techieguy_100
asked on
Deny local admin accounts rights to install
We are in an active directory environementwindows server 2003, all users are members of the local admin groups on their computers (thanks to Oracal). I want to deny members of local admins the right to install software, download software to their local drives. Only the domain administrator is to have this right.
Last Comment
ASKER
The users are using windows xp pro, I was looking in the group policy, but didn't see anything in there that would do the trick.
Hi!
There is no way to prevent members of local administrators group to install software. Actually there is no way to prevent them from doing anything. You should be looking at your problem from different point of view. Why does application need local administrator's permission and right to run? The proper way of solving this problem is to run application under standard user account with Process Monitor or similar program, which should identify resources (mainly registry and file system) to which access is denied. Change permissions on these registry keys and or file/folders only and remove users fromlocal administrator's group.
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
HTH
Toni
There is no way to prevent members of local administrators group to install software. Actually there is no way to prevent them from doing anything. You should be looking at your problem from different point of view. Why does application need local administrator's permission and right to run? The proper way of solving this problem is to run application under standard user account with Process Monitor or similar program, which should identify resources (mainly registry and file system) to which access is denied. Change permissions on these registry keys and or file/folders only and remove users fromlocal administrator's group.
Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
HTH
Toni
ASKER
That is the answer I was expecting, but not the one I was hoping for.
Glen
Glen
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I only say this is partial because my problem isn't really solved, but it's probably as good as it's going to get. Thanks
OS Security
Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.
22K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
Since you already have Active Directory installed, you could create an OU called Limited Users or something similar and add the appropriate users in that OU then utilize group policy snap-in to create a policy of not allowing software installation?
If you have fewer workstations to manage, you will probably have to edit the settings in each of them and move them to a different group than local admin.