Group Policy to prevent regular domain users from uninstalling programs


I am trying to create and link a group policy to all regular domain users in my windows server 2008 AD. This group policy job is to prevent those users from uninstalling/removing any programs that was previously installed on their machines.

Knowing that all client PCs are using Windows 7.

Is there such GP to use.

Thank you
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Are you sure your regular users are regular, ie nornal limited users and not power users or administrators on the local machines? Regular users don't have rights to install/uninstall software.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You don't a GPO.  Domain users by default will not have admin access on there device, so they will not have permission to uninstall programs
I agree with kevinhsieh and  Vinchenzo-the-Second.

Bear in mind there are many GPs for controlling control panel "Add/Remove Programs" under User config/policies/admin templates/control panel/ ...

You can always test these using a Test OU :)

The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

ksssgAuthor Commented:
I have another admin that helps me manage the network in my absence.

I asked him if he used his admin rights to remove a symantec end point client from one workstation we have and he said he did not.

This version of symantec end point requires also a password to be removed.

Your right guys, I just checked removing the same program installed on another pc which is also joined to the domain using a different regular domain username, it asked me then for an admin log on info to proceed, hmmm!!!

The thing is that I found one of my domain workstation with no symantec client on!!! and I dont remember uninstalling it, and my other admin says the same too!!!

I also checked the pc for admin rights and all the other users if there was any of them with admin rights and the weird thing is that none of them has admin rights!!!!

I had the symantec end point client installed back on that machine but thats not enough.

I need to know what happend and what username was used at that time to uninstall that end point client from the workstation.

now I am so worried and I dont really know what to do beside changing our admin passwords!.
You need to search through the log files, this will give you an indication when the software was uninstalled, then you can check the security log to see who logged on before the software was uninstalled.  It could be someone who knows the local admin password.
ksssgAuthor Commented:
Yeah, I think your right Vinchenzo-the-Second, there isnt anything else.

Thank you guys for your help.

Appreciate it.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.