  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 547

Group Policy to disable software install, but allow Windows updates

We have a domain, and I need my domain users to be in the Administrator group because they do their own Windows Updates.

This however lets the user install software and things like IE Toolbars.

Ideas for prevention of toolbar install? Software install restrictions but allow Windows updates?
Using Group Policy?
daniel_smith
Darius Ghassem commented:
If they are local admins then they will be able to install software; there is no way around this. You can set up the system to automatically install the updates, then remove them from the local admin group.
0
 
daniel_smith (Author) commented:
So set them as a LOCAL user?

Can Group Policy be used to force Windows updates to download and install domain-wide?
Will the logged-in user being only a user have any effect on that Group Policy?
0
 
Darius Ghassem commented:
You can create a GPO to set up Automatic Updates.

http://technet.microsoft.com/en-us/library/bb457141.aspx

http://www.windowsitpro.com/article/tips/jsi-tip-7632-how-do-i-configure-automatic-updates-using-group-policy-.aspx

You then remove the users from the admin group and add them to a local user.

Group Policy is applied as admin rights no matter what user is logged in.
0

 
mspiegler commented:
Why not take them out of the Administrator group and set the group policy for Windows Updates [under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Updates] to 'Allow non-administrators to receive update notifications'.

Group policy is explained as this:
If you enable this policy setting, Windows Automatic Update and Microsoft Update will include non-administrators when determining which logged-on user should receive update notifications. Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface, End User License Agreement, or Windows Update setting changes.


0
 
daniel_smith (Author) commented:
So making the user just a USER and setting up GP to do the Windows updates sounds good.

But if it's an update that requires a confirmation, etc., they are out of luck?
0
 
Darius Ghassem commented:
They should be able to confirm if you set the option above.
0
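
Added example, not posted by anyone in this thread: a PowerShell check to run on a workstation to confirm that the Automatic Updates GPO and the 'Allow non-administrators to receive update notifications' setting have applied, and that no ordinary users remain in the local Administrators group. It assumes PowerShell 5.1 or later in an elevated session; the `$allowed` list and the `EXAMPLE\Domain Admins` name are placeholders to replace with your own.

```powershell
# Added example. Run in an elevated PowerShell 5.1+ session on a workstation
# after the GPO has applied (gpupdate /force).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the policy has not written this value on this machine.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Meaning of the "Configure Automatic Updates" option stored in AUOptions.
$auOptionText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
$auOptions    = Get-PolicyValue $auKey 'AUOptions'
$elevate      = Get-PolicyValue $wuKey 'ElevateNonAdmins'

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    AutomaticUpdatesByPolicy  = ($null -ne $auOptions) -and ($noAutoUpdate -ne 1)
    AUOption                  = if ($null -ne $auOptions) { $auOptionText[[int]$auOptions] } else { 'not set by policy' }
    NonAdminsGetNotifications = ($elevate -eq 1)
} | Format-List

# Assumption: the only accounts that should stay in local Administrators.
# 'EXAMPLE\Domain Admins' is a placeholder domain group name.
$allowed = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\Domain Admins')

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$unexpected = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $allowed -notcontains $_.Name }

if ($unexpected) {
    Write-Warning 'Accounts still able to install software as local admin:'
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource
} else {
    Write-Output 'No unexpected members in local Administrators.'
}
```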
