stopping users installing new softwares


Dear experts
I have a domain controller on win 2003
I want to stop users installing any new software bythemselves and use that only installed by the administrator
Is there a way to block them running the setup.exe and install.exe
Pls help its urgent
Regards
LVL 5
thabashAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
zelron22Connect With a Mentor Commented:
If they can install software on their PCs, then they must either be members of the Administrators group or the Power Users group.  In most cases, membership in these can be revoked with little or not other negative effect.

Here's info on setting up Software Restriction  Policies.
http://support.microsoft.com/kb/324036

Configuring group policy in general
http://download.microsoft.com/download/0/0/4/0044470e-5f3a-4569-9255-91f932e4da3b/gpintro.doc
0
 
swift0Commented:
Go to Start > Run > type this in "secpol.msc" and hit enter
Right click Software Restriction Policies and click New Software Restriction Policies.

Now just look at the right setting you need. :)
0
 
zelron22Commented:
The only way users could install software on a domain controller is if they were domain administrators or server operators (or had delegated permissions).  Why are users allowed to log onto a domain controller?  Is it being used as a terminal server?

Non-administrator users should NEVER be allowed to log onto a domain controller.  You're asking/begging/pleading to lose your job when they hose your network.
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
thabashAuthor Commented:
Dear swift0:
this solution will stop them running any exe file, on the system
not accepted solution


Dear zelron22:
soory for the mis understanding, i mean they are domain users and having only the domain users rights and they are not accessing the domain controller, i need to stop them intsalling any new software on there workstations which already joined to the domain
hope the question is clear now


0
 
zelron22Commented:
Ah, that's better.  You have a few options.  The simplest is to remove them from the local administrators group.

You can create software restrictions using group policy, if for some reason they need to be administrators on their local machines.   This is done under User Configuration, Windows Settings, Seecurity Settings, Software Restriction Policies.

If you're not familiar with Group Policy, you should do a lot of reading and testing first.  If you set a policy incorrectly, it can have a catastrophic effect on your network.

I strongly recommend removing their administrative privileges on their machines.  Tell them to think of them as CC's (company computers) instead of PC's.  There's not much that you can't work around with respect to users not having local admin rights.
0
 
thabashAuthor Commented:

Dear zelron22

They don't have administrator right on their pcs but still they can install software

I'm not familiar with the group policy and I would like to hilm me provide me step by step details on how to create a group policy to fix this issue
Could you pls help me with providing the steps

Regards
0
 
thabashAuthor Commented:
thanks i have to learn more about the GP
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.