No announcement yet.

Group Policy

  • Filter
  • Time
  • Show
Clear All
new posts

  • Group Policy

    Due to application conflicts on user terminal, i cannot enable 'user mode' for domain users under WinXP Pro. 'Administrator mode' has to be use for all domain users on the user terminals.

    Therefore looking to see if i could restrict users from installation softwares using Group Policy in an Win2000 server domain.

    Updated my policy files and the most i could do is to restrict COMPUTERS from installing software using MSI or USER from installing from removable media drives.

    Is there any way we can enable total restriction of software installation?

  • #2
    WinXP and Perms


    We had the same application problems when we moved to XP, but we did not allow users admin access, instead, we went to the directory of each application in question and added the domain "everyone" group and the group "modify" access. This way we are still able to keep the machine safe from software downloads. M$ advises that you do not allow Internet connected machines to run as administrator and we have strictly enforced this standard. Good luck!


    • #3
      This method does not really solve the problem cos users can still install programs and preventive methods enforced after they install.

      Due to the application conflicts, we have to use "Administrator" mode for all terminal. This is due to an ERP application conflict.

      Is there no way we can emulate only the restriction of ANY software in the user mode to administrator mode??


      • #4
        Have never tried it, but you can try to change the security permission of the "Windows Installer" service using GPO.

        remove "Start/Stop" right from the Administrators group and assign it to some other group of your choice. You will need to test it in your lab though, as I have never tried that.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"


        • #5
          The closest i found is in system.adm where windows installer disable.

          But this only applies to programs with *.msi package and even administrators are affected by this rollout. Software which do not use *.msi are not affected.