klsphotos
asked on
Group Policy - Blocking TeamViewer and other Applications
Hi Experts,
How can I block TeamViewer from certain people on our network?
When I use Software Restrictions in group policy it blocks it from everyone. I created a security group and put the people that I didn't want to get the block in it and denied them the policy but it still applied to them. I am guessing that Software Restrictions ignore a deny group?
I have 2 people that need to use it to connect to some of our computers in Australia.
The other concern is, some of these people are local admins on their systems (I know) and they could "technically" edit their gpedit.msc as admins and override the domain block.
How can I achieve this?
Thank you,
Karen
You cannot stop admins, no way you turn it. As for SRPs, they apply to computer objects, not user objects.
ASKER
I took off the Software Restrictions and added Teamviewer.exe to the User Settings under AD Templates\System\ Do not allow windows software to run. I also added gpedit.msc to not allow it to run. Won't this work?
Those policies there are not meant to be a real protection. They don't identify the executable by hash; they are pretty useless. Take their administrative rights. Let them be admins on their own VMs, not on machines you fear they would hose.
You do not need to be an admin to run TeamViewer.
Let's talk some other time way is a suicide if users are local admins.
You have to do it a different way. Apply the policy to the security group you want to block, not the other way.
Do not use a deny policy.
We block TeamViewer with AppLocker:
http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx
And
Yes, AppLocker. If your licensed Windows is the Enterprise edition, you should use it; it knows rules that apply only to certain users!
About Benjamin's "You have to do it a different way. Apply the policy to the security group you want to block, not the other way." - no. Software restriction policies are linked to computer objects, so using security groups that consist of users has no effect, no matter how you turn it.
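The per-user AppLocker rule mentioned in the answers above, sketched as an added example that is not code from the thread or from any poster. The group `CONTOSO\TeamViewer-Blocked`, the account `CONTOSO\blocked.user`, the GPO name `AppLocker-Workstations` and the install path are assumptions; the two people who still need TeamViewer simply stay out of the blocked group.

```powershell
# Added example. Assumed names (not from the thread): group, test user, GPO name, install path.
Import-Module AppLocker
Import-Module GroupPolicy

$exe   = 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'  # reference copy on the admin machine
$group = 'CONTOSO\TeamViewer-Blocked'                        # users who must NOT run it

# 1. Read the signer details from the binary and build a publisher rule scoped to the group.
#    Publisher rules follow the signature, so renaming or moving the file does not bypass them.
$info   = Get-AppLockerFileInformation -Path $exe
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User $group

# 2. New-AppLockerPolicy only emits Allow rules: switch the rule to Deny and widen it
#    to every binary and version of the product (service, updater, older builds).
[xml]$xml = $policy.ToXml()
foreach ($rule in $xml.SelectNodes('//FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    $rule.SetAttribute('Name', "Deny TeamViewer for $group")
    $cond = $rule.SelectSingleNode('Conditions/FilePublisherCondition')
    $cond.SetAttribute('BinaryName', '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection', '0.0.0.0')
    $range.SetAttribute('HighSection', '*')
}
$xmlPath = Join-Path $env:TEMP 'deny-teamviewer.xml'
$xml.Save($xmlPath)

# 3. Dry run for a member of the blocked group; PolicyDecision should read "Denied".
#    Users outside the group show "DeniedByDefault" against this fragment alone, because
#    it contains no Allow rules. The target GPO must already carry the default Allow
#    rules, otherwise enforcing it blocks every executable for everyone.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $exe -User 'CONTOSO\blocked.user'

# 4. Merge the Deny rule into the existing AppLocker GPO instead of overwriting it.
$gpo = Get-GPO -Name 'AppLocker-Workstations'
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://$($gpo.Path)" -Merge
```

AppLocker Deny rules take precedence over Allow rules, including the default rule that allows local administrators to run everything, and the Application Identity service must be running on the clients for any rule to be evaluated.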
ASKER CERTIFIED SOLUTION
ASKER
I tested and worked on this and it proved successful in accomplishing blocking these programs, and still giving several users access all while users being local admins on their system. I recognize that being a local admin they can figure out a way around it, but at this time, this solution does what it needs to do.
Karen