Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Preventing users from installing software GPO

Posted on 2013-12-12
5
Medium Priority
?
462 Views
Last Modified: 2013-12-20
I need to prevent regular users from install software on there machines.  I know you can create a GPO to turn off windows installer but I need for Admins to beable to install software and I'm afraid if I turn that off no one will be able to install software.  Is there a way I can disable the windows installer but still have it run with admin rights? Basically I'm trying to stop people from updating or installing things like flash, reader, IE11, google chrome, etc.
0
Comment
Question by:WellingtonIS
  • 2
  • 2
5 Comments
 
LVL 38

Expert Comment

by:Mahesh
ID: 39714084
You can use GPO software restriction polices with appropriate exceptions

Please check below URL for implementation best practises

http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

Note that you must set default software restriction policy level to disallowed

Mahesh
0
 

Author Comment

by:WellingtonIS
ID: 39714120
THis is ok but it's going to require me to allow anything and everything I want to install - basically I'm trying to accomplish denying the using from installing things and allowing the administrator to install it.
0
 
LVL 1

Expert Comment

by:kostbad
ID: 39715358
Disable Windows Installer options:

Never--Windows Installer is fully enabled. Users can install and upgrade software. Windows Installer is enabled by default in Windows.

For non-managed apps only--Users can install only those programs that an administrator assigns (offers on the desktop) or publishes (adds to Add or Remove programs).

Always--Windows Installer is disabled.

-------------------

I think the 2nd option could do your job. Everytime you need to deploy an app, you can publish it thought group policy and it will be available through the add/remove programs menu.
It's much better than sending an admin to every pc to install the software!


Also i might add, that standard users in AD are quite restricted. They can only install certain software with no registry entries.
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39715889
If users are not member of local administrators group and logged on as standard users, by default they cannot install any softwares or device drivers

you can exclude administrators from applying software restrictions policies so that they can install softwares if required.Check below articles

http://technet.microsoft.com/en-us/library/cc776536(v=ws.10).aspx
http://mabdelhamid.wordpress.com/2011/10/23/how-to-configure-applocker-group-policy-to-prevent-software-from-running/

Mahesh
0
 

Author Closing Comment

by:WellingtonIS
ID: 39731714
This plus disabling the service for some specific updates is what I did to stop them from installing software.  Thx
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question