Solved

Window Active directory

Posted on 2012-03-27
7
237 Views
Last Modified: 2012-04-01
Hi,

We are active directory 2008.

In our organization some users have administrator rights. They are member of Local administrator group.
I want to disable any software installation for that users. After local administrator rights they should not able to install any software but they must allowed to install window update patches via WSUS server.
0
Comment
Question by:sitg
  • 4
  • 2
7 Comments
 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770123
Unfortunately, local administrator rights would allow them to do pretty much anything they wanted on those PCs, including install software.

I would remove the users from the administrators group immediately.

If you're using an AD infrastructure, I would also set up a Group Policy to control the Windows Updates, and make the machines themselves install the updates, taking the administrators out of the equation.

If you're looking at it from a server perspective, please see the write-up here that describes what permissions a client would need to be able to install things from the update folder:  http://msmvps.com/blogs/Athif/articles/43222.aspx




***


For non-administrators to receive update notifications, you can find it in this policy:

Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. In the right pane, open "Allow non-administrators to receive update notifications," and set its property to Enabled. Apply and exit the Group Policy Editor.
0
 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770154
BTW - Please see this write-up on accomplishing exactly what you're asking for...

http://www.sevenforums.com/tutorials/112765-windows-update-enable-disable-who-can-install-updates-setting.html

*Option 2, steps 1 - 9 towards the bottom.

- But keep in mind that I still recommend removing those users from the administrators group.  (Use restricted groups in Group Policy to accomplish this).  http://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx  - Just don't forget to add the users you WANT to be administrators in the group (Like Domain Admins, etc).
0
 

Author Comment

by:sitg
ID: 37770156
I cant remove those users from local administrator group.
Is there any way to disable any software installation ?
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 
LVL 5

Expert Comment

by:usslindstrom
ID: 37770187
You could try enabling the following settings:

"Disable Windows Installer" and "Prohibit User Installs" in the following Group Policy:
Computer Configuration / Administrative Templates / Windows Installer.

Please be careful of this, as if you don't scope it right, it could disable installations for everybody.

Create the Group Policy Object, and apply it to the Computer OU that you need restricted.  - Not sure if that would disallow windows update installs though...  But that goes back to the suggestion of having the PCs update themselves anyway.
0
 
LVL 12
ID: 37770246
Can they be put in the Power Users group? That gives most local Admin rights without the ability to do installs.
0
 

Author Comment

by:sitg
ID: 37780353
Hi usslindstrom,

I want to know one more thing. I will apply this policy to computers ou.
If i deny this group policy template for administrator then administrator is able to install softwares on that computers or not?
0
 
LVL 5

Accepted Solution

by:
usslindstrom earned 500 total points
ID: 37781447
To be honest, I haven't setup that policy in any network I've ever worked in.

It would definately stop installations from users you don't want, but I can't honestly tell you if configuring that setting would make it so other things wouldn't break.  I'd use it with caution.  *I think that turning on that group policy setting would make it so anything that uses the windows installer wouldn't be able to work at all (windows updates, etc).

Antony_Kibble's suggestion about making the users "Power Users" would actually be a VERY good idea in your situation I think.  Those users would be able to do ~most~ everything EXCEPT install any software.  Worth a shot to think it over at least.

Considering your requirements, I wouldn't actually apply the group policy against the computer OU.  If it were me, and I needed to set up something the way you're describing (without removing them from the administrators group) - what I'd actually do is this:

1.  I'd create an active directory "global security" group for all the administrators you would like to make it so they can't install anything.
2.  Put all of those administrator's accounts into the new group you just created.
3.  Create a group policy object that defines the settings listed above ("Disable Windows Installer" and "Prohibit User Installs").
4.  Remove the "Authenticated Users" group from the right of the filter pane, and add the group you created in step 1.
5.  Apply the group policy in the OUs that you need.
6.  Read up on loopback processing, as you're most likely going to want to apply these settings against PCs, only when specific users log in.  http://support.microsoft.com/kb/231287

*I'd still recommend using caution about that setting, as I'm not entirely sure if it wouldn't cause more harm than good...  And I still stand by the idea of removing the users from being Admins all together.

That being said, The above steps should get you what you need.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Autotask Connectwise PSA 3 86
vmware virtual machine from fusion wont boot on workstation, 23 80
Modify logon screen Windows 7 6 45
I/E toolbars 7 29
In a hurry?.. scroll down to "HERE's HOW TO DO IT" Section. Greetings All, I was going to post this as question/solution, but its seems more appropriate as an article considering its length.  I felt it important to illucidate all the details c…
Have you ever had a hard drive that you can't boot into, but need to change the registry? Here is the solution! This article guides you through accessing and editing a registry of a non-primary drive. To read registry information on a non-prim…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question