Restrict from installing software, but part of local admin group
We would like to restrict users from installing any and all applications without requiring to input credentials of an account with rights to install. This account with rights can be part of a group that was delegated rights or just one particular user.
We currently have domain users and part of local admins group. When I removed domain users from local admins and left them in the users group it prompts me for someone with admin credentials, which is good. But the bad part it, it is now prompting for any admin action (I know its working as designed) such as an elevated command prompt to release/renew ip address, running shortcut marked as "always run as admin".
So the question would be, how can I restrict installing software but not be prompted by UAC for other actions such as releasing/renewing IP's and running shortcut marked as "always run as admin"
We are running Vista business with 2k3 r2 servers in an domain
We currently have domain users and part of local admins group. When I removed domain users from local admins and left them in the users group it prompts me for someone with admin credentials, which is good. But the bad part it, it is now prompting for any admin action (I know its working as designed) such as an elevated command prompt to release/renew ip address, running shortcut marked as "always run as admin".
So the question would be, how can I restrict installing software but not be prompted by UAC for other actions such as releasing/renewing IP's and running shortcut marked as "always run as admin"
We are running Vista business with 2k3 r2 servers in an domain
You should define the software restriction policies as part of a GPO that applies to members of the Admin group. The GPO will take precedence. You could also revoke read permissions to msiexec.exe. That will stop about 75% of software installs in their tracks, as they will not be able to load their MSI files.
ASKER
I have read about software restriction policy, but only found restricting certain programs and that is only if you know where its going to be installed too. I would like to restrict all apps from being installed? Any docs or anything you know of that can walk me throug setting up the restriction policy for this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Going to have to allow all and disallow the list of standard install names like you stated. Thanks again