
Prevent Users from Installing Software via GPO

Posted on 2007-11-14
Last Modified: 2012-06-27
All my users, by default, are local administrators.  Is there a GPO setting I can roll out to prevent the install of software?  Or do I have to make them users first and then push out a GPO?  Also, where is the GPO that will simply prevent new software installation?
Question by:securitythreat
9 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 20280408
Why are your users local Admins?  You can't prevent them from installing software as long as they are Admins.

Make them all Users.  If you have non-compliant apps that won't behave as a normal user then import the Security template COMPATWS.inf - this should allow the software to behave.

0
 
LVL 70

Expert Comment

by:KCTS
ID: 20280555
If they must be local admins - (doubtful) then you can make life harder with a GPO that prohibits the running of msi and setup files etc - see http://technet.microsoft.com/en-gb/library/bb457006.aspx

But you will have to place the users in an OU and apply it to the OU. (or filter it so it does not apply to legitimate users)

If they can log on locally - i.e. onto "this computer" and not the domain - then they can get around this, of course.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20280987
There is no local account.  Only local administrators.  The users are part of the local administrators group, thus requiring them to use their AD account to log in.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20281715
You haven't told us why they need to be Administrators.  As long as they are, you'll never be able to prevent them from installing software or making changes they shouldn't.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20281891
If they are only local admins - not domain admins - then you can restrict them with a software restriction as described and they won't have the domain admin rights to get around the policy.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20282906
The local admin access is being removed.  I understand that there is a software restriction list in AD.  However, it looks like you have to approve the applications that need to be able to run.  Is there a way to approve the ones that you don't want running instead?  This would be much easier for us.
0
 
LVL 51

Accepted Solution

by:Netman66 (earned 1500 total points)
ID: 20283022
If local Admin rights are being removed, then they can no longer install software.  No further action is necessary.

0
 
LVL 1

Author Comment

by:securitythreat
ID: 20283065
I thought that too.  However, I just attempted this and installed WinZip with no issues.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20283193
You're absolutely certain you are not in the Administrators or Power Users group locally - either directly or via group membership?

Have you tried this on a machine you have not logged into before?
0
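
The membership check asked about in the last comment can be read from the logon token, which lists local groups held directly or through a nested domain group. This is an added example, not part of the original thread; the function name `Get-PrivilegedTokenGroup` and the sample rows are constructed for illustration.

```powershell
# Added example: function name and sample data are hypothetical/constructed.
# Well-known SIDs of the two local groups named in the comment above.
$PrivilegedSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

function Get-PrivilegedTokenGroup {
    param(
        # CSV rows in the layout of `whoami /groups /fo csv /nh`.
        # Defaults to the access token of the current logon session.
        [string[]]$CsvLine = (whoami /groups /fo csv /nh)
    )
    # /nh drops the (localized) header row, so column names are supplied here.
    $CsvLine |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        Where-Object { $PrivilegedSids.ContainsKey($_.SID) } |
        Select-Object @{ n = 'Group'; e = { $PrivilegedSids[$_.SID] } }, SID, Attributes
}

# Constructed sample: a user who holds Administrators only because a domain
# group (EXAMPLE\Desktop-Support, hypothetical) is nested in the local group.
$sample = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"'
    '"EXAMPLE\Desktop-Support","Group","S-1-5-21-1111111111-2222222222-3333333333-1105","Mandatory group, Enabled by default, Enabled group"'
)
Get-PrivilegedTokenGroup -CsvLine $sample | Format-Table -AutoSize

# Live check, run as the affected user on the workstation in question.
$hits = Get-PrivilegedTokenGroup
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'Token carries neither Administrators nor Power Users.'
}
```

The token is built at logon, so a group removal only shows up here after the user logs off and back on. On systems with UAC, a non-elevated session lists Administrators with a deny-only attribute, which still indicates membership.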
