Solved

Preventing the users from installing apps.

Posted on 2007-04-07
Last Modified: 2013-12-04
I have a General Group policy that applies to all workstations and users. I need to make sure that the users cannot install any application (including the small applications, such as Google bar, screen savers, themes, etc.). Only the Administrators can install that.

I tried to use "Software Restrictions" and set it to "Disallow", but that prevents the users from running any application. Also, I tried to block Windows Installer and set it to Evaluated, but the problem here is that the users have access to the "My Documents" folder, which means they can install the application into My Documents and run it from there.


Any help is much appreciated.
Rami
Question by:nammari

Accepted Solution

by:
drtoto82 earned 125 total points
ID: 18869574
I can do two things:
Make a Windows policy that HIDES the Add / Remove programs.
Also, deny running the .msi packages.

This will do 90% of the job.

Test it and tell me if you need more.

Author Comment

by:nammari
ID: 18869808
Thanks, how can I deny the .msi?
I was thinking of removing "Write and Execute" permissions on C:\ from the users, and giving them access only to My Documents. Is this a good idea? Or might it impact some applications?
Finally, most of the applications can be installed using .exe files; how can I prevent that, keeping in mind that I cannot revoke the access to run exe files from the users?


Thanks,

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 125 total points
ID: 18870446
Denying the users write and execute on C:\ will more than likely affect installed applications.

Are all your clients Windows XP?  If so, I would look into software restriction policies.  It allows you to set limits on the type of applications that users can run on a system.  For example, you would create a new GPO using SRPs to limit users to only run Microsoft Office products.  As new software pieces are rolled out, they can be added to the "white" list of allowed applications that can be executed.

Here's a pretty good overview on how it works, with a really good example:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx#E4MAE

Expert Comment

by:drtoto82
ID: 18873810
The link that Anthony provided is very good. It explains exactly how to use group policy to do that job.

I guess you will not need more details.


Author Comment

by:nammari
ID: 18876520
Thank you all, I solved this issue by preventing the users from Write/Create into C:\ (except for My Documents), and preventing users from running .msi packages. I think that will do it.

It is really hard to create an SRP and start allowing the exceptions in a workplace with 50+ computers, and different user needs and requirements.

Thank you all.
Rami
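
An added example, not part of the thread and not any poster's code: a read-only PowerShell check of the two settings discussed above, the Software Restriction Policy (default level, enforcement scope, path rules) and the Windows Installer policy, so you can confirm on a workstation what the GPO actually delivered. It assumes the settings were applied as computer policy under HKLM (user-side SRP uses the same path under HKCU), and the profile-path match at the end is a simple heuristic.

```powershell
# Added example: read-only audit of the machine-side policies discussed in this thread.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$msiKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-SrpPathRule([int]$Level) {
    # Path rules are stored per security level: 0 = Disallowed, 262144 = Unrestricted.
    $rulesKey = Join-Path $srpKey "$Level\Paths"
    if (-not (Test-Path $rulesKey)) { return }
    Get-ChildItem -Path $rulesKey | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath -Name ItemData -ErrorAction SilentlyContinue).ItemData
    }
}

$levelNames = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
$msiNames   = @{ 0 = 'never disabled'; 1 = 'disabled for non-managed applications'; 2 = 'always disabled' }

$default = Get-PolicyValue $srpKey 'DefaultLevel'
$scope   = Get-PolicyValue $srpKey 'PolicyScope'   # 1 = local administrators are exempt
$msi     = Get-PolicyValue $msiKey 'DisableMSI'
$deny    = @(Get-SrpPathRule 0)
$allow   = @(Get-SrpPathRule 262144)

if ($null -eq $default) {
    'SRP: not configured in machine policy'
} else {
    "SRP default level  : $($levelNames[[int]$default])"
    "SRP applies to     : $(if ($scope -eq 1) { 'all users except local administrators' } else { 'all users' })"
    "Unrestricted paths : $($allow -join '; ')"
    "Disallowed paths   : $($deny -join '; ')"
}
"Windows Installer  : $(if ($null -eq $msi) { 'not configured' } else { $msiNames[[int]$msi] })"

# Heuristic for the gap raised in the question: with an Unrestricted default and no
# Disallowed rule on the profile, executables copied to My Documents still run.
$profileDenied = $deny | Where-Object { $_ -match 'USERPROFILE|Documents' }
if ($default -eq 262144 -and -not $profileDenied) {
    'WARNING: executables under the user profile are not restricted by SRP'
}
```

Run it from an elevated or standard prompt on a client after `gpupdate`; it only reads the registry and changes nothing.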