Group Policy - Blocking TeamViewer and other Applications

Hi Experts,

How can I block TeamViewer from certain people on our network?

When I use Software Restrictions in group policy it blocks it from everyone.  I created a security group and put the people that I didn't want to get the block in it and denied them the policy but it still applied to them.  I am guessing that Software Restrictions ignore a deny group?

I have 2 people that need to use it to connect to some of our computers in Australia.  

The other concern is, some of these people are local admins on their systems (I know) and they could "technically" edit their gpedit.msc as admins and override the domain block.

How can I achieve this?

Thank you,

Karen
klsphotos Asked:

McKnife Commented:
You cannot stop admins, no way you turn it. As for SRPs, they apply to computer objects, not user objects.
1
klsphotos (Author) Commented:
I took off the Software Restrictions and added Teamviewer.exe to the User Settings under AD Templates\System\ Do not allow windows software to run.  I also added gpedit.msc to not allow it to run.  Won't this work?
0
McKnife Commented:
Those policies there are not meant to be a real protection. They don't identify the executable by hash, they are pretty useless. Take their administrative rights. Let them be admins on their own VMs, not on machines you fear they would hose.
0
Benjamin Voglar (IT Pro) Commented:
You do not need to be an admin to run TeamViewer.
Let's talk some other time way is a suicide if users are local admins.

You have to do it a different way. Apply the policy to the security group you want to block, not the other way.

Do not use a deny policy.

We block TeamViewer with AppLocker:

http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx



And
0
McKnife Commented:
Yes, AppLocker. If your licensed Windows is the Enterprise edition, you should use it, it knows rules that apply only to certain users!

About Benjamin's "You have to do it different way. Apply the policy to security group you want to block not other way." - no. Software restriction policies are linked to computer objects, so using security groups that consist of users has no effect, no matter how you turn it.
0
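The per-group AppLocker rule mentioned in the comments above, as an added example that is not part of the original thread. The group name, install path, output file and GPO path are assumptions or placeholders; the policy is left in audit mode because an enforced Exe rule collection blocks everything that no allow rule covers.

```powershell
# Added example: deny TeamViewer to one AD group with an AppLocker publisher rule.
# Assumed values (not from the thread): group name, install path, output file.
$blockedGroup = 'CONTOSO\TeamViewer-Blocked'                  # hypothetical group
$sampleExe    = 'C:\Program Files\TeamViewer\TeamViewer.exe'  # assumed path on a reference PC
$policyFile   = Join-Path $env:TEMP 'Deny-TeamViewer.xml'

# 1. Read publisher and hash details from the reference binary.
$fileInfo = Get-AppLockerFileInformation -Path $sampleExe

# 2. Build a rule scoped to the group. Publisher is preferred because it follows
#    the signed binary when it is renamed or copied; Hash is the fallback for an
#    unsigned file. A file-name match has neither property.
[xml]$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $blockedGroup -Optimize -Xml

# 3. New-AppLockerPolicy only generates Allow rules, so switch them to Deny.
#    Deny rules take precedence over Allow rules, including the default
#    Administrators allow rule.
foreach ($rule in $policy.SelectNodes('//FilePublisherRule | //FileHashRule')) {
    $rule.SetAttribute('Action', 'Deny')
}

# 4. Start in audit mode. Switch to 'Enabled' only after the default allow rules
#    (Windows, Program Files, Administrators) exist in the same GPO.
foreach ($collection in $policy.SelectNodes('//RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyFile)

# 5. Check the decision for the blocked group before deploying anything.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sampleExe -User $blockedGroup |
    Format-List FilePath, PolicyDecision, MatchingRule

# 6. Merge into the target GPO (placeholder LDAP path; substitute the real GPO DN).
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge `
#     -Ldap 'LDAP://<domain-controller>/CN={<GPO-GUID>},CN=Policies,CN=System,DC=<domain>'
```

AppLocker rules are only evaluated on clients where the Application Identity service (AppIDSvc) is running, so the same GPO should set that service to start automatically.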
klsphotos (Author) Commented:
I figured this out.
In policy I blocked it on the user settings by denying access to gpedit.msc, regedit, TeamViewer, etc. under that user name.
I enabled "Group Policy Loopback; merge" since their user accounts were not in just one container.
I used software restrictions which were computer settings to apply to all systems.

To block a user from this policy, since they wanted this policy through the whole domain, I had to add not only the user but their workstation to the block group and deny the apply of group policy to that group.

They are still admins on their system but they are denied the tools I had concerns with.

Thank you for your help, I will try AppLocker in the future.

Karen
0
klsphotos (Author) Commented:
I tested and worked on this and it proved successful in accomplishing blocking these programs, and still giving several users access all while users being local admins on their system.  I recognize that being a local admin they can figure out a way around it, but at this time, this solution does what it needs to do.

Karen
0