Restrict from installing software, but part of local admin group

We would like to restrict users from installing any and all applications without requiring to input credentials of an account with rights to install.  This account with rights can be part of a group that was delegated rights or just one particular user.

We currently have domain users and part of local admins group.  When I removed domain users from local admins and left them in the users group it prompts me for someone with admin credentials, which is good.  But the bad part is, it is now prompting for any admin action (I know it's working as designed) such as an elevated command prompt to release/renew ip address, running shortcut marked as "always run as admin".

So the question would be, how can I restrict installing software but not be prompted by UAC for other actions such as releasing/renewing IPs and running shortcut marked as "always run as admin"?

We are running Vista Business with 2k3 R2 servers in a domain
DebelloCaminusAsked:

cuziyqCommented:
You should define the software restriction policies as part of a GPO that applies to members of the Admin group.  The GPO will take precedence.  You could also revoke read permissions to msiexec.exe.  That will stop about 75% of software installs in their tracks, as they will not be able to load their MSI files.
0
DebelloCaminusAuthor Commented:
I have read about software restriction policy, but only found restricting certain programs and that is only if you know where it's going to be installed to.  I would like to restrict all apps from being installed?  Any docs or anything you know of that can walk me through setting up the restriction policy for this?
0
cuziyqCommented:
Ya, I've not played around with software restriction policies that much, but that sounds about right.  I know there is a way to prevent certain programs from running, but I can't remember where it's located.  It blocks them by file name, so if you added SETUP.EXE, INSTALL.EXE, INSTALL.BAT, etc to that list, that would work.  This is how the "disable registry editing tools" policy works.  It just blocks regedit.exe by name.  3rd party regedit tools will still work (there's M$ security for ya!).

The problem with applying a GPO to an administrator is that the admin has the authority to just take back what a GPO takes away.  That's why killing permissions to MSIEXEC.EXE isn't a very good option.
0

DebelloCaminusAuthor Commented:
Going to have to allow all and disallow the list of standard install names like you stated.  Thanks again
0
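
Added example, not part of the thread: a read-only PowerShell check that the policy the thread settles on (allow all, with installer file names disallowed) is actually applied on a machine. It assumes the standard Software Restriction Policy registry location written by Group Policy, and uses the three file names cuziyq mentions as the expected deny list.

```powershell
# Added example: read-only audit of Software Restriction Policy (SRP) state.
# Assumption: the expected deny list is the three names from the thread;
# replace it with the names in your own GPO.
$expected = 'setup.exe', 'install.exe', 'install.bat'

# SRP settings delivered by GPO are stored here (computer and user scope).
$roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
         'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$denied = @()
foreach ($root in $roots) {
    if (-not (Test-Path $root)) {
        Write-Output "$root : no SRP policy applied"
        continue
    }

    # DefaultLevel: 262144 (0x40000) = Unrestricted, 0 = Disallowed.
    $level = (Get-ItemProperty -Path $root).DefaultLevel
    $mode = "other ($level)"
    if ($level -eq 262144) { $mode = 'Unrestricted (allow all)' }
    if ($level -eq 0)      { $mode = 'Disallowed (deny all)' }
    Write-Output "$root : default level = $mode"

    # Disallowed path rules sit under 0\Paths\{GUID}; ItemData is the path or file name.
    $rulesKey = "$root\0\Paths"
    if (Test-Path $rulesKey) {
        foreach ($rule in Get-ChildItem $rulesKey) {
            $item = (Get-ItemProperty -Path $rule.PSPath).ItemData
            if ($item) {
                Write-Output "  disallowed path rule: $item"
                $denied += $item
            }
        }
    }
}

# Flag expected names that no disallowed rule covers (rule leaf may use * or ?).
foreach ($name in $expected) {
    $hit = $denied | Where-Object { $name -like (Split-Path $_ -Leaf) }
    if ($hit) {
        Write-Output "OK      $name is covered by: $($hit -join ', ')"
    } else {
        Write-Output "MISSING $name has no disallowed path rule"
    }
}
```

This confirms that the name rules are present; as noted above for regedit.exe, a rule keyed on file name does not cover the same program under a different name.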
Windows Vista
