Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Deny user in domain from install any program or VPN application.

Posted on 2014-12-28
12
Medium Priority
?
254 Views
Last Modified: 2014-12-30
Hello,

Please I have domain controller with windows server 2008R2 and all user join this domain all user have windows 7 OS. How I can deny them from install any application. All user have user authority and that deny them from install some application but they still they can install another application which do not need administration authority like VPN application (ultrasurf, hotshpot shield...etc),google chrome or any tool bar

I want to deny them from install anything (application, tool bar..etc)

Regards
0
Comment
Question by:maryam_adnan
  • 7
  • 4
12 Comments
 
LVL 99

Accepted Solution

by:
John Hurst earned 1332 total points
ID: 40521233
Users should be Standard Users and never administrators. That is common and correct practice and will solve your problem neatly. Also keep UAC turned on High (Standard Users cannot change this)

If you need granular install capability, you need Power Broker.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
0
 

Author Comment

by:maryam_adnan
ID: 40521237
Hello,
Please use standard user do not solve the problem. Because there are many application can install without need administrator privilege like (ultrasurf, hotshpot shield..etc ). In addition, tool bar.

I need to done this from server

Regards
0
 
LVL 99

Assisted Solution

by:John Hurst
John Hurst earned 1332 total points
ID: 40521245
You can go into Group Policy Editor (gpedit.msc) and start limiting access to Control Panel and Programs and Features. Look through the settings before changing anything.

Windows-8-Group-Policy-Editor
There are add-ins which are preferences and not installs and so cannot be prevented. But rogue add-ins usually install and Standard User / UAC will prevent these.
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 

Author Comment

by:maryam_adnan
ID: 40521251
Hello,

Thank you for your reply. Prevent in control panel will not prevent user from add (VPN application). I try to use mandatory profile. I prohibited all control panel but this not solve problem. they still able to install hotshpot shield and other program like that.

Any Idea will help me

Regards
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40521254
VPN must be Microsoft VPN, because NONE of my clients can install NCP IPsec. It cannot happen.

So what programs are allowed that are problems?

The only thing I see is the occasional toolbar for IE, and while I do not like them, they are harmless for the most part.

You make it sound like anything and everything can be installed and that is not true in my client machines.
0
 

Author Comment

by:maryam_adnan
ID: 40521256
Hello,

Thank you for your reply. No, . Actually I want to deny application like ultrasurf, hotshpot shield. the other application is denied by Group Policy

Regards
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40521264
Some people use DNS Redirector to block all the proxy / anonymizer websites / VPN .

DNS Redirector is at http://dnsredirector.com/

You may need to use something like this.

You also need a Company Policy that precludes the use of these things and enforces disciplinary measures on people caught.

My clients do not have time for theses things and I do not see them.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40521271
I have done some more looking and really you need to block the sites it uses for setting up data transmissions.
0
 

Author Comment

by:maryam_adnan
ID: 40521294
Hello,
I check this website https://forums.opendns.com/comments.php?DiscussionID=17357 for openDNS and it show that open DNS also can not block hotspot.

Please any other way can help to accomplish this job

Regards
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40521649
Apparently the only way you can stop this is by blocking the IP addresses used by Hotspot Shield. It is apparently a simple program (which is why it installs) and uses web VPN services.

You DO need a Company Policy that expressly forbids its use and provides disciplinary action if the product is found.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 668 total points
ID: 40522912
What you want is to have complete control of what code is running. This can be done using applocker GPOs.
Applocker GPOs can whitelist executables and scripts that you acknowledge - the rest will not run.

Applocker is available in win7 ultimate or enterprise. If you run win7 pro, you will have to use software restriction policies which were the predecessor of applocker but work comparable.

Applocker http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx
Software restriction policies http://technet.microsoft.com/en-us/library/bb457006.aspx
Those links feature descriptions and further how-tos.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 40523490
@maryam_adnan - Thank you and I was happy to help. Hotspot Shield is a natty problem.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Assume you have an outside contractor who comes in seasonally or once a week to do some work in your office, but you only want to give him access to the programs and files he needs and keep all other documents and programs private. Can you do this o…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Suggested Courses

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question