Preventing users from installing software GPO

I need to prevent regular users from install software on there machines.  I know you can create a GPO to turn off windows installer but I need for Admins to beable to install software and I'm afraid if I turn that off no one will be able to install software.  Is there a way I can disable the windows installer but still have it run with admin rights? Basically I'm trying to stop people from updating or installing things like flash, reader, IE11, google chrome, etc.
WellingtonISAsked:
Who is Participating?
 
MaheshConnect With a Mentor ArchitectCommented:
If users are not member of local administrators group and logged on as standard users, by default they cannot install any softwares or device drivers

you can exclude administrators from applying software restrictions policies so that they can install softwares if required.Check below articles

http://technet.microsoft.com/en-us/library/cc776536(v=ws.10).aspx
http://mabdelhamid.wordpress.com/2011/10/23/how-to-configure-applocker-group-policy-to-prevent-software-from-running/

Mahesh
0
 
MaheshArchitectCommented:
You can use GPO software restriction polices with appropriate exceptions

Please check below URL for implementation best practises

http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

Note that you must set default software restriction policy level to disallowed

Mahesh
0
 
WellingtonISAuthor Commented:
THis is ok but it's going to require me to allow anything and everything I want to install - basically I'm trying to accomplish denying the using from installing things and allowing the administrator to install it.
0
 
kostbadCommented:
Disable Windows Installer options:

Never--Windows Installer is fully enabled. Users can install and upgrade software. Windows Installer is enabled by default in Windows.

For non-managed apps only--Users can install only those programs that an administrator assigns (offers on the desktop) or publishes (adds to Add or Remove programs).

Always--Windows Installer is disabled.

-------------------

I think the 2nd option could do your job. Everytime you need to deploy an app, you can publish it thought group policy and it will be available through the add/remove programs menu.
It's much better than sending an admin to every pc to install the software!


Also i might add, that standard users in AD are quite restricted. They can only install certain software with no registry entries.
0
 
WellingtonISAuthor Commented:
This plus disabling the service for some specific updates is what I did to stop them from installing software.  Thx
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.