Solved

Prevent Users from Installing Software via GPO

Posted on 2007-11-14
Last Modified: 2012-06-27
All my users, by default, are local administrators. Is there a GPO setting I can roll out to prevent the install of software? Or do I have to make them users first and then push out a GPO? Also, where is the GPO that will simply prevent new software installation?
Question by:securitythreat
9 Comments
 

Expert Comment

by:Netman66
Why are your users local Admins?  You can't prevent them from installing software as long as they are Admins.

Make them all Users.  If you have non-compliant apps that won't behave as a normal user then import the Security template COMPATWS.inf - this should allow the software to behave.


Expert Comment

by:KCTS
If they must be local admins - (doubtful) then you can make life harder with a GPO that prohibits the running of msi and setup files etc - see http://technet.microsoft.com/en-gb/library/bb457006.aspx

But you will have to place the users in an OU and apply it to the OU. (or filter it so it does not apply to legitimate users)

If they can log on locally - i.e. onto "this computer" and not the domain - then they can get around this, of course.

Author Comment

by:securitythreat
There is no local account. Only local administrators. The users are part of the local administrators group. Thus, requiring them to use their AD account to log in.

Expert Comment

by:Netman66
You haven't told us why they need to be Administrators. As long as they are, you'll never be able to prevent them from installing software or making changes they shouldn't.

Expert Comment

by:KCTS
If they are only local admins - not domain admins - then you can restrict them with a software restriction as described, and they won't have the domain admin rights to get around the policy.

Author Comment

by:securitythreat
The local admin access is being removed. I understand that there is a software restriction list in AD. However, it looks like you have to approve the applications that need to be able to run. Is there a way to approve the ones that you don't want running instead? This would be much easier for us.

Accepted Solution

by:Netman66 (earned 500 total points)
If local Admin rights are being removed, then they can no longer install software.  No further action is necessary.


Author Comment

by:securitythreat
I thought that too. However, I just attempted this and installed WinZip with no issues.

Expert Comment

by:Netman66
You're absolutely certain you are not in the Administrators or Power Users group locally - either directly or via group membership?

Have you tried this on a machine you have not logged into before?
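
One way to run the membership check asked about above, as an added example that is not part of the original thread: it reads the groups in the current logon token, which includes membership inherited through nested groups. The helper name `Get-PrivilegedTokenGroup` and the sample lines are constructed for illustration; it assumes `whoami.exe` and, for the last step, PowerShell 5.1's `Get-LocalGroupMember`.

```powershell
# Added example (not from the thread). Well-known SIDs are used instead of
# group names so the check also works on non-English Windows installs.
$privileged = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

# Hypothetical helper: takes the lines printed by
#   whoami /groups /fo csv /nh
# and returns only the entries for the two privileged local groups.
function Get-PrivilegedTokenGroup {
    param([string[]]$WhoamiCsv)
    $WhoamiCsv |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        Where-Object { $privileged.ContainsKey($_.SID) } |
        Select-Object Name, SID, Attributes
}

# Constructed sample input, shaped like whoami output for a user who is
# still an administrator through some group membership.
$sample = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
)
'--- constructed sample ---'
Get-PrivilegedTokenGroup -WhoamiCsv $sample | Format-Table -AutoSize

# Live check against the token of the account running this script.
'--- current logon token ---'
$hits = Get-PrivilegedTokenGroup -WhoamiCsv (whoami /groups /fo csv /nh)
if ($hits) { $hits | Format-Table -AutoSize }
else       { 'Token holds neither Administrators nor Power Users.' }

# Show who is listed in each local group, to spot a domain group
# (for example one that contains every user) that grants the rights.
foreach ($sid in $privileged.Keys) {
    try {
        Get-LocalGroupMember -SID $sid -ErrorAction Stop |
            Select-Object @{ n = 'LocalGroup'; e = { $privileged[$sid] } },
                          Name, ObjectClass, PrincipalSource
    } catch {
        "Could not enumerate $($privileged[$sid]): $($_.Exception.Message)"
    }
}
```

The token is built at logon, so a user removed from a group keeps the old membership until they log off and back on.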