Software Restriction in Group Policy

Posted on 2007-08-03
Last Modified: 2013-11-05
I need to put some software restrictions on my end users. I am using SBS 2003 (patched) and don't want my end users downloading software (to include IE add-ons or ActiveX), but I don't want it to affect the Administrators group (which includes me). I know that this is a basic thing, but I am a beginner on AD/GP and I have to do this on a production box, so I don't want to screw things up.
Question by: dmcgovern

    Expert Comment

    by: Stephen Manderson
    One way to disable downloads of files would be to enable the option below, but it would be for IE only; if running Firefox, then you would need to get the .adm template for that.

    User Configuration->Administrative Templates->Windows Components->Internet Explorer->Browser Menus->"Disable Save this program to disk option" (Enable)

    Author Comment

    Well, that helps for the one thing. Question is, will that affect the Administrators group?

    Expert Comment

    by: Stephen Manderson
    Doing it in Group Policy, the only other way I could see of doing it is via the registry.

    Take a look here at Debsyl60's answer.

    There's also another couple of options in there with regards to my first post. If you are only planning to use IE then it shouldn't be a problem, as they won't be able to download any other browsers :)

    Expert Comment

    by: Stephen Manderson
    It will only be effective for whatever OU the GPO is linked to, so just be sure it's Domain Users etc. and not Authenticated Users.

    Accepted Solution

    dmcgovern, you can apply policies to Groups.

    Just on the Scope tab of your policy under "Security Filtering" remove the Authenticated Users group and add your Endusers Group.

    Another approach will be to apply a restrictive policy for all users (the default) and a less restrictive policy for the Administrators group.
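
The security filtering change from the accepted solution, scripted as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module (GPMC/RSAT on Windows Server 2008 R2 or later, which SBS 2003 itself does not provide); the GPO name is a hypothetical placeholder and `Endusers` is the group named in the answer. It leaves Authenticated Users with Read instead of removing the entry outright, so computer accounts can still read the GPO.

```powershell
# Added example. Assumes the GroupPolicy module is available and that the
# account running it may edit security on the GPO.
Import-Module GroupPolicy

# Names of every trustee that currently has "Read + Apply group policy".
function Get-GpoApplyTrustee {
    param([Parameter(Mandatory = $true)] [string] $GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,
        [Parameter(Mandatory = $true)] [string] $ApplyToGroup
    )
    $before = @(Get-GpoApplyTrustee -GpoName $GpoName)

    # Downgrade Authenticated Users from Apply to Read. -Replace is required
    # because the cmdlet otherwise never lowers an existing permission level.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Grant Read + Apply to the group that should receive the restrictions.
    Set-GPPermission -Name $GpoName -TargetName $ApplyToGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    $after = @(Get-GpoApplyTrustee -GpoName $GpoName)
    New-Object PSObject -Property @{ Gpo = $GpoName; Before = $before; After = $after }
}

# 'Restrict Software Downloads' is a hypothetical GPO name.
$result = Set-GpoSecurityFilter -GpoName 'Restrict Software Downloads' -ApplyToGroup 'Endusers'
"Applied before: {0}" -f ($result.Before -join ', ')
"Applied after : {0}" -f ($result.After -join ', ')

# Administrators stay exempt only if no remaining Apply entry covers them.
if ($result.After -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users still has Apply; the GPO still reaches administrators.'
}
```

An administrator account that is also a member of `Endusers` still receives the policy, so check group membership before linking the GPO.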

