Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

stopping users installing new softwares

Posted on 2009-04-03
7
Medium Priority
?
271 Views
Last Modified: 2012-05-06

Dear experts
I have a domain controller on win 2003
I want to stop users installing any new software bythemselves and use that only installed by the administrator
Is there a way to block them running the setup.exe and install.exe
Pls help its urgent
Regards
0
Comment
Question by:thabash
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 1

Expert Comment

by:swift0
ID: 24062134
Go to Start > Run > type this in "secpol.msc" and hit enter
Right click Software Restriction Policies and click New Software Restriction Policies.

Now just look at the right setting you need. :)
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24062138
The only way users could install software on a domain controller is if they were domain administrators or server operators (or had delegated permissions).  Why are users allowed to log onto a domain controller?  Is it being used as a terminal server?

Non-administrator users should NEVER be allowed to log onto a domain controller.  You're asking/begging/pleading to lose your job when they hose your network.
0
 
LVL 5

Author Comment

by:thabash
ID: 24062287
Dear swift0:
this solution will stop them running any exe file, on the system
not accepted solution


Dear zelron22:
soory for the mis understanding, i mean they are domain users and having only the domain users rights and they are not accessing the domain controller, i need to stop them intsalling any new software on there workstations which already joined to the domain
hope the question is clear now


0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 15

Expert Comment

by:zelron22
ID: 24062356
Ah, that's better.  You have a few options.  The simplest is to remove them from the local administrators group.

You can create software restrictions using group policy, if for some reason they need to be administrators on their local machines.   This is done under User Configuration, Windows Settings, Seecurity Settings, Software Restriction Policies.

If you're not familiar with Group Policy, you should do a lot of reading and testing first.  If you set a policy incorrectly, it can have a catastrophic effect on your network.

I strongly recommend removing their administrative privileges on their machines.  Tell them to think of them as CC's (company computers) instead of PC's.  There's not much that you can't work around with respect to users not having local admin rights.
0
 
LVL 5

Author Comment

by:thabash
ID: 24063917

Dear zelron22

They don't have administrator right on their pcs but still they can install software

I'm not familiar with the group policy and I would like to hilm me provide me step by step details on how to create a group policy to fix this issue
Could you pls help me with providing the steps

Regards
0
 
LVL 15

Accepted Solution

by:
zelron22 earned 2000 total points
ID: 24064040
If they can install software on their PCs, then they must either be members of the Administrators group or the Power Users group.  In most cases, membership in these can be revoked with little or not other negative effect.

Here's info on setting up Software Restriction  Policies.
http://support.microsoft.com/kb/324036

Configuring group policy in general
http://download.microsoft.com/download/0/0/4/0044470e-5f3a-4569-9255-91f932e4da3b/gpintro.doc
0
 
LVL 5

Author Closing Comment

by:thabash
ID: 31566348
thanks i have to learn more about the GP
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question