Can i Deny COMPUTER Group Policy setting to be Implemented on Administrator

  • Can i Deny COMPUTER Group Policy setting to be Implemented on Administrator

    Hi all, I need URGENT help with this matter.

    I have implemented a policy to restrict users from installing software on workstations.
    I did this by creating a new GPO in which part of the settings are enabling "Disable Windows installer" under the Computer configuration.

    I then created a special group for users who can install software and gave this
    group a deny permission over the above policy.

    The problem is that only when I add a Computer Object to that group, the deny
    permission takes effect. This means that I can't grant any user, nor the administrator, rights to install.

    How can I deny the computer configuration part of the policy from users.. in this
    case the administrator??? (I need the admin to be able to install on all PCs)

    PLEASE HELP !!! VERY URGENT !

    Thank YOU!

  • #2
    Re: Can i Deny COMPUTER Group Policy setting to be Implemented on Administrator

    OK, a better understanding of Group Policy is needed. The Computer Configuration applies to computers. User Configuration applies to users. Anything set in the Computer Configuration section of the GPO will affect any user that logs on to a computer that applies that GPO. Conversely, User Configuration will affect any user that applies the GPO regardless of what computer the user logs on to.

    A user account that is not part of the Administrators group or the Power Users group shouldn't be able to install software anyways.
    Maybe a read about Least Privilege would help?

    Is the problem users are installing unwanted software? If you post what you're trying to accomplish then we may be able to help further.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com
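
A small model of the security filtering described in post #2, added here as an example and not posted by anyone in the thread: the Computer Configuration half of a GPO is filtered against the computer account's groups, the User Configuration half against the logged-on user's groups. The GPO contents, the group name "Installers" and the sample memberships are constructed, and loopback processing is ignored.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    computer_settings: dict
    user_settings: dict
    allow_apply: set                                # Allow: Read + Apply Group Policy
    deny_apply: set = field(default_factory=set)    # Deny: Apply Group Policy

    def applies_to(self, groups: set) -> bool:
        # An explicit Deny beats any Allow on the GPO's ACL.
        if groups & self.deny_apply:
            return False
        return bool(groups & self.allow_apply)

def resultant_policy(gpo: Gpo, computer_groups: set, user_groups: set) -> dict:
    """Each half of the GPO is filtered against a different security principal."""
    result = {}
    if gpo.applies_to(computer_groups):   # evaluated for the computer account
        result.update(gpo.computer_settings)
    if gpo.applies_to(user_groups):       # evaluated for the logged-on user
        result.update(gpo.user_settings)
    return result

# Constructed sample data mirroring the thread's setup.
RESTRICT = Gpo(
    name="Restrict installs",
    computer_settings={"Disable Windows Installer": "Enabled"},
    user_settings={},
    allow_apply={"Authenticated Users"},
    deny_apply={"Installers"},            # hypothetical "may install" group
)
PC = {"Authenticated Users", "Domain Computers"}
ADMIN = {"Authenticated Users", "Domain Admins", "Installers"}
USER = {"Authenticated Users", "Domain Users"}

def scenarios() -> dict:
    return {
        # Deny on the admin's group changes nothing: the setting came via the PC.
        "admin in Installers, normal PC": resultant_policy(RESTRICT, PC, ADMIN),
        "plain user, normal PC": resultant_policy(RESTRICT, PC, USER),
        # Only putting the computer object in the group filters the setting out.
        "plain user, PC in Installers": resultant_policy(RESTRICT, PC | {"Installers"}, USER),
    }

if __name__ == "__main__":
    for label, settings in scenarios().items():
        print(f"{label}: {settings}")
```

The first and third scenarios reproduce what the original poster observed: the deny entry only has an effect once a computer object is in the group, and then it lifts the restriction for every user of that machine.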

    • #3
      Re: Can i Deny COMPUTER Group Policy setting to be Implemented on Administrator

      The problem is that users have to be part of the Local administrative group,
      so I can't prevent them from installing using the regular users group.

      What I need to accomplish is:
      1. restricting all users that are not part of the domain admins group from installing
      software on their workstations in a domain environment.

      2. creating a special group which will contain users (not admins) that CAN install.

      Is there a 'User configuration' policy that can prevent software installation
      like the "Disable Windows installer" under the Computer configuration?

      I am waiting for further help please.

      Thank You.

      • #4
        Re: Can i Deny COMPUTER Group Policy setting to be Implemented on Administrator

        My first question is why do they need to be local administrators?

        I really think you ought to look at Least Privilege http://www.google.com/search?hl=en&l...east+Privilege
        I really think that it will solve your trouble.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        • #5
          Re: Can i Deny COMPUTER Group Policy setting to be Implemented on Administrator

          What I understand from this is that any domain user that does not belong to any administrator group will not be able to install software.

          There is a GPO in which you will allow users to install software even without having administrator permissions.

          Is that what you need?

          Best regards,
          Mostafa
          Best regards,
          Mostafa Itani

          ** Remember to give credit where credit is due and leave reputation points where appropriate **
