Group Policy - Blocking TeamViewer and other Applications

Hi Experts,

How can I block TeamViewer from certain people on our network?

When I use Software Restrictions in group policy it blocks it from everyone.  I created a security group and put the people that I didn't want to get the block in it and denied them the policy but it still applied to them.  I am guessing that Software Restrictions ignore a deny group?

I have 2 people that need to use it to connect to some of our computers in Australia.  

The other concern is, some of these people are local admins on their systems (I know) and they could "technically" edit their gpedit.msc as admins and override the domain block.

How can I achieve this?

Thank you,

Karen
klsphotos Asked:

McKnife Commented:
You cannot stop admins, no way you turn it. As for SRPs, they apply to computer objects, not user objects.
klsphotos (Author) Commented:
I took off the Software Restrictions and added Teamviewer.exe to the User Settings under AD Templates\System\ Do not allow windows software to run.  I also added gpedit.msc to not allow it to run.  Won't this work?
McKnife Commented:
Those policies there are not meant to be a real protection. They don't identify the executable by hash; they are pretty useless. Take their administrative rights. Let them be admins on their own VMs, not on machines you fear they would hose.
Benjamin Voglar (IT Pro) Commented:
You do not need to be an admin to run TeamViewer.
Let's talk some other time about why it is suicide if users are local admins.

You have to do it a different way. Apply the policy to the security group you want to block, not the other way.

Do not use a deny policy.

We block TeamViewer with AppLocker:

http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx



And
McKnife Commented:
Yes, AppLocker. If your licensed Windows is the Enterprise edition, you should use it; it knows rules that apply only to certain users!

About Benjamin's "You have to do it a different way. Apply the policy to the security group you want to block, not the other way." - no. Software restriction policies are linked to computer objects, so using security groups that consist of users has no effect, no matter how you turn it.
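
The per-user AppLocker rule suggested in the two comments above, as an added example that is not part of the original thread or any participant's own script. The group name, user account, install path and output file are assumptions; the cmdlets are the standard AppLocker module.

```powershell
# Added example. Group names, the user account and the paths are assumptions.
$blockedGroup = 'CONTOSO\TeamViewer-Blocked'   # hypothetical: everyone except the permitted users
$allowedUser  = 'CONTOSO\permitted.user'       # hypothetical: one of the users who still needs it
$sample       = 'C:\Program Files\TeamViewer\TeamViewer.exe'   # assumed path on a reference PC
$policyFile   = Join-Path $env:TEMP 'Block-TeamViewer.xml'

# 1. Read publisher and hash details from the reference binary.
$info = Get-AppLockerFileInformation -Path $sample

# 2. Build a rule scoped to the blocked group (falls back to a hash rule if unsigned).
#    New-AppLockerPolicy only emits Allow rules, so the action is changed in step 3.
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -User $blockedGroup -RuleNamePrefix 'Block TeamViewer' -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }

# 3. Turn every generated rule into a Deny rule.
foreach ($rule in @($exe.ChildNodes)) { $rule.SetAttribute('Action', 'Deny') }

# 4. An enforced Exe collection blocks anything no Allow rule matches, so add an
#    allow-everything rule for Everyone (S-1-1-0). Deny rules take precedence over it.
$frag = $policy.CreateDocumentFragment()
$frag.InnerXml = @"
<FilePathRule Id="$([guid]::NewGuid())" Name="Allow everything else" Description=""
              UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions><FilePathCondition Path="*" /></Conditions>
</FilePathRule>
"@
[void]$exe.AppendChild($frag)

# 5. Start in audit mode; switch to 'Enabled' once the event log shows no surprises.
$exe.SetAttribute('EnforcementMode', 'AuditOnly')
$policy.Save($policyFile)

# 6. Compare the policy decision for the blocked group and for a permitted user.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample -User $blockedGroup
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample -User $allowedUser
```

The saved XML can be imported into a GPO with `Set-AppLockerPolicy -XmlPolicy` and its `-Ldap` parameter, and the Application Identity service must be running on clients for the rules to be evaluated.
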
klsphotos (Author) Commented:
I figured this out.
In policy I blocked it on the user settings by denying access to gpedit.msc, regedit, TeamViewer, etc. under that user name.
I enabled "Group Policy Loopback; merge" since their user accounts were not in just one container.
I used software restrictions, which were computer settings, to apply to all systems.

To block a user from this policy, since they wanted this policy through the whole domain, I had to add not only the user but their workstation to the block group and deny the apply of group policy to that group.

They are still admins on their system but they are denied the tools I had concerns with.

Thank you for your help, I will try AppLocker in the future.

Karen

klsphotos (Author) Commented:
I tested and worked on this and it proved successful in accomplishing blocking these programs, and still giving several users access all while users being local admins on their system.  I recognize that being a local admin they can figure out a way around it, but at this time, this solution does what it needs to do.

Karen