have up to administrator access but unless they really good can't in most cases install on their machines. According to Microsoft, if using GPO, if the program users Windows installer, then this should work:
.."you can prohibit user from install some application which
use windows installer. To do so:

Open Server Management > Group Policy Management > forest > domains, expand
to your domain name, right click default domain policy, select edit
Expand computer configuration > Administrative Templates > Windows
Components > windows installer

You can set Disables or restricts the use of Windows Installer option in
the right frame.

This setting can prevent users from installing software on their systems or
permit users to install only those programs offered by a system

If you enable this setting, you can use the options in the Disable Windows
Installer box to establish an installation setting.

--   The "Never" option indicates Windows Installer is fully enabled. Users
can install and upgrade software. This is the default behavior for Windows
Installer on Windows 2000 Professional and Windows XP Professional when the
policy is not configured.

--   The "For non-managed apps only" option permits users to install only
those programs that a system administrator assigns (offers on the desktop)
or publishes (adds them to Add or Remove Programs). This is the default
behavior of Windows Installer on Windows Server 2003 family when the policy
is not configured.

--   The "Always" option indicates that Windows Installer is disabled.

This setting affects Windows Installer only. It does not prevent users from
using other methods to install and upgrade programs."

Naser GabajE&P Senior Software SpecialistCommented:
Greetings essamfakieh,

I don't think that GPO will do the job for you, but I would rather advice you to take them out of Admin, Power users groups, and then you are safe, no one will be able to install anything.

Good Luck!


Go the help, type in DEP, and read it.
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

dont give them the rights to install anything . add them as a standard user.
This isn't exactly the answer to your question.  We gave up on using GPO to block installs.  While it can be done the management side seemed to be a bit heavy.  I never tried what ckimar42 suggested . . . that looks interesting and I may try it out now just to get my by for a couple more month.  Long term we are purchasing Desktop Authority because it solves some other issues for us as well.  

Take a look at a product called Desktop Authority from ScriptLogic.  

Here is the link:

It is a bit on the expensive side if you are a smaller organization.  We have about 100 computers in our domain and will be purchasing this software in Q3 of this year.

I have seen it demonstrated and was really impressed.  I also know 2 other admins that use it daily and love it.

As the admin you can easily control folks loading software without ever having to touch their machine again (even if they are remote).

Good Luck!
Keep an inventory of their systems and what software is installed.
If they install something they're not supposed to do - hit them over the head with a big stick.
But first  . . . . have a written policy on exactly what users are expected to do with their company owned PC's.
Whack one or two and the others will quickly get the message.
OK, so you can't whack the over the head - then fire them. Plain and simple.

There's no technical substitute solution for a human problem.
Naser GabajE&P Senior Software SpecialistCommented:
Lrmoore is 100% right and straight forward, and I'm always with him specially when it comes to human problem.
If they  install a malicious software which wrecks havoc on their entire network, any written policy and sacking would be useless as the damage has been done. I am not saying it is wrong to have them, in fact that is the first thing that should happen. A clear policy is always required as to proper use of a company's computers. However that is the bureaucratic part.

As a network admin, if there are concerns someone may install software which can compromise the network or bring headaches should they be audited, a good procedure is to lock them down. An auditing software helps as well. Take my example previously, A large law firm wanted to lock down their users and had an application that required administrator rights for the user on the workstations. They used Group Policy to redirect profiles and My Documents to one of the servers. They then initiated GPOs to stop the user from being able to view any local drives or access the cd/dvd. As groups were used, you could "relax" the policy for admin staff who would require using the cd/dvd for archiving or viewing large evidence files given in CD format.

Agree 100% - I was being light . . .
Policies and procedures are absolute 1st steps. You must handle both issues - human and technical simultaneously. You must engage users, educate users, and enforce policies. Unfortunately, humans do stupid things an you can't stop them. Give a user a seat belt, and then you have to pass a law to make it mandatory, then you have spend taxpayer $ to give them a ticket a couple times before they start using it.

No technical solution is anything more than an implementation of policies. You must weigh the $cost of enforcement against the risk of alienating your user population. If you simply institute technology solutions, some users will see it as a game to try to circumvent - and you will have escalated the initial problems.

There are several technical solutions today, and as I understand it, MS Vista/Longhorn will have a whole host of new features for Least User Privilege and Group Policies. Ckumar42 has outlined quite nicely one way to do it with current AD GPO's - this is, of course, assuming that you have AD and users are *not* local admins on their own machines and are forced to login with domain credentials..

I am seriously considering implementing the "hit them over the head with a big stick" penalty in my next accpetable usage policy update.  I like that idea a lot.
The actual question "How to stop clients from installing any software on their PC's using GPO in Windows 2003" was answered by myself in 2 posts. Most of the other comments while valid were tangents of the actual question being asked.
Agree with ckumar42, as my 2nd post referenced his answer..
Points to ckumar42 !
Agree with ckumar42 also.  Points should go to ckumar42.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.