
How to stop users from installing software?

This is a W2K8 AD domain, and all of the users have to log on to this domain. My management is very concerned about users having the ability to install software. They may install some third-party software that has a virus. What is the best way to prevent them from installing software?
1 Solution
Quite simply, ensure that your end-users don't utilize an account that has full administrator privileges.  On a modern network there really shouldn't be any reason for them to have those rights, and that would prevent them from installing any software, malicious or otherwise.
Sekar Chinnakannu, Senior Engineer, Commented:
Make sure users are ordinary users and not members of the Power Users & Administrators groups. Try to implement a restriction policy using Group Policy to block MSI files.
Run5k is right.

Make sure that you don't give any more permissions than absolutely necessary.  - And especially don't put users in the "Administrators" group.

Use Group Policy to achieve what you need.  Read this article, written by Mr. Scott Fulton, it's pretty decent concerning this exact subject:


But in short, create a policy that only allows members into local PC administrators groups, and put the accounts that you control (Domain Admins / or a group you create "WS Admin" / etc).  It's actually VERY common practice to do it, and I haven't run into a company (Using an AD Domain) that doesn't employ this technique.
You can implement a software restriction policy using Group Policy to block specific executables or MSI files from being run on targeted users' machines.

Group Policy Software Installation Extension Tools and Settings

You could use AppLocker to create rules to prevent that user from being able to run, say, .exe, .com, .msi, etc. type files.

Lots of independent software vendors (ISVs) are creating per-user applications that do not require administrative rights to be installed and that are installed and run in the user profile folder. As a result, standard users can install many applications and circumvent the application lockdown policy. With AppLocker, you can prevent users from installing and running per-user applications.

More info about AppLocker: http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx

Abhijit Waikar.
Yes, you should not provide admin rights to users unless and until there is a strong requirement.
Normally VIP users of the organisation are given admin rights.

You can apply a restriction policy using Group Policy to block specific executables or MSI files, but I personally would not recommend the same, as simple mistakes can mean big headaches. You don't need to get any more complex than necessary. Instead, remove the users from the local Administrators group and you are done.

There are other settings also which can be modified on the client PC if the users have admin rights. There's no policy you can flip to prevent the reader as a whole. Admins can install software. If they're smart enough, even if you try to prevent them with GP.

Note: You can use Software Restriction Policies, but this is a solution that can work but requires you to constantly update hash and/or certificate definitions for that.

Depending on what version of Win 7 you have, you may want to look at using AppLocker. We have found that unless the users are taught how to install software, even if they are a local admin sometimes they can't. With the rules in AppLocker you can tell it not to allow standard users to be able to install files from their desktop or even their My Documents without running it as a local admin or having elevated permissions.
MezzutOzil, Author, Commented:
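The AppLocker approach raised in the two answers above (blocking per-user installs from profile folders), as an added example that is not part of the original thread: it writes an audit-only policy that lets standard users run only what sits under Program Files and Windows, then checks how files in a profile folder would be treated. The rule names, the output file name and the Downloads folder are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Assumes the AppLocker module is present.
Import-Module AppLocker

# Returns one allow rule in AppLocker policy XML; each rule gets a fresh GUID.
function New-PathRule([string]$Name, [string]$Sid, [string]$Path) {
    $tpl = '<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' +
           '<Conditions><FilePathCondition Path="{3}" /></Conditions></FilePathRule>'
    $tpl -f [guid]::NewGuid(), $Name, $Sid, $Path
}

$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# Standard users may run only what an administrator installed; admins are unrestricted.
$exeRules = (New-PathRule 'Program Files' $everyone '%PROGRAMFILES%\*') +
            (New-PathRule 'Windows folder' $everyone '%WINDIR%\*') +
            (New-PathRule 'Admins any exe' $admins '*')
$msiRules = (New-PathRule 'Windows Installer cache' $everyone '%WINDIR%\Installer\*') +
            (New-PathRule 'Admins any msi' $admins '*')

# AuditOnly logs what would be blocked without blocking anything yet.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">$exeRules</RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">$msiRules</RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'   # hypothetical file name
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# Evaluate the policy against installers and executables sitting in a profile folder.
$candidates = Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -Include *.exe, *.msi `
                  -ErrorAction SilentlyContinue
if ($candidates) {
    $paths = $candidates | ForEach-Object { $_.FullName }
    # No Everyone rule covers the profile, so these are expected to be DeniedByDefault.
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
```

Rules only take effect on clients where the Application Identity service is running; review the audit results before changing `EnforcementMode` from `AuditOnly` to `Enabled`.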
