Solved

stopping users installing new softwares

Posted on 2009-04-03
7
268 Views
Last Modified: 2012-05-06

Dear experts
I have a domain controller on win 2003
I want to stop users installing any new software bythemselves and use that only installed by the administrator
Is there a way to block them running the setup.exe and install.exe
Pls help its urgent
Regards
0
Comment
Question by:thabash
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 1

Expert Comment

by:swift0
ID: 24062134
Go to Start > Run > type this in "secpol.msc" and hit enter
Right click Software Restriction Policies and click New Software Restriction Policies.

Now just look at the right setting you need. :)
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24062138
The only way users could install software on a domain controller is if they were domain administrators or server operators (or had delegated permissions).  Why are users allowed to log onto a domain controller?  Is it being used as a terminal server?

Non-administrator users should NEVER be allowed to log onto a domain controller.  You're asking/begging/pleading to lose your job when they hose your network.
0
 
LVL 5

Author Comment

by:thabash
ID: 24062287
Dear swift0:
this solution will stop them running any exe file, on the system
not accepted solution


Dear zelron22:
soory for the mis understanding, i mean they are domain users and having only the domain users rights and they are not accessing the domain controller, i need to stop them intsalling any new software on there workstations which already joined to the domain
hope the question is clear now


0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 15

Expert Comment

by:zelron22
ID: 24062356
Ah, that's better.  You have a few options.  The simplest is to remove them from the local administrators group.

You can create software restrictions using group policy, if for some reason they need to be administrators on their local machines.   This is done under User Configuration, Windows Settings, Seecurity Settings, Software Restriction Policies.

If you're not familiar with Group Policy, you should do a lot of reading and testing first.  If you set a policy incorrectly, it can have a catastrophic effect on your network.

I strongly recommend removing their administrative privileges on their machines.  Tell them to think of them as CC's (company computers) instead of PC's.  There's not much that you can't work around with respect to users not having local admin rights.
0
 
LVL 5

Author Comment

by:thabash
ID: 24063917

Dear zelron22

They don't have administrator right on their pcs but still they can install software

I'm not familiar with the group policy and I would like to hilm me provide me step by step details on how to create a group policy to fix this issue
Could you pls help me with providing the steps

Regards
0
 
LVL 15

Accepted Solution

by:
zelron22 earned 500 total points
ID: 24064040
If they can install software on their PCs, then they must either be members of the Administrators group or the Power Users group.  In most cases, membership in these can be revoked with little or not other negative effect.

Here's info on setting up Software Restriction  Policies.
http://support.microsoft.com/kb/324036

Configuring group policy in general
http://download.microsoft.com/download/0/0/4/0044470e-5f3a-4569-9255-91f932e4da3b/gpintro.doc
0
 
LVL 5

Author Closing Comment

by:thabash
ID: 31566348
thanks i have to learn more about the GP
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
GPO Access denied in AD 12 65
Unexpected Windows system folders on D drive 16 98
How to restore security permissions on a file server 4 71
Big Problem with Redirected Folder 8 65
by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question