How to stop users from installing software?

This is using a W2K8 AD domain, and all of the users have to log on to this domain. My management is very concerned about users having the ability to install software. They may install some 3rd party software that has a virus. What is the best way to prevent them from installing software?

Quite simply, ensure that your end-users don't utilize an account that has full administrator privileges.  On a modern network there really shouldn't be any reason for them to have those rights, and that would prevent them from installing any software, malicious or otherwise.
Sekar Chinnakannu, Staff Engineer, Commented:
Make sure users are ordinary users and not members of the Power Users & Administrators. Try to implement a restriction policy using Group Policy to block msi files.
Run5k is right.

Make sure that you don't give any more permissions than absolutely necessary.  - And especially don't put users in the "Administrators" group.

Use Group Policy to achieve what you need.  Read this article, written by Mr. Scott Fulton, it's pretty decent concerning this exact subject:

But in short, create a policy that only allows members into local PC administrators groups, and put the accounts that you control (Domain Admins / or a group you create "WS Admin" / etc).  It's actually VERY common practice to do it, and I haven't run into a company (Using an AD Domain) that doesn't employ this technique.
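
One way to check that the local Administrators group on each PC holds only the accounts you control, as the answers above recommend. This is an added example, not part of the original thread; `CONTOSO` and `PC-EXAMPLE-01` are placeholders, and it assumes PowerShell 3.0 or later, an English group name ("Administrators") and admin rights on the machines queried.

```powershell
# Added example: list local Administrators members per PC and flag anything
# that is not on an allow-list. CONTOSO / PC-EXAMPLE-01 are placeholders.
$Computers = @($env:COMPUTERNAME)          # e.g. add 'PC-EXAMPLE-01'
$Allowed   = @('*\Administrator',          # built-in local account
               'CONTOSO\Domain Admins',
               'CONTOSO\WS Admin')         # support group named in the answer

function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$Computer)

    # The WinNT provider works against older clients that lack the LocalAccounts cmdlets.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # Members come back as COM objects; read their properties via reflection.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # WinNT://DOMAIN/name or WinNT://DOMAIN/PC/name -> "DOMAIN\name" or "PC\name".
        # An orphaned SID has a single segment, matches no pattern and is flagged.
        $parts   = @(($adsPath -replace '^WinNT://', '') -split '/')
        $account = ($parts | Select-Object -Last 2) -join '\'

        $isAllowed = $false
        foreach ($pattern in $Allowed) {
            if ($account -like $pattern) { $isAllowed = $true; break }
        }

        [pscustomobject]@{
            Computer   = $Computer
            Account    = $account
            Class      = $class
            Unexpected = -not $isAllowed
        }
    }
}

$report = foreach ($c in $Computers) {
    try   { Get-LocalAdminMember -Computer $c }
    catch { Write-Warning "Could not query ${c}: $($_.Exception.Message)" }
}
$report | Sort-Object Computer, Account | Format-Table -AutoSize
```

Rows with `Unexpected = True` are the accounts to remove before a Group Policy that manages the group's membership is enforced.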


You can implement a software restriction policy using Group Policy to block specific executables or msi files from being run on targeted users’ machines.

Group Policy Software Installation Extension Tools and Settings

You could use AppLocker to create rules to prevent that user from being able to run, say, .exe, .com, .msi, etc. type files.

Lots of independent software vendors (ISVs) are creating per-user applications that do not require administrative rights to be installed and that are installed and run in the user profile folder. As a result, standard users can install many applications and circumvent the application lockdown policy. With AppLocker, you can prevent users from installing and running per-user applications.

More info about Applocker :

Abhijit Waikar.
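
To see whether the per-user install gap described above is actually closed, the effective AppLocker policy can be tested against the files already sitting in user-writable profile folders. This is an added example, not part of the original answer; it assumes a machine where the AppLocker cmdlets are available and a policy is applied, and `Everyone` stands in for a representative standard user.

```powershell
# Added example: report .exe/.msi files in profile folders that the effective
# AppLocker policy would still allow to run.
Import-Module AppLocker

# Assumption: replace with a real standard user (e.g. 'CONTOSO\jdoe', a placeholder)
# so that rules scoped to specific groups are evaluated for that user.
$TestUser = 'Everyone'

# User-writable locations where per-user installers and applications usually land.
$Folders = @("$env:USERPROFILE\Desktop",
             "$env:USERPROFILE\Downloads",
             "$env:USERPROFILE\Documents",
             $env:LOCALAPPDATA)

$files = Get-ChildItem -Path $Folders -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty FullName

if (-not $files) {
    Write-Output 'No .exe or .msi files found in the profile folders checked.'
    return
}

# Evaluate every file against the policy in force on this machine (local + GPO).
$policy  = Get-AppLockerPolicy -Effective
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $files -User $TestUser

# Anything allowed, by an explicit rule or because no rule collection is enforced, is a gap.
$gaps = @($results | Where-Object { $_.PolicyDecision -like 'Allowed*' })

$gaps | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize -Wrap
Write-Output ("{0} of {1} files in profile folders would be allowed to run." -f $gaps.Count, @($results).Count)
```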
Sandeshdubey, Senior Server Engineer, Commented:
Yes, you should not provide admin rights to users unless and until there is a strong requirement.
Normally VIP users of the organisation are given admin rights.

You can apply a restriction policy using Group Policy to block specific executables or msi, but I personally would not recommend the same as simple mistakes can mean big headaches. You don't need to get any more complex than necessary. Instead, remove the users from the local administrator group and you are done.

There are other settings also which can be modified on the client PC if the users have admin rights. There's no policy you can flip to prevent the reader as a whole. Admins can install software. If they're smart enough, even if you try to prevent them with GP.

Note: You can use Software Restriction Policies, but this is a solution that can work but requires you to constantly update hash and/or certificate definitions for that.

Depending on what version of Win 7 you have, you may want to look at using AppLocker. We have found that unless the users are taught how to install software, even if they are a local admin, sometimes they can't. With the rules in AppLocker you can tell it not to allow standard users to be able to install files from their desktop or even their My Documents without running it as a local admin or having elevated permissions.