Server 2008 r2 prevent program installation

I have a 2008 r2 server on a domain.
I have an account on this box that needs to be an administrator but I do not want them to install programs. They need to be an administrator to migrate data in user accounts. If I make them a user it is extremely tedious to give them the proper permissions.
How can I accomplish this?


Will Szymkowski (Senior Solution Architect) commented:
You can try locking this down via GPO. You can create a Group Policy to restrict access to Control Panel or Programs/Features. You would then set the security filtering on that GPO to that one specific user.

You can also set restrictions on file types like .exe and .msi with Group Policy as well.

GPO to lock down Control Panel Items

Also see Restrict Specific File Types GPO


hmcnasty (Author) commented:
Thanks Will. How would this prevent them from downloading a program and then launching it and installing it?

Will Szymkowski (Senior Solution Architect) commented:
That is what you use Restrict File Types for. You can create a GPO where you cannot launch .exe or .msi files etc.

This would accomplish what you are asking.


hmcnasty (Author) commented:
Ok. Will this prevent users from launching regular programs on the server? I just don't want anything installed.

Will Szymkowski (Senior Solution Architect) commented:
Well... Launching an application and installing one are 2 different things.

Using Group Policy you can completely lock down the start button/menu hide control panel etc. It is really endless on all of the options you have to lock a machine down. Use the first link for this.

For not allowing a Local Administrator to install applications the only thing you can do is create a GPO where you restrict EXEs and MSIs from being launched.

If they cannot be launched then they cannot be installed. Wait a minute, this should also work for not allowing this user to launch any installed application as well.

hmcnasty (Author) commented:
Hi Will. This looks like it will work perfectly. My only other question is what if I was to rename an exe or an msi to one of the allowed names in the policy?
An example would be:
Say I allowed winword.exe but not excel.exe. Then I renamed the excel.exe to winword.exe. Would it open?

Will Szymkowski (Senior Solution Architect) commented:
The logic is there, however I have never tested this. You can just lock down everything *.exe and *.msi. However you might want to test the concept first.

If you have a user that has local admin privs there is really only so much you can do with regards to locking them down. If they are smart enough to rename a file then it might work. However if you lock down everything then they can do anything. You have to find a happy medium.
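
The rename question above, modelled as an added example (not part of the original thread, and a model rather than the Windows policy engine): a rule keyed on the file name is evaluated next to a rule keyed on a SHA-256 of the file contents. The function names, the `downloads` folder and the stand-in file contents are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash the file contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def allowed_by_name(path, allowed_names):
    """Name-based rule: sees only the file name (case-insensitive, as on Windows)."""
    return Path(path).name.lower() in allowed_names

def allowed_by_hash(path, allowed_hashes):
    """Hash-based rule: sees only the file contents."""
    return sha256_of(path) in allowed_hashes

def evaluate_rename_case():
    """Evaluate both rule types against an approved file and a renamed one."""
    with tempfile.TemporaryDirectory() as workdir:
        root = Path(workdir)
        approved = root / "winword.exe"
        other = root / "excel.exe"
        # Constructed placeholder contents, not real binaries.
        approved.write_bytes(b"constructed stand-in for the approved program")
        other.write_bytes(b"constructed stand-in for a program that is not approved")

        # The allow list, as the administrator would record it for the approved file.
        allowed_names = {"winword.exe"}
        allowed_hashes = {sha256_of(approved)}

        # The same unapproved bytes saved under the approved name in another folder.
        renamed = root / "downloads" / "winword.exe"
        renamed.parent.mkdir()
        renamed.write_bytes(other.read_bytes())

        return {
            "approved_by_name": allowed_by_name(approved, allowed_names),
            "approved_by_hash": allowed_by_hash(approved, allowed_hashes),
            "renamed_by_name": allowed_by_name(renamed, allowed_names),
            "renamed_by_hash": allowed_by_hash(renamed, allowed_hashes),
        }

if __name__ == "__main__":
    for check, result in evaluate_rename_case().items():
        print(f"{check}: {result}")
```

In this model the name rule accepts the renamed file and the hash rule refuses it, so an allow list that has to survive renaming needs to be keyed on content rather than on file name.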

hmcnasty (Author) commented:
Yeah. Alright then, I'll deal with that.
