Group Policy to disable software install, but allow Windows updates

We have a domain, and I need my domain users to be in the Administrator group because they do their own Windows Updates.

This however lets the user install software and things like IE Toolbars.

Ideas for prevention of toolbar install? Software install restrictions but allow Windows updates?
Using Group Policy?

Darius Ghassem Commented:
If they are local admins then they will be able to install software; there is no way around this. You can set up the system to automatically install the updates, then remove them from the local admin group.

daniel_smith (Author) Commented:
So set them as a LOCAL user?

Can group policy be used to domain wide force Windows updates to download and install?
Will the user logged in being only a user have any effect on that group policy?

Darius Ghassem Commented:
You can create a GPO to set up Automatic Updates.

You then remove the users from the admin group and add them to a local user.

Group Policy is applied as admin rights no matter what user is logged in.
Why not take them out of the Administrator group and set the group policy for Windows Updates [under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Updates] to 'Allow non-administrators to receive update notifications'.

Group policy is explained as this:
If you enable this policy setting, Windows Automatic Update and Microsoft Update will include non-administrators when determining which logged-on user should receive update notifications. Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface, End User License Agreement, or Windows Update setting changes.

daniel_smith (Author) Commented:
So making the user just a USER and setting up GP to do the Windows updates sounds good.

But if it's an update that requires a confirmation, etc., they are out of luck?

Darius Ghassem Commented:
They should be able to confirm if you set the option above.
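
Added example, not part of the thread or written by its participants: a PowerShell check to run on a workstation after the GPO has applied, confirming that Automatic Updates is policy-driven, that the non-administrator notification setting is enabled, and that no unexpected accounts remain in the local Administrators group. It assumes Windows PowerShell 5.1 or later and that only the built-in Administrator and Domain Admins are expected as local admins; adjust that baseline to your environment.

```powershell
# Added example (not from the thread). Reads the Windows Update policy values
# written by the GPO and lists unexpected local Administrators members.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Meaning of the AUOptions policy value.
$auText = @{
    2 = 'notify before download'
    3 = 'auto download, notify to install'
    4 = 'auto download and scheduled install'
    5 = 'local admin chooses the setting'
}

$findings = New-Object System.Collections.Generic.List[string]
$noAuto   = Get-PolicyValue $auKey 'NoAutoUpdate'
$auOpt    = Get-PolicyValue $auKey 'AUOptions'
$elevate  = Get-PolicyValue $wuKey 'ElevateNonAdmins'

if ($noAuto -eq 1) {
    $findings.Add('Automatic Updates is disabled by policy')
} elseif ($null -eq $auOpt) {
    $findings.Add('Automatic Updates is not configured by Group Policy')
} else {
    Write-Output "Automatic Updates: $($auText[[int]$auOpt])"
}

if ($elevate -ne 1) {
    $findings.Add('"Allow non-administrators to receive update notifications" is not enabled')
}

# Assumed baseline: only the built-in Administrator (RID 500) and Domain Admins
# (RID 512) stay in local Administrators (well-known SID S-1-5-32-544).
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -notmatch '-500$|-512$' } |
    ForEach-Object { $findings.Add("Unexpected local admin: $($_.Name) [$($_.ObjectClass)]") }

if ($findings.Count -eq 0) {
    Write-Output 'OK: updates are policy-driven and no extra local admins found'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```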