Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Preventing the users from installing apps.

Posted on 2007-04-07
5
Medium Priority
?
264 Views
Last Modified: 2013-12-04
I have a General Group policy that applies to all workstations and users. I need to make sure that the users cannot install any application (including the small applications, such as google bar, screen savers, themes...etc). Only the Administrators can install that.

I tried to user "Software Restrictions" and set it to "Disallow" but that leads to prevent the users from running any application. Also, I tried to block Windows Installer and set it to Evaluated, but the problem here is that the users have access to "My Documents" folder, which means they can install the application into My Documents, and run them from there.


any help is much appreciated.
Rami
0
Comment
Question by:nammari
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 5

Accepted Solution

by:
drtoto82 earned 500 total points
ID: 18869574
i can do two things :
Make a windows policy that HIDES the Add / Remove programs .
Also, deny running the .msi packages .

This will do 90 % of the job.

Test it and tell me if u need more.
0
 

Author Comment

by:nammari
ID: 18869808
Thanks, how I can deny the .msi?
I was thinking to remove "Write and Execute" on C:\ permissins from the users, and give them access only to My Documents, is this a good idea? Or it may impact some applications?
Finally, most of the applications can be installed using .exe files, how I can prevent that? keeping in mind that I cannot revoke the access to run exe files from the users.


Thanks,
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 500 total points
ID: 18870446
Denying the users write and execute on C:\ will more than likely effect installed applications.

Are all your clients Windows XP?  If so, I would look into software restriction policies.  It allows you to set limits on the type of applications that users can run on a system.  For example, you would create a new GPO using SRPs to limit users to only run Microsoft Office products.  As new software pieces are rolled out, they can be added to the "white" list of allowed applications that can be executed.

Here's a pretty good overview on how it works, with a really good example:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx#E4MAE
0
 
LVL 5

Expert Comment

by:drtoto82
ID: 18873810
The link that anthony provided is very good. It explians exactly how to use group policy to do that job.

I guess you will not need more details.

0
 

Author Comment

by:nammari
ID: 18876520
Thank you all, I solved ths issue by preventing the users from Write/Create into C:\ (except for My Documents), and preventing users from running .msi packages. I think that will do it.

It is really hard to create a SRP and starting allowing the exceptions in a workplace with 50+ computers, and different user needs and requirments.

Thank you all.
Rami
0

Featured Post

Protect Your Retail Business and Reputation

Wi-Fi access doesn't just impact your business & customer experience, it can also affect your security.  Join us for an informative webinar to learn more about the top threats and trends impacting retail today, and the key solutions to protecting retail networks and reputations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question