[Webinar] Streamline your web hosting managementRegister Today


Restrict from installing software, but part of local admin group

Posted on 2008-01-31
Medium Priority
Last Modified: 2010-08-05
We would like to restrict users from installing any and all applications without requiring to input credentials of an account with rights to install.  This account with rights can be part of a group that was delegated rights or just one particular user.

We currently have domain users and part of local admins group.  When I removed domain users from local admins and left them in the users group it prompts me for someone with admin credentials, which is good.  But the bad part it, it is now prompting for any admin action (I know its working as designed) such as an elevated command prompt to release/renew ip address, running shortcut marked as "always run as admin".

So the question would be, how can I restrict installing software but not be prompted by UAC for other actions such as releasing/renewing IP's and running shortcut marked as "always run as admin"

We are running Vista business with 2k3 r2 servers in an domain
Question by:DebelloCaminus
  • 2
  • 2
LVL 14

Expert Comment

ID: 20790289
You should define the software restriction policies as part of a GPO that applies to members of the Admin group.  The GPO will take precedence.  You could also revoke read permissions to msiexec.exe.  That will stop about 75% of software installs in their tracks, as they will not be able to load their MSI files.

Author Comment

ID: 20790347
I have read about software restriction policy, but only found restricting certain programs and that is only if you know where its going to be installed too.  I would like to restrict all apps from being installed?  Any docs or anything you know of that can walk me throug setting up the restriction policy for this?
LVL 14

Accepted Solution

cuziyq earned 2000 total points
ID: 20790620
Ya, I've not played around with software restriction polcies that much, but that sounds about right.  I know there is a way to prevent certain programs from running, but I can't remember where its located.  It blocks them by file name, so if you added SETUP.EXE, INSTALL.EXE, INSTALL.BAT, etc to that list, that would work.  This is how the "disable registry editing tools" policy works.  It just blocks regedit.exe by name.  3rd party regedit tools will still work (there's M$ security for ya!).

The problem with applying a GPO to an administrator is that the admin has the authority to just take back what a GPO takes away.  That's why killing permissions to MSIEXEC.EXE isn't a very good option.

Author Closing Comment

ID: 31426887
Going to have to allow all and disallow the list of standard install names like you stated.  Thanks again

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Although free tools can be helpful to a limited extent, it’s better to stick to paid versions for business use.
There's never been a better time to become a computer scientist. Employment growth in the field is expected to reach 22% overall by 2020, and if you want to get in on the action, it’s a good idea to think about at least minoring in computer science …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question