How to stop users from installing software?

Posted on 2011-10-04
Last Modified: 2012-05-12
This is using a W2K8 AD domain, and all of the users have to log on to this domain. My management is very concerned about users having the ability to install software. They may install some 3rd-party software that has a virus. What is the best way to prevent them from installing software?
Question by:MezzutOzil
    LVL 28

    Expert Comment

    Quite simply, ensure that your end-users don't utilize an account that has full administrator privileges.  On a modern network there really shouldn't be any reason for them to have those rights, and that would prevent them from installing any software, malicious or otherwise.
    LVL 24

    Expert Comment

    by:Sekar Chinnakannu
    Make sure users are ordinary users and not members of the Power Users & Administrators. Try to implement a restriction policy using Group Policy to block msi files.
    LVL 5

    Accepted Solution

    Run5k is right.

    Make sure that you don't give any more permissions than absolutely necessary.  - And especially don't put users in the "Administrators" group.

    Use Group Policy to achieve what you need.  Read this article, written by Mr. Scott Fulton, it's pretty decent concerning this exact subject:

    But in short, create a policy that only allows members into local PC administrators groups, and put the accounts that you control (Domain Admins / or a group you create "WS Admin" / etc).  It's actually VERY common practice to do it, and I haven't run into a company (Using an AD Domain) that doesn't employ this technique.
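
Added example (not part of the thread or any poster's code): a PowerShell audit for the advice in the accepted answer, listing members of each PC's local Administrators group that are not on an allow-list. The computer list, the allow-list and the English group name "Administrators" are assumptions; "WS Admin" is the example group name from the post.

```powershell
# Constructed sample values: replace with your own PCs and approved accounts.
$Computers = @($env:COMPUTERNAME)
$Allowed   = @('Administrator', 'Domain Admins', 'WS Admin')

function Get-LocalAdminMember {
    param([string]$Computer)
    # The WinNT ADSI provider also works on PowerShell 2.0 (Windows 7 / 2008 R2).
    # Assumes the group is named "Administrators" (English-language Windows).
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $type  = $member.GetType()
        $name  = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Computer = $Computer; Name = $name; Class = $class; ADsPath = $path
        }
    }
}

function Find-UnexpectedAdmin {
    param([string[]]$Computers, [string[]]$Allowed)
    foreach ($c in $Computers) {
        try {
            # -notcontains is case-insensitive; anything not approved is reported.
            Get-LocalAdminMember -Computer $c |
                Where-Object { $Allowed -notcontains $_.Name }
        } catch {
            Write-Warning "Could not query ${c}: $($_.Exception.Message)"
        }
    }
}

# ADsPath shows whether an entry is a local account or a domain account/group.
Find-UnexpectedAdmin -Computers $Computers -Allowed $Allowed |
    Select-Object Computer, Name, Class, ADsPath | Format-Table -AutoSize
```

An empty result means every member of the local Administrators group on the queried PCs is on the allow-list.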
    LVL 10

    Expert Comment

    You can implement a software restriction policy using Group Policy to block specific executables or msi files from being run on targeted users’ machines.

    Group Policy Software Installation Extension Tools and Settings

    You could use AppLocker to create rules to prevent that user from being able to run, say, .exe, .com, .msi, etc. type files.

    Lots of independent software vendors (ISVs) are creating per-user applications that do not require administrative rights to be installed and that are installed and run in the user profile folder. As a result, standard users can install many applications and circumvent the application lockdown policy. With AppLocker, you can prevent users from installing and running per-user applications.

    More info about AppLocker:

    Abhijit Waikar.
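
Added example (not from the thread): an AppLocker policy in audit-only mode that allows standard users to run programs only from Program Files and Windows, so per-user installs in the profile folder show up as "would have been blocked" events before anything is enforced. The rule Ids are constructed GUIDs and the temp file name is an assumption; the SIDs are the well-known ones for Everyone and BUILTIN\Administrators.

```powershell
# Run elevated on a test PC. Without -Merge this replaces the local AppLocker policy.
# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators. Rule Ids are constructed.
Import-Module AppLocker

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Everyone: Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Everyone: Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Administrators: all files"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="44444444-4444-4444-8444-444444444444" Name="Everyone: Installer cache"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Installer\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="55555555-5555-4555-8555-555555555555" Name="Administrators: all installers"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*.*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyFile = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyFile   # no -Ldap given: writes the local policy
Start-Service -Name AppIDSvc                 # rules are evaluated only while this runs

# Event 8003 (EXE/DLL log) and 8006 (MSI/Script log) mean "allowed now, but would be
# blocked if the policy were enforced": these are the per-user installs to review.
'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script' |
    ForEach-Object { Get-WinEvent -LogName $_ -MaxEvents 200 -ErrorAction SilentlyContinue } |
    Where-Object { 8003, 8006 -contains $_.Id } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Once the audit events contain only software that should be blocked, changing `EnforcementMode` from `AuditOnly` to `Enabled` turns the same rules into enforcement.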
    LVL 24

    Expert Comment

    Yes, you should not provide admin rights to users unless and until there is a strong requirement.
    Normally VIP users of the organisation are given admin rights.

    You can apply a restriction policy using Group Policy to block specific executables or msi, but I personally would not recommend the same, as simple mistakes can mean big headaches. You don't need to get any more complex than necessary. Instead, remove the users from the local administrator group and you are done.

    There are other settings also which can be modified on the client PC if the users have admin rights. There's no policy you can flip to prevent the reader as a whole. Admins can install software. If they're smart enough, even if you try to prevent them with GP.

    Note: You can use Software Restriction Policies, but this is a solution that can work but requires you to constantly update hash and/or certificate definitions for that.

    LVL 7

    Expert Comment

    Depending on what version of Win 7 you have, you may want to look at using AppLocker. We have found that unless the users are taught how to install software, even if they are a local admin, sometimes they can't. With the rules in AppLocker you can tell it not to allow standard users to be able to install files from their desktop or even their My Documents without running it as a local admin or having elevated permissions.
