Solved

Deny user in domain from install any program or VPN application.

Posted on 2014-12-28
12
251 Views
Last Modified: 2014-12-30
Hello,

Please I have domain controller with windows server 2008R2 and all user join this domain all user have windows 7 OS. How I can deny them from install any application. All user have user authority and that deny them from install some application but they still they can install another application which do not need administration authority like VPN application (ultrasurf, hotshpot shield...etc),google chrome or any tool bar

I want to deny them from install anything (application, tool bar..etc)

Regards
0
Comment
Question by:maryam_adnan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
12 Comments
 
LVL 96

Accepted Solution

by:
Experienced Member earned 333 total points
ID: 40521233
Users should be Standard Users and never administrators. That is common and correct practice and will solve your problem neatly. Also keep UAC turned on High (Standard Users cannot change this)

If you need granular install capability, you need Power Broker.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
0
 

Author Comment

by:maryam_adnan
ID: 40521237
Hello,
Please use standard user do not solve the problem. Because there are many application can install without need administrator privilege like (ultrasurf, hotshpot shield..etc ). In addition, tool bar.

I need to done this from server

Regards
0
 
LVL 96

Assisted Solution

by:Experienced Member
Experienced Member earned 333 total points
ID: 40521245
You can go into Group Policy Editor (gpedit.msc) and start limiting access to Control Panel and Programs and Features. Look through the settings before changing anything.

Windows-8-Group-Policy-Editor
There are add-ins which are preferences and not installs and so cannot be prevented. But rogue add-ins usually install and Standard User / UAC will prevent these.
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 

Author Comment

by:maryam_adnan
ID: 40521251
Hello,

Thank you for your reply. Prevent in control panel will not prevent user from add (VPN application). I try to use mandatory profile. I prohibited all control panel but this not solve problem. they still able to install hotshpot shield and other program like that.

Any Idea will help me

Regards
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40521254
VPN must be Microsoft VPN, because NONE of my clients can install NCP IPsec. It cannot happen.

So what programs are allowed that are problems?

The only thing I see is the occasional toolbar for IE, and while I do not like them, they are harmless for the most part.

You make it sound like anything and everything can be installed and that is not true in my client machines.
0
 

Author Comment

by:maryam_adnan
ID: 40521256
Hello,

Thank you for your reply. No, . Actually I want to deny application like ultrasurf, hotshpot shield. the other application is denied by Group Policy

Regards
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40521264
Some people use DNS Redirector to block all the proxy / anonymizer websites / VPN .

DNS Redirector is at http://dnsredirector.com/

You may need to use something like this.

You also need a Company Policy that precludes the use of these things and enforces disciplinary measures on people caught.

My clients do not have time for theses things and I do not see them.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40521271
I have done some more looking and really you need to block the sites it uses for setting up data transmissions.
0
 

Author Comment

by:maryam_adnan
ID: 40521294
Hello,
I check this website https://forums.opendns.com/comments.php?DiscussionID=17357 for openDNS and it show that open DNS also can not block hotspot.

Please any other way can help to accomplish this job

Regards
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40521649
Apparently the only way you can stop this is by blocking the IP addresses used by Hotspot Shield. It is apparently a simple program (which is why it installs) and uses web VPN services.

You DO need a Company Policy that expressly forbids its use and provides disciplinary action if the product is found.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40522912
What you want is to have complete control of what code is running. This can be done using applocker GPOs.
Applocker GPOs can whitelist executables and scripts that you acknowledge - the rest will not run.

Applocker is available in win7 ultimate or enterprise. If you run win7 pro, you will have to use software restriction policies which were the predecessor of applocker but work comparable.

Applocker http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx
Software restriction policies http://technet.microsoft.com/en-us/library/bb457006.aspx
Those links feature descriptions and further how-tos.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40523490
@maryam_adnan - Thank you and I was happy to help. Hotspot Shield is a natty problem.
0

Featured Post

Enroll in July's Course of the Month

July's Course of the Month is now available! Enroll to learn HTML5 and prepare for certification. It's free for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question