hmcnasty
asked on
Server 2008 r2 prevent program installation
Hi.
I have a 2008 r2 server on a domain.
I have an account on this box that needs to be an administrator but I do not want them to install programs. They need to be an administrator to migrate data in user accounts. If I make them a user it is extremely tedious to give them the proper permissions.
How can I accomplish this?
Thanks
That is what you use Restrict File Types for. You can create a GPO where you cannot launch .exe or .msi files etc.
This would accomplish what you are asking.
Will.
ASKER
Ok. Will this prevent users from launching regular programs on the server? I just don't want anything installed.
Thanks
Well... launching an application and installing one are 2 different things.
Using Group Policy you can completely lock down the start button/menu, hide control panel, etc. It is really endless on all of the options you have to lock a machine down. Use the first link for this.
For not allowing a Local Administrator to install applications, the only thing you can do is create a GPO where you restrict EXEs and MSIs from being launched.
If they cannot be launched then they cannot be installed. Wait a minute, this should also work for not allowing this user to launch any installed application as well.
Will.
ASKER
Hi Will. This looks like it will work perfectly. My only other question is: what if I were to rename an exe or an msi to one of the allowed names in the policy?
An example would be:
Say I allowed winword.exe but not excel.exe. Then I renamed excel.exe to winword.exe. Would it open?
Wes
The logic is there; however, I have never tested this. You can just lock down everything *.exe and *.msi. However, you might want to test the concept first.
If you have a user that has local admin privs, there is really only so much you can do with regards to locking them down. If they are smart enough to rename a file then it might work. However, if you lock down everything then they can do anything. You have to find a happy medium.
Will.
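The rename question above, as an added example that is not part of the original thread: it compares a rule that matches on file name only with one that matches on the file's SHA-256 hash, using constructed stand-in files. The function names and the baseline table are assumptions for illustration, and the script models the matching logic rather than the Windows policy engine.

```powershell
# Added example, not from the thread. Models name-only matching versus hash
# matching; it is not the Windows policy engine.
function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # .NET hashing keeps this usable on PowerShell 2.0, the 2008 R2 default.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-AllowRules {
    # $Baseline (hypothetical) maps an allowed file name to the hash of the
    # approved binary that legitimately carries that name.
    param([string]$Path, [hashtable]$Baseline)
    $name = [System.IO.Path]::GetFileName($Path).ToLower()
    # Name rule: only the file name is compared, so contents are never checked.
    $nameOk = $Baseline.ContainsKey($name)
    # Hash rule: the file's contents must match an approved binary.
    $hashOk = @($Baseline.Values) -contains (Get-Sha256Hex -Path $Path)
    New-Object PSObject -Property @{
        File = $Path; NameRuleAllows = $nameOk; HashRuleAllows = $hashOk
    }
}

# Constructed sample files: plain text stand-ins, not real Office binaries.
$work = Join-Path $env:TEMP ("rule-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$work\renamed" | Out-Null
[System.IO.File]::WriteAllText("$work\winword.exe", "stand-in for the allowed program")
[System.IO.File]::WriteAllText("$work\excel.exe", "stand-in for the program that is not allowed")
# The case from the question: the second file copied under the allowed name.
Copy-Item "$work\excel.exe" "$work\renamed\winword.exe"

$baseline = @{ 'winword.exe' = (Get-Sha256Hex "$work\winword.exe") }
$results = Get-ChildItem $work -Recurse -Include *.exe |
    ForEach-Object { Test-AllowRules -Path $_.FullName -Baseline $baseline }
$results | Format-Table File, NameRuleAllows, HashRuleAllows -AutoSize

# Files whose name is allowed but whose contents are not the approved binary.
$results | Where-Object { $_.NameRuleAllows -and -not $_.HashRuleAllows } |
    ForEach-Object { "Name matches an allowed entry but hash does not: $($_.File)" }

Remove-Item -Recurse -Force $work
```

Pointing the same two functions at a real program folder with a baseline of known-good hashes turns the last pipeline into an audit for files that only borrow an allowed name.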
ASKER
Yeah. Alright then, I'll deal with that.
Thanks