  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5453

Prevent Users from Installing Software via GPO

All my users, by default, are local administrators.  Is there a GPO setting I can roll out to prevent the install of software?
 or
Do I have to make them users first and then push out a GPO?  Also, where is the GPO that will simply prevent new software installation?
0
Asked by: securitythreat
1 Solution
 
Netman66 Commented:
Why are your users local Admins?  You can't prevent them from installing software as long as they are Admins.

Make them all Users.  If you have non-compliant apps that won't behave as a normal user then import the Security template COMPATWS.inf - this should allow the software to behave.

0
 
KCTS Commented:
If they must be local admins - (doubtful) then you can make life harder with a GPO that prohibits the running of msi and setup files etc - see http://technet.microsoft.com/en-gb/library/bb457006.aspx

But you will have to place the users in an OU and apply it to the OU. (or filter it so it does not apply to legitimate users)

If they can log on locally - i.e. onto "this computer" and not the domain - then they can get around this, of course.
0
 
securitythreat (Author) Commented:
There is no local account.  Only local administrators.  The Users are part of the local administrators group.  Thus, requiring them to use their AD account to log in.
0

 
Netman66 Commented:
You haven't told us why they need to be Administrators.  As long as they are, you'll never be able to prevent them from installing software or making changes they shouldn't.
0
 
KCTS Commented:
If they are only local admins - not domain admins - then you can restrict them with a software restriction as described, and they won't have the domain admin rights to get around the policy.
0
 
securitythreat (Author) Commented:
The local admin access is being removed.  I understand that there is a software restriction list in AD.  However, it looks like you have to approve the applications that need to be able to run.  Is there a way to approve the ones that you don't want running instead?  This would be much easier for us.
0
 
Netman66 Commented:
If local Admin rights are being removed, then they can no longer install software.  No further action is necessary.

0
 
securitythreat (Author) Commented:
I thought that too.  However, I just attempted this and installed WinZip with no issues.
0
 
Netman66 Commented:
You're absolutely certain you are not in the Administrators or Power Users group locally - either directly or via group membership?

Have you tried this on a machine you have not logged into before?
0
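
One way to run the check Netman66 asks for in the last comment, as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`) and is run on the workstation while logged on as the affected user; the variable names are illustrative.

```powershell
# Added example: is the logged-on user in Administrators or Power Users,
# directly or through a nested/domain group?

# Well-known SIDs of the two built-in local groups (same on every machine).
$privileged = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

# 1) Effective membership: what the current logon token actually contains.
#    whoami resolves nested and domain-group membership and also lists
#    groups that UAC has marked "Group used for deny only".
#    /nh plus explicit headers keeps the parsing independent of OS language.
$token = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$hits = $token | Where-Object { $privileged.ContainsKey($_.SID) }

if ($hits) {
    foreach ($h in $hits) {
        Write-Warning ("Token contains {0} [{1}]" -f $privileged[$h.SID], $h.Attributes)
    }
} else {
    Write-Output 'Token contains neither Administrators nor Power Users.'
}

# 2) Configured membership: who is in each group on this machine.
#    Entries with ObjectClass 'Group' (for example a domain group) are the
#    usual route by which a user is an admin "via group membership".
foreach ($sid in $privileged.Keys) {
    try {
        Get-LocalGroupMember -SID $sid -ErrorAction Stop |
            Select-Object @{ n = 'LocalGroup'; e = { $privileged[$sid] } },
                          Name, ObjectClass, PrincipalSource
    } catch {
        Write-Output ("Could not enumerate {0}: {1}" -f $privileged[$sid], $_.Exception.Message)
    }
}
```

Group changes only reach the token at the next logon, so log the user off and on again after editing membership before running the first check.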
