Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Window Active directory

Posted on 2012-03-27
7
Medium Priority
?
244 Views
Last Modified: 2012-04-01
Hi,

We are active directory 2008.

In our organization some users have administrator rights. They are member of Local administrator group.
I want to disable any software installation for that users. After local administrator rights they should not able to install any software but they must allowed to install window update patches via WSUS server.
0
Comment
Question by:sitg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770123
Unfortunately, local administrator rights would allow them to do pretty much anything they wanted on those PCs, including install software.

I would remove the users from the administrators group immediately.

If you're using an AD infrastructure, I would also set up a Group Policy to control the Windows Updates, and make the machines themselves install the updates, taking the administrators out of the equation.

If you're looking at it from a server perspective, please see the write-up here that describes what permissions a client would need to be able to install things from the update folder:  http://msmvps.com/blogs/Athif/articles/43222.aspx




***


For non-administrators to receive update notifications, you can find it in this policy:

Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. In the right pane, open "Allow non-administrators to receive update notifications," and set its property to Enabled. Apply and exit the Group Policy Editor.
0
 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770154
BTW - Please see this write-up on accomplishing exactly what you're asking for...

http://www.sevenforums.com/tutorials/112765-windows-update-enable-disable-who-can-install-updates-setting.html

*Option 2, steps 1 - 9 towards the bottom.

- But keep in mind that I still recommend removing those users from the administrators group.  (Use restricted groups in Group Policy to accomplish this).  http://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx  - Just don't forget to add the users you WANT to be administrators in the group (Like Domain Admins, etc).
0
 

Author Comment

by:sitg
ID: 37770156
I cant remove those users from local administrator group.
Is there any way to disable any software installation ?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770187
You could try enabling the following settings:

"Disable Windows Installer" and "Prohibit User Installs" in the following Group Policy:
Computer Configuration / Administrative Templates / Windows Installer.

Please be careful of this, as if you don't scope it right, it could disable installations for everybody.

Create the Group Policy Object, and apply it to the Computer OU that you need restricted.  - Not sure if that would disallow windows update installs though...  But that goes back to the suggestion of having the PCs update themselves anyway.
0
 
LVL 12
ID: 37770246
Can they be put in the Power Users group? That gives most local Admin rights without the ability to do installs.
0
 

Author Comment

by:sitg
ID: 37780353
Hi usslindstrom,

I want to know one more thing. I will apply this policy to computers ou.
If i deny this group policy template for administrator then administrator is able to install softwares on that computers or not?
0
 
LVL 5

Accepted Solution

by:
usslindstrom earned 2000 total points
ID: 37781447
To be honest, I haven't setup that policy in any network I've ever worked in.

It would definately stop installations from users you don't want, but I can't honestly tell you if configuring that setting would make it so other things wouldn't break.  I'd use it with caution.  *I think that turning on that group policy setting would make it so anything that uses the windows installer wouldn't be able to work at all (windows updates, etc).

Antony_Kibble's suggestion about making the users "Power Users" would actually be a VERY good idea in your situation I think.  Those users would be able to do ~most~ everything EXCEPT install any software.  Worth a shot to think it over at least.

Considering your requirements, I wouldn't actually apply the group policy against the computer OU.  If it were me, and I needed to set up something the way you're describing (without removing them from the administrators group) - what I'd actually do is this:

1.  I'd create an active directory "global security" group for all the administrators you would like to make it so they can't install anything.
2.  Put all of those administrator's accounts into the new group you just created.
3.  Create a group policy object that defines the settings listed above ("Disable Windows Installer" and "Prohibit User Installs").
4.  Remove the "Authenticated Users" group from the right of the filter pane, and add the group you created in step 1.
5.  Apply the group policy in the OUs that you need.
6.  Read up on loopback processing, as you're most likely going to want to apply these settings against PCs, only when specific users log in.  http://support.microsoft.com/kb/231287

*I'd still recommend using caution about that setting, as I'm not entirely sure if it wouldn't cause more harm than good...  And I still stand by the idea of removing the users from being Admins all together.

That being said, The above steps should get you what you need.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My purpose is to describe the basic concepts of virtual memory as implemented in a modern Windows-based operating system. I will also describe the problems inherent in older systems and how virtual memory solves them. The dark ages - before virtu…
This article covers how to install the Microsoft Windows Operating System (OS). What is covered in this article:  > Different Versions and Editions of the Windows OS  > Upgrading versus Fresh Installation of the OS           - Steps to take pr…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question