Solved

Deny user in domain from install any program or VPN application.

Posted on 2014-12-28
12
233 Views
Last Modified: 2014-12-30
Hello,

Please I have domain controller with windows server 2008R2 and all user join this domain all user have windows 7 OS. How I can deny them from install any application. All user have user authority and that deny them from install some application but they still they can install another application which do not need administration authority like VPN application (ultrasurf, hotshpot shield...etc),google chrome or any tool bar

I want to deny them from install anything (application, tool bar..etc)

Regards
0
Comment
Question by:maryam_adnan
  • 7
  • 4
12 Comments
 
LVL 93

Accepted Solution

by:
John Hurst earned 333 total points
ID: 40521233
Users should be Standard Users and never administrators. That is common and correct practice and will solve your problem neatly. Also keep UAC turned on High (Standard Users cannot change this)

If you need granular install capability, you need Power Broker.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
0
 

Author Comment

by:maryam_adnan
ID: 40521237
Hello,
Please use standard user do not solve the problem. Because there are many application can install without need administrator privilege like (ultrasurf, hotshpot shield..etc ). In addition, tool bar.

I need to done this from server

Regards
0
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 333 total points
ID: 40521245
You can go into Group Policy Editor (gpedit.msc) and start limiting access to Control Panel and Programs and Features. Look through the settings before changing anything.

Windows-8-Group-Policy-Editor
There are add-ins which are preferences and not installs and so cannot be prevented. But rogue add-ins usually install and Standard User / UAC will prevent these.
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 

Author Comment

by:maryam_adnan
ID: 40521251
Hello,

Thank you for your reply. Prevent in control panel will not prevent user from add (VPN application). I try to use mandatory profile. I prohibited all control panel but this not solve problem. they still able to install hotshpot shield and other program like that.

Any Idea will help me

Regards
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 40521254
VPN must be Microsoft VPN, because NONE of my clients can install NCP IPsec. It cannot happen.

So what programs are allowed that are problems?

The only thing I see is the occasional toolbar for IE, and while I do not like them, they are harmless for the most part.

You make it sound like anything and everything can be installed and that is not true in my client machines.
0
 

Author Comment

by:maryam_adnan
ID: 40521256
Hello,

Thank you for your reply. No, . Actually I want to deny application like ultrasurf, hotshpot shield. the other application is denied by Group Policy

Regards
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 40521264
Some people use DNS Redirector to block all the proxy / anonymizer websites / VPN .

DNS Redirector is at http://dnsredirector.com/

You may need to use something like this.

You also need a Company Policy that precludes the use of these things and enforces disciplinary measures on people caught.

My clients do not have time for theses things and I do not see them.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 40521271
I have done some more looking and really you need to block the sites it uses for setting up data transmissions.
0
 

Author Comment

by:maryam_adnan
ID: 40521294
Hello,
I check this website https://forums.opendns.com/comments.php?DiscussionID=17357 for openDNS and it show that open DNS also can not block hotspot.

Please any other way can help to accomplish this job

Regards
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 40521649
Apparently the only way you can stop this is by blocking the IP addresses used by Hotspot Shield. It is apparently a simple program (which is why it installs) and uses web VPN services.

You DO need a Company Policy that expressly forbids its use and provides disciplinary action if the product is found.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40522912
What you want is to have complete control of what code is running. This can be done using applocker GPOs.
Applocker GPOs can whitelist executables and scripts that you acknowledge - the rest will not run.

Applocker is available in win7 ultimate or enterprise. If you run win7 pro, you will have to use software restriction policies which were the predecessor of applocker but work comparable.

Applocker http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx
Software restriction policies http://technet.microsoft.com/en-us/library/bb457006.aspx
Those links feature descriptions and further how-tos.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 40523490
@maryam_adnan - Thank you and I was happy to help. Hotspot Shield is a natty problem.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question