apply restrictions for users to install or uninstall applications

Dear Experts

How to apply restrictions for the desktop/laptop users who use windows10pro and ubuntu desktop to install/remove any applications, only the system administrator should be able to install and update the systems, if user require application to be installed they should bring to system admin and system admin should only be able to perform this task,
1. how to achieve this for windows10 pro system
2. how to achieve this for ubuntu desktop system
please suggest thanks in advance.
D_wathiAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
If you make users members of the standard users group on Windows and Linux, then users cannot Install software. There are a couple of exceptions , but that is fundamentally how these systems work
1
Vadim RappCommented:
Applications can be installed per-user or per-machine. Sometimes you have this choice during interactive installation, sometimes not. It also depends on how you deploy them. If they are installed per-user, the user for whom they are installed can uninstall. If they are installed per-machine, the users who are not local administrators cannot uninstall them.
0
MaheshArchitectCommented:
No matter applications are installed per user or workstation, you have to have admin rights on workstation to install Applicationa
Once installed, user can use it
By default users cannot install Application unless they are added to local administrators group
Also I am pretty sure that, user cannot uninstall it though it's installed per user basis, per user installation only allow user to control application usage and not it's binaries
U can consider deploying restricted groups gpo so that upon every reboot system will restore default local administrators members and if any user made himself administrator, his rights will be revoked
Also in addition, you can implement applocker and software restrictions policies in gpo
Also you can restrict users from running specified applications if wanted through gpo if wanted to
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Vadim RappCommented:
Mahesh, if the installation allows per-user installation, it certainly can be installed by non-admin user. From https://msdn.microsoft.com/en-us/library/windows/desktop/dd765197(v=vs.85).aspx: "Because a per-machine installation makes changes to the system that affect all users, standard users having limited privileges may be prevented from installing a package into the per-machine context without first obtaining permission." (meaning, not into per-user context).

Not all installations allow that, however.
1
serialbandCommented:
WINDOWS
The have long removed the Power User group, so you must be an Admin to install Windows software, unless you're running open sourced software that's self contained.  One trick to work around it, that used to work, is to grant the user write permissions the Program Files folders.  This will allow installation of programs that only need access to those folders.  If the program also needs access to Windows folders, then you will also need to add permissions there.  If it needs access to the registry, you will need to add permissions there.

The more permissions you add, the closer it becomes to an Administrator account.  This was the problem with the old Power Users Group long ago.  Putting a user in the Power User group gave a user too much extra ability, and made it a security hole.  Junior admins would just put everyone in the group.  Users would also automatically install malware.  That's why it was removed.

UBUNTU
With Ubuntu, it's a Linux system, so a user can just manually install any software in there own home directories.  Linux has always allowed for that, even if a lot of the newer users don't understand it.  Some of the older users have probably been so used to the modern package managers, that they don't remember how to do it manually anymore.

If you mean that you want them to be able to run apt or apt-get installer tools to install software, you can enable them to run just those commands with sudo.  Edit /etc/sudoers with sudo visudo.  (Be sure to set your EDITOR variable or you'll start up with an unfamiliar editor)

Add or insert the following line to the file and save it.  You will need to replace the %username% group variable or create the group with its members in the same file.
%username% ALL=NOPASSWD: /usr/bin/apt-get install, /usr/bin/apt install
See the following for examples. https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MaheshArchitectCommented:
@Vadim,
In that case it's not software installation
There may be softwares which can execute and start working without installation
For example teamviewer quick connect executable, there also UAC kicks in and make difficult to run those standalone softwares
As far as u need to install something you need admin rights, IMHO
0
arnoldCommented:
Commonly, users are made local admins on laptops as admins can not be present to attend to ....
Others pointed out that standard, limited users lack install rights.

In Linux, users can install, compile applications, programs locally within their path.
Only if /hone is mounted with a restriction on exec bit, .......
0
Vadim RappCommented:
@Mahesh, if you rename attached file from .txt to .msi, and install it for a standard user, you will see that it will install successfully. Per user installations have been known for decades.
PERUSER.txt
0
Vadim RappCommented:
It should be noted that the accepted solution actually answers the question opposite to what was asked. The question was not what is required to allow the users to install; it was what is required not to. Accordingly, the very first answer, by John, was 100% correct and should be the accepted solution.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.