Solved

Preventing the users from installing apps.

Posted on 2007-04-07
5
257 Views
Last Modified: 2013-12-04
I have a General Group policy that applies to all workstations and users. I need to make sure that the users cannot install any application (including the small applications, such as google bar, screen savers, themes...etc). Only the Administrators can install that.

I tried to user "Software Restrictions" and set it to "Disallow" but that leads to prevent the users from running any application. Also, I tried to block Windows Installer and set it to Evaluated, but the problem here is that the users have access to "My Documents" folder, which means they can install the application into My Documents, and run them from there.


any help is much appreciated.
Rami
0
Comment
Question by:nammari
  • 2
  • 2
5 Comments
 
LVL 5

Accepted Solution

by:
drtoto82 earned 125 total points
ID: 18869574
i can do two things :
Make a windows policy that HIDES the Add / Remove programs .
Also, deny running the .msi packages .

This will do 90 % of the job.

Test it and tell me if u need more.
0
 

Author Comment

by:nammari
ID: 18869808
Thanks, how I can deny the .msi?
I was thinking to remove "Write and Execute" on C:\ permissins from the users, and give them access only to My Documents, is this a good idea? Or it may impact some applications?
Finally, most of the applications can be installed using .exe files, how I can prevent that? keeping in mind that I cannot revoke the access to run exe files from the users.


Thanks,
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 125 total points
ID: 18870446
Denying the users write and execute on C:\ will more than likely effect installed applications.

Are all your clients Windows XP?  If so, I would look into software restriction policies.  It allows you to set limits on the type of applications that users can run on a system.  For example, you would create a new GPO using SRPs to limit users to only run Microsoft Office products.  As new software pieces are rolled out, they can be added to the "white" list of allowed applications that can be executed.

Here's a pretty good overview on how it works, with a really good example:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx#E4MAE
0
 
LVL 5

Expert Comment

by:drtoto82
ID: 18873810
The link that anthony provided is very good. It explians exactly how to use group policy to do that job.

I guess you will not need more details.

0
 

Author Comment

by:nammari
ID: 18876520
Thank you all, I solved ths issue by preventing the users from Write/Create into C:\ (except for My Documents), and preventing users from running .msi packages. I think that will do it.

It is really hard to create a SRP and starting allowing the exceptions in a workplace with 50+ computers, and different user needs and requirments.

Thank you all.
Rami
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now