Windows 7 pc joined to a domain allows users to install software

Posted on 2013-12-17
Medium Priority
Last Modified: 2013-12-18
I have a Windows 7 PC in a demo environment that is allowing domain users to install software even though they are not part of the local or admin groups of the computer.

Here are some quick Q & A to the problem

1. Is the domain user part of local admin group ? NO
2. Does the user belong to AD group that is in the local Admin group ? NO
3. Is the domain user part of local poweruser group ? NO
4. Does the user belong to AD group that is in the local poweruser group ? NO
5. Is the domain user part of Domain Admin group ? NO
6. Are there any group policy applied to this computer to allow this behavior ? NO
7. Is this computer joined to the domain ? Yes
8. Does this happen with other users on this specific computer ? Yes
9. Does this happen on other computers joined to same demo domain ? NO
10. Have you rebooted ? Yes
11. Have you run gpupdate and gpupdate /force ? Yes
12. Have you tried unjoining and re-joining computer to demo domain ? No I would like to find the technical reason for why this happened.

Demo Environment runs Windows Server 2008 R2

Thanks, sorry about the long Q / A but it will save everyone from wasting time with what's already been tried.
Question by:GTTech2010

Expert Comment

by:Thomas Grassi
ID: 39723759
I found this for your reading


Group policy settings are the beginning.

If you have laptops then you even have more concerns.

Author Comment

ID: 39723974
Thanks for the link but I'm not asking how to prevent users from installing via group policy or registry settings.

I'm asking how to find out WHY out of the blue a single desktop on the demo domain is allowing users to install software regardless of the permissions they are allowed.

I would like suggestions of places (registry, net user, net localgroup, group policy) to look why this might have happened.

Expert Comment

by:Thomas Grassi
ID: 39724326
Try running this

gpresult /r

This will tell you what policies are on this computer.

Maybe even if you ran gpupdate, it may not have worked correctly.

Check out the results it should tell you a lot.
Author Comment

ID: 39724369
Thanks, I will give that a try

Expert Comment

by:Donald Stewart
ID: 39724811
12. Have you tried unjoining and re-joining computer to demo domain ? No I would like to find the technical reason for why this happened.

My question would be have you moved the computer from the Default "Computers" OU  ??

Have you verified the computer's memberships in ADUC ???

Accepted Solution

WiReDWolf earned 1200 total points
ID: 39725666
It's possible that particular machine has settings in the Local Security Policy that are not being overridden by a domain policy.  If it's just one machine then there must be local policies applied granting restricted users unrestricted access to install software.

Local Security Policy --> expand Security Settings
- Local Policies
-- user rights assignment
-- security options
- Application Control Policies
-- AppLocker

Author Comment

ID: 39726437
WiReDWolf, I'm trying your suggestion later today and will get back to you.

dstewartjr, that is not the case, but thanks for the suggestion

Expert Comment

by:Thomas Grassi
ID: 39726526
What were the results of the gpresult /r ?  Please post.

Expert Comment

ID: 39727705
The gpresult /r may also point to which GPOs are applied and if a GPO has been applied to this particular machine granting extended rights to restricted users.  I agree with trgrassijr55 - if the local security policy doesn't show anything then it's probably a GPO.

Expert Comment

ID: 39728162
Have you checked to make sure no one has added the domain user's account to a domain account like domain admins?????

Author Closing Comment

ID: 39728253
This led me to the solution which was the Local Security Policy was not set correctly and the domain policy had not overridden it.

1. Secpol.msc
2. "Local Policies" => "Security Options"
3. Review the "User Account Control: ..." policies
4. The specific policy was "User Account Control: Behavior of the elevation prompt for standard users"
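
The check from the closing comment, as an added example that is not part of the original thread: the "User Account Control: ..." entries in secpol.msc are stored as registry values, so the affected PC can be compared read-only against a domain member that behaves correctly. The computer names are hypothetical placeholders, and remote reads assume the Remote Registry service is running and that you have administrative rights on both machines.

```powershell
# Added example. Read-only; written for PowerShell 2.0 (Windows 7).
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry values behind the "User Account Control: ..." policies in secpol.msc
$uacValues = @{
    'EnableLUA'                  = 'Run all administrators in Admin Approval Mode'
    'ConsentPromptBehaviorAdmin' = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
    # 0 = automatically deny, 1 = prompt for credentials on the secure desktop, 3 = prompt for credentials
    'ConsentPromptBehaviorUser'  = 'Behavior of the elevation prompt for standard users'
    'PromptOnSecureDesktop'      = 'Switch to the secure desktop when prompting for elevation'
    'EnableInstallerDetection'   = 'Detect application installations and prompt for elevation'
    'FilterAdministratorToken'   = 'Admin Approval Mode for the built-in Administrator account'
}

function Get-UacPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey($subKey)
    if ($key -eq $null) { throw "Policy key not found on $ComputerName" }
    $result = @{}
    foreach ($name in $uacValues.Keys) {
        $v = $key.GetValue($name, $null)
        if ($v -eq $null) { $v = '<not set>' }
        $result[$name] = [string]$v      # compare as strings so '<not set>' is safe
    }
    $key.Close(); $hklm.Close()
    return $result
}

function Compare-UacPolicy {
    param([string]$Suspect, [string]$Reference)
    $a = Get-UacPolicy $Suspect
    $b = Get-UacPolicy $Reference
    foreach ($name in ($uacValues.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Value     = $name
            Suspect   = $a[$name]
            Reference = $b[$name]
            Differs   = ($a[$name] -ne $b[$name])
            Policy    = $uacValues[$name]
        }
    }
}

# 'DEMO-PC-01' (affected) and 'DEMO-PC-02' (known good) are placeholder names
Compare-UacPolicy -Suspect 'DEMO-PC-01' -Reference 'DEMO-PC-02' |
    Select-Object Value, Suspect, Reference, Differs, Policy | Format-Table -AutoSize
```

Rows where `Differs` is True are the settings to review in secpol.msc on the affected PC; a setting that no GPO defines stays at its local value, which is why `gpresult /r` alone may show nothing.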

Question has a verified solution.
