Solved

Windows Active Directory

Posted on 2012-03-27
Last Modified: 2012-04-01
Hi,

We are on Active Directory 2008.

In our organization some users have administrator rights. They are members of the local Administrators group.
I want to disable any software installation for those users. With local administrator rights, they should not be able to install any software, but they must be allowed to install Windows Update patches via the WSUS server.
Question by:sitg
7 Comments
 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770123
Unfortunately, local administrator rights would allow them to do pretty much anything they wanted on those PCs, including install software.

I would remove the users from the administrators group immediately.

If you're using an AD infrastructure, I would also set up a Group Policy to control the Windows Updates, and make the machines themselves install the updates, taking the administrators out of the equation.

If you're looking at it from a server perspective, please see the write-up here that describes what permissions a client would need to be able to install things from the update folder:  http://msmvps.com/blogs/Athif/articles/43222.aspx




***


For non-administrators to receive update notifications, you can find it in this policy:

Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. In the right pane, open "Allow non-administrators to receive update notifications," and set its property to Enabled. Apply and exit the Group Policy Editor.
0
 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770154
BTW - Please see this write-up on accomplishing exactly what you're asking for...

http://www.sevenforums.com/tutorials/112765-windows-update-enable-disable-who-can-install-updates-setting.html

*Option 2, steps 1 - 9 towards the bottom.

- But keep in mind that I still recommend removing those users from the administrators group.  (Use restricted groups in Group Policy to accomplish this).  http://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx  - Just don't forget to add the users you WANT to be administrators in the group (Like Domain Admins, etc).
0
 

Author Comment

by:sitg
ID: 37770156
I can't remove those users from the local Administrators group.
Is there any way to disable any software installation?
0

 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770187
You could try enabling the following settings:

"Disable Windows Installer" and "Prohibit User Installs" in the following Group Policy:
Computer Configuration / Administrative Templates / Windows Installer.

Please be careful of this, as if you don't scope it right, it could disable installations for everybody.

Create the Group Policy Object, and apply it to the Computer OU that you need restricted.  - Not sure if that would disallow windows update installs though...  But that goes back to the suggestion of having the PCs update themselves anyway.
0
 
LVL 12
ID: 37770246
Can they be put in the Power Users group? That gives most local Admin rights without the ability to do installs.
0
 

Author Comment

by:sitg
ID: 37780353
Hi usslindstrom,

I want to know one more thing. I will apply this policy to the computers OU.
If I deny this group policy template for the administrator, will the administrator be able to install software on those computers or not?
0
 
LVL 5

Accepted Solution

by:
usslindstrom earned 2000 total points
ID: 37781447
To be honest, I haven't set up that policy in any network I've ever worked in.

It would definitely stop installations from users you don't want, but I can't honestly tell you if configuring that setting would make it so other things wouldn't break.  I'd use it with caution.  *I think that turning on that group policy setting would make it so anything that uses the Windows Installer wouldn't be able to work at all (Windows updates, etc).

Antony_Kibble's suggestion about making the users "Power Users" would actually be a VERY good idea in your situation I think.  Those users would be able to do ~most~ everything EXCEPT install any software.  Worth a shot to think it over at least.

Considering your requirements, I wouldn't actually apply the group policy against the computer OU.  If it were me, and I needed to set up something the way you're describing (without removing them from the administrators group) - what I'd actually do is this:

1.  I'd create an Active Directory "global security" group for all the administrators you would like to make it so they can't install anything.
2.  Put all of those administrators' accounts into the new group you just created.
3.  Create a group policy object that defines the settings listed above ("Disable Windows Installer" and "Prohibit User Installs").
4.  Remove the "Authenticated Users" group from the right of the filter pane, and add the group you created in step 1.
5.  Apply the group policy in the OUs that you need.
6.  Read up on loopback processing, as you're most likely going to want to apply these settings against PCs, only when specific users log in.  http://support.microsoft.com/kb/231287

*I'd still recommend using caution about that setting, as I'm not entirely sure if it wouldn't cause more harm than good...  And I still stand by the idea of removing the users from being Admins altogether.

That being said, the above steps should get you what you need.
0
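A read-only check to run on a target PC after the policy discussed in this thread is applied, showing whether the two Windows Installer settings actually reached the machine and who is currently in the local Administrators group. This is an added example, not code from the thread; the function names are hypothetical, and it assumes the documented registry values `DisableMSI` and `DisableUserInstalls` under the Installer policy key and an English-language group name.

```powershell
# Added example: read-only check of installer policy state and local admin membership.
# Assumption: the two policies write DisableMSI / DisableUserInstalls under this key.
$InstallerPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'

# Documented meanings of DisableMSI (the "Disable Windows Installer" policy)
$DisableMsiMeaning = @{
    0 = 'Never disabled'
    1 = 'Disabled for non-managed applications only'
    2 = 'Always disabled'
}

function Get-InstallerPolicyState {
    param([string]$KeyPath = $InstallerPolicyKey)

    # Default when the GPO never applied to this machine
    $state = @{ DisableMSI = 'Not configured'; DisableUserInstalls = 'Not configured' }
    if (Test-Path $KeyPath) {
        $values = Get-ItemProperty -Path $KeyPath
        if ($null -ne $values.DisableMSI) {
            $raw = [int]$values.DisableMSI
            $meaning = $DisableMsiMeaning[$raw]
            if (-not $meaning) { $meaning = 'Unrecognized value' }
            $state.DisableMSI = "$raw ($meaning)"
        }
        if ($null -ne $values.DisableUserInstalls) {
            # Reported as the raw DWORD; no interpretation is attempted here
            $state.DisableUserInstalls = [int]$values.DisableUserInstalls
        }
    }
    New-Object PSObject -Property $state
}

function Get-LocalAdministrators {
    # Assumes the built-in group is named "Administrators" (English-language Windows)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # Each member is a COM object; read its ADsPath via late binding
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

Get-InstallerPolicyState | Format-List
'Members of local Administrators:'
Get-LocalAdministrators
```

Members of the local Administrators group can write under HKLM, so a result of "Always disabled" reflects the state at the time of the check, not a guarantee that it stays that way.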
