• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 730
  • Last Modified:

Windows 7 pc joined to a domain allows users to install software

I have a windows 7 pc in a demo environment that is allowing domain users to install software even though they are not part of the local or admin groups of the computer.

Here are some quick Q & A to the problem

1. Is the domain user part of local admin group ? NO
2. Does the user belong to AD group that is in the local Admin group ? NO
3. Is the domain user part of local poweruser group ? NO
4. Does the user belong to AD group that is in the local poweruser group ? NO
5. Is the domain user part of Domain Admin group ? NO
6. Are there any group policy applied to this computer to allow this behavior ? NO
7. Is this computer joined to the domain ? Yes
8. Does this happen with other users on this specific computer ? Yes
9. Does this happen with on other computers joined to same demo domain ? NO
10. Have you rebooted ? Yes
11. Have you run gpupdate and gpudate /force ? Yes
12. Have you tried unjoining and re-joining computer to demo domain ? No I would like to find the technical reason for why this happened.

Demo Environment runs Windows Server 2008 R2

Thanks, sorry about long Q / A but it will save everyone from wasting time with whats already been tried.
0
GTTech2010
Asked:
GTTech2010
  • 4
  • 3
  • 2
  • +2
1 Solution
 
Thomas GrassiSystems AdministratorCommented:
I found this for your reading

http://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7

Group policy settings are the beginning.

If you have laptops then you even have more concerns.
0
 
GTTech2010Author Commented:
Thanks for the link but I'm not asking how to prevent users from installing via group policy or registry settings.

I'm asking how to find out WHY out of the blue a single desktop on the demo domain is allowing users to install software regardless of the permissions they are allowed.

I would like suggestions of places (registry, net user, net localgroup, group policy) to look why this might have happened.
0
 
Thomas GrassiSystems AdministratorCommented:
Try running this

gpresult /r

this will tell you what policies is on this computer.

May even if you ran  gpupdate  it may not have worked correctly

Check out the results it should tell you a lot.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
GTTech2010Author Commented:
Thanks, I will give that a try
0
 
Donald StewartNetwork AdministratorCommented:
12. Have you tried unjoining and re-joining computer to demo domain ? No I would like to find the technical reason for why this happened.


My question would be have you moved the computer from the Default "Computers" OU  ??

Have you verified the computers memberships in ADUC ???
0
 
WiReDWolfCommented:
It's possible that particular machine has settings in the Local Security Policy that are not being overriden by a domain policy.  If it's just one machine then there must be local policies applied granting restricted users unrestricted access to install software.

Local Security Policy --> expand Security Settings
- Local Policies
-- user rights assignment
-- security options
- Application Control Policies
-- AppLocker
0
 
GTTech2010Author Commented:
WiReDWolf, I'm trying your suggestion later today and will get back to you.


dstewartjr, that is not the case, but thanks for the suggestion
0
 
Thomas GrassiSystems AdministratorCommented:
what was the results of the gpresult /r ?  please post
0
 
WiReDWolfCommented:
The gpresult /r may also point to which GPO's are applied and if a GPO has been applied to this particular machine granting extended rights to restricted users.  I agree with trgrassijr55 - if the local security policy doesn't show anything then it's probably a GPO.
0
 
compdigit44Commented:
Have you check to make sure no one has added the domain user's account to a domain account like domain admins?????
0
 
GTTech2010Author Commented:
This led me to the solution which was the Local Security Policy was not set correctly and the domain policy had not overridden it.

1. Secpol.msc
2. "Local Policies" => "Security Options"
3. Review the "User Account Control: ..." policies
4. The specific policy was "User Account Control: Behavior of the elevation prompt for standard users"
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now