Solved

stopping users installing new softwares

Posted on 2009-04-03
7
265 Views
Last Modified: 2012-05-06

Dear experts
I have a domain controller on win 2003
I want to stop users installing any new software bythemselves and use that only installed by the administrator
Is there a way to block them running the setup.exe and install.exe
Pls help its urgent
Regards
0
Comment
Question by:thabash
  • 3
  • 3
7 Comments
 
LVL 1

Expert Comment

by:swift0
ID: 24062134
Go to Start > Run > type this in "secpol.msc" and hit enter
Right click Software Restriction Policies and click New Software Restriction Policies.

Now just look at the right setting you need. :)
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24062138
The only way users could install software on a domain controller is if they were domain administrators or server operators (or had delegated permissions).  Why are users allowed to log onto a domain controller?  Is it being used as a terminal server?

Non-administrator users should NEVER be allowed to log onto a domain controller.  You're asking/begging/pleading to lose your job when they hose your network.
0
 
LVL 5

Author Comment

by:thabash
ID: 24062287
Dear swift0:
this solution will stop them running any exe file, on the system
not accepted solution


Dear zelron22:
soory for the mis understanding, i mean they are domain users and having only the domain users rights and they are not accessing the domain controller, i need to stop them intsalling any new software on there workstations which already joined to the domain
hope the question is clear now


0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 15

Expert Comment

by:zelron22
ID: 24062356
Ah, that's better.  You have a few options.  The simplest is to remove them from the local administrators group.

You can create software restrictions using group policy, if for some reason they need to be administrators on their local machines.   This is done under User Configuration, Windows Settings, Seecurity Settings, Software Restriction Policies.

If you're not familiar with Group Policy, you should do a lot of reading and testing first.  If you set a policy incorrectly, it can have a catastrophic effect on your network.

I strongly recommend removing their administrative privileges on their machines.  Tell them to think of them as CC's (company computers) instead of PC's.  There's not much that you can't work around with respect to users not having local admin rights.
0
 
LVL 5

Author Comment

by:thabash
ID: 24063917

Dear zelron22

They don't have administrator right on their pcs but still they can install software

I'm not familiar with the group policy and I would like to hilm me provide me step by step details on how to create a group policy to fix this issue
Could you pls help me with providing the steps

Regards
0
 
LVL 15

Accepted Solution

by:
zelron22 earned 500 total points
ID: 24064040
If they can install software on their PCs, then they must either be members of the Administrators group or the Power Users group.  In most cases, membership in these can be revoked with little or not other negative effect.

Here's info on setting up Software Restriction  Policies.
http://support.microsoft.com/kb/324036

Configuring group policy in general
http://download.microsoft.com/download/0/0/4/0044470e-5f3a-4569-9255-91f932e4da3b/gpintro.doc
0
 
LVL 5

Author Closing Comment

by:thabash
ID: 31566348
thanks i have to learn more about the GP
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now