Announcement

Collapse
No announcement yet.

Block users from installing any software

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Block users from installing any software

    Hi Guys,

    What will be the best setting go Block users from installing any software on their client machines?

    Even if they are administrators for example on the local machine.

    Thanks,
    Retaliator
    Thanks & Regards

    Retaliator

    MCSA/MCSE/CCNA
    Computer Science Graduate

  • #2
    Re: Block users from installing any software

    Dont think you can even if there admins (Unless you block write access to c:\program files to evenyone except the group of people you want to install software) But this also means they can just install to a different location.

    Why dont you concentrate on taking everyone out of the local admin group on the workstations and lock them down this way. Unless they have a pretty good reason why they need local admin rights.

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

    Comment


    • #3
      Re: Block users from installing any software

      'morning, Retaliator.
      Take a look at other threads in this forum that dealt with software installation prevention: http://forums.petri.com/search.php?searchid=740286 . Maybe you'll find something useful in there...

      Sorin Solomon


      In order to succeed, your desire for success should be greater than your fear of failure.
      -

      Comment


      • #4
        Re: Block users from installing any software

        Thanks guys,

        I thought about kicking thier butts from Administrators group
        But tried to find another way, it's silly there is not a GPO option to "Can't install programs" or so..

        I will take a look at what you wrote Sorinso,

        Retaliator
        Thanks & Regards

        Retaliator

        MCSA/MCSE/CCNA
        Computer Science Graduate

        Comment


        • #5
          Re: Block users from installing any software

          There is such an option. It is called "Software Restriction Policies" and you can find it under Windows Settings -> Security Settings in both Computer and User Configuration branch in the GPO.
          See also Microsoft's article: http://www.microsoft.com/technet/pro.../rstrplcy.mspx
          Good luck, dude.

          Sorin Solomon


          In order to succeed, your desire for success should be greater than your fear of failure.
          -

          Comment


          • #6
            Re: Block users from installing any software

            The software restriction part AFAIK is to define exactly what programs can RUN, i used it on a call center central, but i want something that can define that the user can't install programs at all, i will give it a try..

            Retaliator
            Thanks & Regards

            Retaliator

            MCSA/MCSE/CCNA
            Computer Science Graduate

            Comment


            • #7
              Re: Block users from installing any software

              But why making them local admin then if you don't want them to execute what is not in the windows- of programfiles-folders.

              \Rem

              This posting is provided "AS IS" with no warranties, and confers no rights.

              __________________

              ** Remember to give credit where credit's due **
              and leave Reputation Points for meaningful posts

              Comment


              • #8
                Re: Block users from installing any software

                I will consider removing thier Administrator access,

                What will be the best way to remove the users with script, gpo, restricted groups?
                i know the net group command, any suggestions?

                Retaliator
                Thanks & Regards

                Retaliator

                MCSA/MCSE/CCNA
                Computer Science Graduate

                Comment


                • #9
                  Re: Block users from installing any software

                  Originally posted by Retaliator
                  the best way to remove the users
                  By using 'Restricted Groups' I would say.
                  After that, it might be a good idea to reset the local administrator account too.
                  http://forums.petri.com/showthread.p..._message_59749

                  \Rem
                  Last edited by Rems; 27th February 2007, 12:56.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts

                  Comment


                  • #10
                    Re: Block users from installing any software

                    Thanks, i found that too, and:

                    http://www.windowsitpro.com/Article/...1296.html?Ad=1

                    what do you mean by reset the local admin?
                    Thanks & Regards

                    Retaliator

                    MCSA/MCSE/CCNA
                    Computer Science Graduate

                    Comment


                    • #11
                      Re: Block users from installing any software

                      Change it.
                      Let's say I'm one of your users. If my account was part of the local Administrators, and want to be sure I will always have rights, I would change the Administrator password to something I know. This way, when you'll come and take me out of the Administrators group, I will still be able to use Run As command and run things.
                      By changing the password, you'll be sure that only you know it. Just a precaution...

                      Sorin Solomon


                      In order to succeed, your desire for success should be greater than your fear of failure.
                      -

                      Comment


                      • #12
                        Re: Block users from installing any software

                        It's ok, i understand but it's not that important from my sight of view.
                        I guess for now by removing thier Admin rights i am safe..
                        Thanks everybody..

                        Retaliator.
                        Last edited by Retaliator; 27th February 2007, 13:42.
                        Thanks & Regards

                        Retaliator

                        MCSA/MCSE/CCNA
                        Computer Science Graduate

                        Comment


                        • #13
                          Re: Block users from installing any software

                          Now that no users are administrators anymore, you can use Software Restricting. An effective way of using a path rule is to create a default rule that prevents users from executing anything at all. You can then create other rules that allow users to execute programs found in system related paths. It is important to allow users to execute files in system related paths because otherwise Windows will not function correctly. The paths that you must permit access to are:

                          %userprofile%
                          %windir%
                          %appdata%
                          %programfiles%
                          %temp%
                          And the network installation path (if exists)
                          (http://www.windowsnetworking.com/art...-Policies.html)

                          \Rem

                          This posting is provided "AS IS" with no warranties, and confers no rights.

                          __________________

                          ** Remember to give credit where credit's due **
                          and leave Reputation Points for meaningful posts

                          Comment


                          • #14
                            Re: Block users from installing any software

                            I set Software Restriction Policy default is Disallowed.
                            I try run file (any extension) in %ProgramFiles% and %WINDIR%, It can executed.
                            But other location can not executed.

                            Why?

                            Thank you.

                            Comment


                            • #15
                              Re: Block users from installing any software

                              Whenever you create the Software Restriction Policy, a set of four Path Rules is cerated by default, with Unrestricted permissions (see the attached screenshot). The reason for this is to assure that the OS can run, disregarding the user that logs on.
                              You ask because you are curious, or there's a problem with it?
                              Last edited by sorinso; 9th November 2007, 21:29.

                              Sorin Solomon


                              In order to succeed, your desire for success should be greater than your fear of failure.
                              -

                              Comment

                              Working...
                              X