Solved

Preventing the users from installing apps.

Posted on 2007-04-07
5
262 Views
Last Modified: 2013-12-04
I have a General Group policy that applies to all workstations and users. I need to make sure that the users cannot install any application (including the small applications, such as google bar, screen savers, themes...etc). Only the Administrators can install that.

I tried to user "Software Restrictions" and set it to "Disallow" but that leads to prevent the users from running any application. Also, I tried to block Windows Installer and set it to Evaluated, but the problem here is that the users have access to "My Documents" folder, which means they can install the application into My Documents, and run them from there.


any help is much appreciated.
Rami
0
Comment
Question by:nammari
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 5

Accepted Solution

by:
drtoto82 earned 125 total points
ID: 18869574
i can do two things :
Make a windows policy that HIDES the Add / Remove programs .
Also, deny running the .msi packages .

This will do 90 % of the job.

Test it and tell me if u need more.
0
 

Author Comment

by:nammari
ID: 18869808
Thanks, how I can deny the .msi?
I was thinking to remove "Write and Execute" on C:\ permissins from the users, and give them access only to My Documents, is this a good idea? Or it may impact some applications?
Finally, most of the applications can be installed using .exe files, how I can prevent that? keeping in mind that I cannot revoke the access to run exe files from the users.


Thanks,
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 125 total points
ID: 18870446
Denying the users write and execute on C:\ will more than likely effect installed applications.

Are all your clients Windows XP?  If so, I would look into software restriction policies.  It allows you to set limits on the type of applications that users can run on a system.  For example, you would create a new GPO using SRPs to limit users to only run Microsoft Office products.  As new software pieces are rolled out, they can be added to the "white" list of allowed applications that can be executed.

Here's a pretty good overview on how it works, with a really good example:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx#E4MAE
0
 
LVL 5

Expert Comment

by:drtoto82
ID: 18873810
The link that anthony provided is very good. It explians exactly how to use group policy to do that job.

I guess you will not need more details.

0
 

Author Comment

by:nammari
ID: 18876520
Thank you all, I solved ths issue by preventing the users from Write/Create into C:\ (except for My Documents), and preventing users from running .msi packages. I think that will do it.

It is really hard to create a SRP and starting allowing the exceptions in a workplace with 50+ computers, and different user needs and requirments.

Thank you all.
Rami
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question