Link to home
Start Free TrialLog in
Avatar of daniel_smith
daniel_smithFlag for United States of America

asked on

Group Policy to disbale software install, but allow windows updates

We have a domain, and I need my domain users to be in the Administrator group because they do their own Windows Updates.

This however lets the user install software and things like IE Toolbars.

Ideas for prevention of toolbar install? Software install restrictions but allow Windows updates?
Using Group Policy ?
ASKER CERTIFIED SOLUTION
Avatar of Darius Ghassem
Darius Ghassem
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of daniel_smith

ASKER

So set them as a LOCAL user?

Can group policy be used to domain wide force windows updates to download and install?
Will the user logged in being only a user have any effect on that group policy?
You can create a GPO to setup Automatic updates.

http://technet.microsoft.com/en-us/library/bb457141.aspx

http://www.windowsitpro.com/article/tips/jsi-tip-7632-how-do-i-configure-automatic-updates-using-group-policy-.aspx

You then remove the users from the admin group and add them to a local user.

Group Policy is applied as admin rights no matter what user is logged in.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
So making the user just a USER and setting up GP to do the windows updates sounds good.

But if its an update that requires a confirmation, etc they are out of luck?
They should be able to confirm if you set the option above.