Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 245
  • Last Modified:

Window Active directory

Hi,

We are active directory 2008.

In our organization some users have administrator rights. They are member of Local administrator group.
I want to disable any software installation for that users. After local administrator rights they should not able to install any software but they must allowed to install window update patches via WSUS server.
0
sitg
Asked:
sitg
  • 4
  • 2
1 Solution
 
usslindstromCommented:
Unfortunately, local administrator rights would allow them to do pretty much anything they wanted on those PCs, including install software.

I would remove the users from the administrators group immediately.

If you're using an AD infrastructure, I would also set up a Group Policy to control the Windows Updates, and make the machines themselves install the updates, taking the administrators out of the equation.

If you're looking at it from a server perspective, please see the write-up here that describes what permissions a client would need to be able to install things from the update folder:  http://msmvps.com/blogs/Athif/articles/43222.aspx




***


For non-administrators to receive update notifications, you can find it in this policy:

Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. In the right pane, open "Allow non-administrators to receive update notifications," and set its property to Enabled. Apply and exit the Group Policy Editor.
0
 
usslindstromCommented:
BTW - Please see this write-up on accomplishing exactly what you're asking for...

http://www.sevenforums.com/tutorials/112765-windows-update-enable-disable-who-can-install-updates-setting.html

*Option 2, steps 1 - 9 towards the bottom.

- But keep in mind that I still recommend removing those users from the administrators group.  (Use restricted groups in Group Policy to accomplish this).  http://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx  - Just don't forget to add the users you WANT to be administrators in the group (Like Domain Admins, etc).
0
 
sitgAuthor Commented:
I cant remove those users from local administrator group.
Is there any way to disable any software installation ?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
usslindstromCommented:
You could try enabling the following settings:

"Disable Windows Installer" and "Prohibit User Installs" in the following Group Policy:
Computer Configuration / Administrative Templates / Windows Installer.

Please be careful of this, as if you don't scope it right, it could disable installations for everybody.

Create the Group Policy Object, and apply it to the Computer OU that you need restricted.  - Not sure if that would disallow windows update installs though...  But that goes back to the suggestion of having the PCs update themselves anyway.
0
 
antony_kibble<!-8D58D5C365651885FB5A77A120C8C8C6-->Commented:
Can they be put in the Power Users group? That gives most local Admin rights without the ability to do installs.
0
 
sitgAuthor Commented:
Hi usslindstrom,

I want to know one more thing. I will apply this policy to computers ou.
If i deny this group policy template for administrator then administrator is able to install softwares on that computers or not?
0
 
usslindstromCommented:
To be honest, I haven't setup that policy in any network I've ever worked in.

It would definately stop installations from users you don't want, but I can't honestly tell you if configuring that setting would make it so other things wouldn't break.  I'd use it with caution.  *I think that turning on that group policy setting would make it so anything that uses the windows installer wouldn't be able to work at all (windows updates, etc).

Antony_Kibble's suggestion about making the users "Power Users" would actually be a VERY good idea in your situation I think.  Those users would be able to do ~most~ everything EXCEPT install any software.  Worth a shot to think it over at least.

Considering your requirements, I wouldn't actually apply the group policy against the computer OU.  If it were me, and I needed to set up something the way you're describing (without removing them from the administrators group) - what I'd actually do is this:

1.  I'd create an active directory "global security" group for all the administrators you would like to make it so they can't install anything.
2.  Put all of those administrator's accounts into the new group you just created.
3.  Create a group policy object that defines the settings listed above ("Disable Windows Installer" and "Prohibit User Installs").
4.  Remove the "Authenticated Users" group from the right of the filter pane, and add the group you created in step 1.
5.  Apply the group policy in the OUs that you need.
6.  Read up on loopback processing, as you're most likely going to want to apply these settings against PCs, only when specific users log in.  http://support.microsoft.com/kb/231287

*I'd still recommend using caution about that setting, as I'm not entirely sure if it wouldn't cause more harm than good...  And I still stand by the idea of removing the users from being Admins all together.

That being said, The above steps should get you what you need.
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now