• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 258
  • Last Modified:

Deny user in domain from install any program or VPN application.

Hello,

Please I have domain controller with windows server 2008R2 and all user join this domain all user have windows 7 OS. How I can deny them from install any application. All user have user authority and that deny them from install some application but they still they can install another application which do not need administration authority like VPN application (ultrasurf, hotshpot shield...etc),google chrome or any tool bar

I want to deny them from install anything (application, tool bar..etc)

Regards
0
maryam_adnan
Asked:
maryam_adnan
  • 7
  • 4
3 Solutions
 
John HurstBusiness Consultant (Owner)Commented:
Users should be Standard Users and never administrators. That is common and correct practice and will solve your problem neatly. Also keep UAC turned on High (Standard Users cannot change this)

If you need granular install capability, you need Power Broker.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
0
 
maryam_adnanAuthor Commented:
Hello,
Please use standard user do not solve the problem. Because there are many application can install without need administrator privilege like (ultrasurf, hotshpot shield..etc ). In addition, tool bar.

I need to done this from server

Regards
0
 
John HurstBusiness Consultant (Owner)Commented:
You can go into Group Policy Editor (gpedit.msc) and start limiting access to Control Panel and Programs and Features. Look through the settings before changing anything.

Windows-8-Group-Policy-Editor
There are add-ins which are preferences and not installs and so cannot be prevented. But rogue add-ins usually install and Standard User / UAC will prevent these.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
maryam_adnanAuthor Commented:
Hello,

Thank you for your reply. Prevent in control panel will not prevent user from add (VPN application). I try to use mandatory profile. I prohibited all control panel but this not solve problem. they still able to install hotshpot shield and other program like that.

Any Idea will help me

Regards
0
 
John HurstBusiness Consultant (Owner)Commented:
VPN must be Microsoft VPN, because NONE of my clients can install NCP IPsec. It cannot happen.

So what programs are allowed that are problems?

The only thing I see is the occasional toolbar for IE, and while I do not like them, they are harmless for the most part.

You make it sound like anything and everything can be installed and that is not true in my client machines.
0
 
maryam_adnanAuthor Commented:
Hello,

Thank you for your reply. No, . Actually I want to deny application like ultrasurf, hotshpot shield. the other application is denied by Group Policy

Regards
0
 
John HurstBusiness Consultant (Owner)Commented:
Some people use DNS Redirector to block all the proxy / anonymizer websites / VPN .

DNS Redirector is at http://dnsredirector.com/

You may need to use something like this.

You also need a Company Policy that precludes the use of these things and enforces disciplinary measures on people caught.

My clients do not have time for theses things and I do not see them.
0
 
John HurstBusiness Consultant (Owner)Commented:
I have done some more looking and really you need to block the sites it uses for setting up data transmissions.
0
 
maryam_adnanAuthor Commented:
Hello,
I check this website https://forums.opendns.com/comments.php?DiscussionID=17357 for openDNS and it show that open DNS also can not block hotspot.

Please any other way can help to accomplish this job

Regards
0
 
John HurstBusiness Consultant (Owner)Commented:
Apparently the only way you can stop this is by blocking the IP addresses used by Hotspot Shield. It is apparently a simple program (which is why it installs) and uses web VPN services.

You DO need a Company Policy that expressly forbids its use and provides disciplinary action if the product is found.
0
 
McKnifeCommented:
What you want is to have complete control of what code is running. This can be done using applocker GPOs.
Applocker GPOs can whitelist executables and scripts that you acknowledge - the rest will not run.

Applocker is available in win7 ultimate or enterprise. If you run win7 pro, you will have to use software restriction policies which were the predecessor of applocker but work comparable.

Applocker http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx
Software restriction policies http://technet.microsoft.com/en-us/library/bb457006.aspx
Those links feature descriptions and further how-tos.
0
 
John HurstBusiness Consultant (Owner)Commented:
@maryam_adnan - Thank you and I was happy to help. Hotspot Shield is a natty problem.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 7
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now