Announcement

Collapse
No announcement yet.

need to prevent any program installation for local admin user

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • need to prevent any program installation for local admin user

    Hi,
    need to prevent any soft installaton by a user with local admin rights
    This is a requirement (don't ask why)

    Need it for 2 computers: W7 Pro in AD 2003 (shema 200.

    Native Windows installer GPO is not an option. Need to prevent potential "garbage" installations.

    Made some reading.
    Non of the suggestions is a real solution for the request.

    I know Admin is Admin... Generally, I need a restriction to write after execution...

    Solutions that I saw (the annotations are not mine):

    Solutions:

    1-Configuring specific User Account Control Settings
    2-Software Restriction Policies
    3-AppLocker

    Option 3 is very good, New application control feature available in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits.
    Example for AppLocker:
    How to configure AppLocker Group Policy in Windows 7 to block third-party browsers

    Option 1 is good, Using specific User Account Control Settings you can eventually help your users from running applications (and preventing application installs) by prompting them for their password every time they want to install an application or run an application from a location other than Program Files and Windows.

    Option 2 is normal, You will need to create hash rules for every version of an undesired application.
    Software Restriction Policies demo video download 5.5MB
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    Re: need to prevent any program installation for local admin user

    Remove them from the local admin group is about the only manageable option that you have i'm afraid.

    What is the reason that they need local admin rights in the first place??

    You could look at having something like allowed apps. http://www.howtogeek.com/howto/8739/...-in-windows-7/

    Comment


    • #3
      Re: need to prevent any program installation for local admin user

      The main reason is:
      use of the app that works on old manner - requires local ADMIN rights.

      The solution found (and looks so simple):

      run this app with Run As...
      "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

      Comment

      Working...
      X