Solved

Windows 7 pc joined to a domain allows users to install software

Posted on 2013-12-17
Last Modified: 2013-12-18
I have a Windows 7 PC in a demo environment that is allowing domain users to install software even though they are not part of the local or admin groups of the computer.

Here are some quick Q & A to the problem

1. Is the domain user part of local admin group ? NO
2. Does the user belong to AD group that is in the local Admin group ? NO
3. Is the domain user part of local poweruser group ? NO
4. Does the user belong to AD group that is in the local poweruser group ? NO
5. Is the domain user part of Domain Admin group ? NO
6. Are there any group policy applied to this computer to allow this behavior ? NO
7. Is this computer joined to the domain ? Yes
8. Does this happen with other users on this specific computer ? Yes
9. Does this happen on other computers joined to same demo domain ? NO
10. Have you rebooted ? Yes
11. Have you run gpupdate and gpupdate /force ? Yes
12. Have you tried unjoining and re-joining computer to demo domain ? No, I would like to find the technical reason for why this happened.

Demo Environment runs Windows Server 2008 R2

Thanks, sorry about long Q / A but it will save everyone from wasting time with what's already been tried.
0
Question by:GTTech2010
11 Comments
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 39723759
I found this for your reading

http://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7

Group policy settings are the beginning.

If you have laptops then you even have more concerns.
0
 

Author Comment

by:GTTech2010
ID: 39723974
Thanks for the link but I'm not asking how to prevent users from installing via group policy or registry settings.

I'm asking how to find out WHY out of the blue a single desktop on the demo domain is allowing users to install software regardless of the permissions they are allowed.

I would like suggestions of places (registry, net user, net localgroup, group policy) to look why this might have happened.
0
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 39724326
Try running this

gpresult /r

This will tell you what policies are on this computer.

Maybe even if you ran gpupdate it may not have worked correctly.

Check out the results; they should tell you a lot.
0

 

Author Comment

by:GTTech2010
ID: 39724369
Thanks, I will give that a try
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39724811
12. Have you tried unjoining and re-joining computer to demo domain ? No I would like to find the technical reason for why this happened.


My question would be: have you moved the computer from the default "Computers" OU?

Have you verified the computer's memberships in ADUC?
0
 
LVL 3

Accepted Solution

by:
WiReDWolf earned 1200 total points
ID: 39725666
It's possible that particular machine has settings in the Local Security Policy that are not being overridden by a domain policy.  If it's just one machine then there must be local policies applied granting restricted users unrestricted access to install software.

Local Security Policy --> expand Security Settings
- Local Policies
-- user rights assignment
-- security options
- Application Control Policies
-- AppLocker
0
 

Author Comment

by:GTTech2010
ID: 39726437
WiReDWolf, I'm trying your suggestion later today and will get back to you.


dstewartjr, that is not the case, but thanks for the suggestion
0
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 39726526
What were the results of the gpresult /r? Please post.
0
 
LVL 3

Expert Comment

by:WiReDWolf
ID: 39727705
The gpresult /r may also point to which GPOs are applied and if a GPO has been applied to this particular machine granting extended rights to restricted users.  I agree with trgrassijr55 - if the local security policy doesn't show anything then it's probably a GPO.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 39728162
Have you checked to make sure no one has added the domain user's account to a domain account like domain admins?
0
 

Author Closing Comment

by:GTTech2010
ID: 39728253
This led me to the solution which was the Local Security Policy was not set correctly and the domain policy had not overridden it.

1. Secpol.msc
2. "Local Policies" => "Security Options"
3. Review the "User Account Control: ..." policies
4. The specific policy was "User Account Control: Behavior of the elevation prompt for standard users"
0
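The "User Account Control: ..." policies named in the closing comment are stored as registry values, so the affected PC can be compared with a working domain PC without opening secpol.msc on each. The PowerShell below is an added example, not part of the original thread; the function name Get-UacPolicyReport is hypothetical, and the registry value names and their meanings are the standard Windows ones for these policies.

```powershell
# Added example (not from the thread). Works on PowerShell 2.0 (Windows 7).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$onOff  = @{ 0 = 'Disabled'; 1 = 'Enabled' }

# Registry value name -> policy name in secpol.msc and the meaning of each value.
$UacPolicies = @{
    'ConsentPromptBehaviorUser' = @{
        Policy = 'Behavior of the elevation prompt for standard users'
        Values = @{ 0 = 'Automatically deny elevation requests'
                    1 = 'Prompt for credentials on the secure desktop'
                    3 = 'Prompt for credentials' } }
    'ConsentPromptBehaviorAdmin' = @{
        Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
        Values = @{ 0 = 'Elevate without prompting'
                    1 = 'Prompt for credentials on the secure desktop'
                    2 = 'Prompt for consent on the secure desktop'
                    3 = 'Prompt for credentials'
                    4 = 'Prompt for consent'
                    5 = 'Prompt for consent for non-Windows binaries' } }
    'EnableLUA' = @{
        Policy = 'Run all administrators in Admin Approval Mode'; Values = $onOff }
    'EnableInstallerDetection' = @{
        Policy = 'Detect application installations and prompt for elevation'; Values = $onOff }
    'PromptOnSecureDesktop' = @{
        Policy = 'Switch to the secure desktop when prompting for elevation'; Values = $onOff }
}

function Get-UacPolicyReport {
    $props = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    foreach ($name in ($UacPolicies.Keys | Sort-Object)) {
        $raw = $props.$name
        if ($raw -eq $null) {
            $meaning = 'Value not present (Windows default applies)'
        } elseif ($UacPolicies[$name].Values.ContainsKey([int]$raw)) {
            $meaning = $UacPolicies[$name].Values[[int]$raw]
        } else {
            $meaning = 'Unrecognised value'
        }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME; RegistryValue = $name; Data = $raw
            Policy   = "User Account Control: $($UacPolicies[$name].Policy)"
            Meaning  = $meaning
        }
    }
}

# Run on the affected PC and on a working domain PC, then compare the two listings.
Get-UacPolicyReport | Select-Object Computer, RegistryValue, Data, Meaning, Policy | Format-List
```

A value that differs between the two machines and is not listed by gpresult /r as coming from a GPO is a local setting that no domain policy is overriding.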


Question has a verified solution.
