Solved

Windows Active Directory

Posted on 2012-03-27
Last Modified: 2012-04-01
Hi,

We are on Active Directory 2008.

In our organization some users have administrator rights. They are members of the local Administrators group.
I want to disable any software installation for those users. Even with local administrator rights they should not be able to install any software, but they must be allowed to install Windows update patches via the WSUS server.
Question by:sitg
 
LVL 5

Expert Comment

by:usslindstrom
Unfortunately, local administrator rights would allow them to do pretty much anything they wanted on those PCs, including install software.

I would remove the users from the administrators group immediately.

If you're using an AD infrastructure, I would also set up a Group Policy to control the Windows Updates, and make the machines themselves install the updates, taking the administrators out of the equation.

If you're looking at it from a server perspective, please see the write-up here that describes what permissions a client would need to be able to install things from the update folder:  http://msmvps.com/blogs/Athif/articles/43222.aspx




***


For non-administrators to receive update notifications, you can find it in this policy:

Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. In the right pane, open "Allow non-administrators to receive update notifications," and set its property to Enabled. Apply and exit the Group Policy Editor.
 
LVL 5

Expert Comment

by:usslindstrom
BTW - Please see this write-up on accomplishing exactly what you're asking for...

http://www.sevenforums.com/tutorials/112765-windows-update-enable-disable-who-can-install-updates-setting.html

*Option 2, steps 1 - 9 towards the bottom.

- But keep in mind that I still recommend removing those users from the administrators group.  (Use restricted groups in Group Policy to accomplish this).  http://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx  - Just don't forget to add the users you WANT to be administrators in the group (Like Domain Admins, etc).
 

Author Comment

by:sitg
I can't remove those users from the local Administrators group.
Is there any way to disable any software installation?
 
LVL 5

Expert Comment

by:usslindstrom
You could try enabling the following settings:

"Disable Windows Installer" and "Prohibit User Installs" in the following Group Policy:
Computer Configuration / Administrative Templates / Windows Installer.

Please be careful of this, as if you don't scope it right, it could disable installations for everybody.

Create the Group Policy Object, and apply it to the Computer OU that you need restricted.  - Not sure if that would disallow windows update installs though...  But that goes back to the suggestion of having the PCs update themselves anyway.
 
LVL 12
Can they be put in the Power Users group? That gives most local Admin rights without the ability to do installs.
 

Author Comment

by:sitg
Hi usslindstrom,

I want to know one more thing. I will apply this policy to the computers OU.
If I deny this Group Policy template for the administrator, will the administrator be able to install software on those computers or not?
 
LVL 5

Accepted Solution

by:
usslindstrom earned 500 total points
To be honest, I haven't set up that policy in any network I've ever worked in.

It would definitely stop installations from users you don't want, but I can't honestly tell you if configuring that setting would make it so other things wouldn't break.  I'd use it with caution.  *I think that turning on that group policy setting would make it so anything that uses the Windows Installer wouldn't be able to work at all (Windows updates, etc).

Antony_Kibble's suggestion about making the users "Power Users" would actually be a VERY good idea in your situation I think.  Those users would be able to do ~most~ everything EXCEPT install any software.  Worth a shot to think it over at least.

Considering your requirements, I wouldn't actually apply the group policy against the computer OU.  If it were me, and I needed to set up something the way you're describing (without removing them from the administrators group) - what I'd actually do is this:

1.  I'd create an active directory "global security" group for all the administrators you would like to make it so they can't install anything.
2.  Put all of those administrators' accounts into the new group you just created.
3.  Create a group policy object that defines the settings listed above ("Disable Windows Installer" and "Prohibit User Installs").
4.  Remove the "Authenticated Users" group from the right of the filter pane, and add the group you created in step 1.
5.  Apply the group policy in the OUs that you need.
6.  Read up on loopback processing, as you're most likely going to want to apply these settings against PCs, only when specific users log in.  http://support.microsoft.com/kb/231287

*I'd still recommend using caution about that setting, as I'm not entirely sure if it wouldn't cause more harm than good...  And I still stand by the idea of removing the users from being Admins altogether.

That being said, the above steps should get you what you need.
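
A read-only check that can be run on one of the restricted PCs once the GPO has applied, to see which of the settings named in this thread actually landed and who is still a local administrator. This is an added example, not part of the original thread; it assumes the standard registry locations for the Windows Installer and Windows Update policies and an English-language install where the group is named `Administrators`.

```powershell
# Added example: read-only check of the policy values discussed in this thread.
# Run in an elevated prompt on one of the restricted PCs after `gpupdate /force`.

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$msi = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# DisableMSI is the value behind the "Disable Windows Installer" policy.
$msiMeaning = @{
    0 = 'never disabled'
    1 = 'disabled for non-managed applications only'
    2 = 'always disabled'
}
$disableMsi = Get-PolicyValue $msi 'DisableMSI'
$msiText = if ($null -eq $disableMsi) { 'not configured' } else { $msiMeaning[[int]$disableMsi] }

# AUOptions = 4 means "auto download and schedule the install", i.e. the PC
# patches itself from WSUS without relying on the logged-on user.
$auOptions = Get-PolicyValue "$wu\AU" 'AUOptions'
$report = New-Object PSObject -Property @{
    DisableMSI          = $msiText
    DisableUserInstalls = Get-PolicyValue $msi 'DisableUserInstalls'   # raw value
    WsusServer          = Get-PolicyValue $wu 'WUServer'
    UseWsus             = Get-PolicyValue "$wu\AU" 'UseWUServer'
    AUOptions           = $auOptions
    ElevateNonAdmins    = Get-PolicyValue $wu 'ElevateNonAdmins'
}
$report | Format-List

# Members of the local Administrators group (the accounts the first answer
# recommends removing). Group name assumes an English-language install.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = $group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
'Local Administrators members:'
$admins

# Surface the combination the accepted answer was unsure about.
if ($disableMsi -eq 2 -and $auOptions -ne 4) {
    Write-Warning 'Windows Installer is fully disabled and updates are not set to install automatically; test patching on this PC before wider rollout.'
}
```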