Solved

stopping users installing new softwares

Posted on 2009-04-03
7
270 Views
Last Modified: 2012-05-06

Dear experts
I have a domain controller on win 2003
I want to stop users installing any new software bythemselves and use that only installed by the administrator
Is there a way to block them running the setup.exe and install.exe
Pls help its urgent
Regards
0
Comment
Question by:thabash
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 1

Expert Comment

by:swift0
ID: 24062134
Go to Start > Run > type this in "secpol.msc" and hit enter
Right click Software Restriction Policies and click New Software Restriction Policies.

Now just look at the right setting you need. :)
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24062138
The only way users could install software on a domain controller is if they were domain administrators or server operators (or had delegated permissions).  Why are users allowed to log onto a domain controller?  Is it being used as a terminal server?

Non-administrator users should NEVER be allowed to log onto a domain controller.  You're asking/begging/pleading to lose your job when they hose your network.
0
 
LVL 5

Author Comment

by:thabash
ID: 24062287
Dear swift0:
this solution will stop them running any exe file, on the system
not accepted solution


Dear zelron22:
soory for the mis understanding, i mean they are domain users and having only the domain users rights and they are not accessing the domain controller, i need to stop them intsalling any new software on there workstations which already joined to the domain
hope the question is clear now


0
Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

 
LVL 15

Expert Comment

by:zelron22
ID: 24062356
Ah, that's better.  You have a few options.  The simplest is to remove them from the local administrators group.

You can create software restrictions using group policy, if for some reason they need to be administrators on their local machines.   This is done under User Configuration, Windows Settings, Seecurity Settings, Software Restriction Policies.

If you're not familiar with Group Policy, you should do a lot of reading and testing first.  If you set a policy incorrectly, it can have a catastrophic effect on your network.

I strongly recommend removing their administrative privileges on their machines.  Tell them to think of them as CC's (company computers) instead of PC's.  There's not much that you can't work around with respect to users not having local admin rights.
0
 
LVL 5

Author Comment

by:thabash
ID: 24063917

Dear zelron22

They don't have administrator right on their pcs but still they can install software

I'm not familiar with the group policy and I would like to hilm me provide me step by step details on how to create a group policy to fix this issue
Could you pls help me with providing the steps

Regards
0
 
LVL 15

Accepted Solution

by:
zelron22 earned 500 total points
ID: 24064040
If they can install software on their PCs, then they must either be members of the Administrators group or the Power Users group.  In most cases, membership in these can be revoked with little or not other negative effect.

Here's info on setting up Software Restriction  Policies.
http://support.microsoft.com/kb/324036

Configuring group policy in general
http://download.microsoft.com/download/0/0/4/0044470e-5f3a-4569-9255-91f932e4da3b/gpintro.doc
0
 
LVL 5

Author Closing Comment

by:thabash
ID: 31566348
thanks i have to learn more about the GP
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question