Announcement

Collapse
No announcement yet.

Program Installation

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Program Installation

    After doing some reading, it seems that network standard users aren't supposed to be allowed to install applications when you're running SBS 2011. The standard users on my network seem to be allowed to do so. A user asked me if he could install Adobe Air this morning and he was able to do so without any input of my Admin credentials. What settings should I be looking at to find out what might be causing this? I just did a 2003 to 2011 swing migration.
    Last edited by noRulez43; 18th February 2013, 23:06.

  • #2
    Re: Program Installation

    I just realized that, when I look from a user PC, in Ctrl Panel -> User Accounts -> Manage User Accounts, it says that they are Administrators. What is the difference between this and the user role associated to their account on the server?

    Comment


    • #3
      Re: Program Installation

      They will be local administrators for the machine.

      This will also be the reason why they can install software.

      Comment


      • #4
        Re: Program Installation

        And Spyware and other things you don`t want to have in or on your network.
        unless there is a very very very good reason to keep them local admin remove them from that group.

        Comment


        • #5
          Re: Program Installation

          To change this, I would have to log into each PC and change it from the User Account settings, correct? There's nothing I can do from the server to make this change?

          Comment


          • #6
            Re: Program Installation

            Run, do not walk, to and check out "restricted groups" which will allow you to control membership of local groups from the server
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: Program Installation

              I am testing the restricted groups functionality. Here's what I did:

              1) Created a separate OU for the test called 'Windows Standard', and sub OUs for Computers and Users.
              2) Created and linked a new GPO for LocalAdminRemoval
              3) On the security tab of the GPO edit, removed domain users. Added domain computers and clicked 'apply group policy'. Added domain controllers and denied group policy.
              4) Added Administrators group to restricted groups and added members Administrator and DOMAIN/Admins

              I followed some instructions I found online for this so the first question would be if anyone sees anything wrong with what I did. My second question is that, it appears to have worked but I noticed that the group membership for the test login is Other: Remote Desktop Users. Is this normal? I expected it to be changed to a 'Standard User' I guess.

              Comment


              • #8
                Re: Program Installation

                What does the 'Set Network Computer Access' properties do under a user accounts properties under 'Computers'? I have a choice between standard and local administrator. Can I just make the changes for all users here?

                Comment


                • #9
                  Re: Program Installation

                  Restricted Groups or visiting each PC isn't necessary in SBS 2011, as you can control what access each user has to each machine through the SBS console.
                  BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                  sigpic
                  Cruachan's Blog

                  Comment


                  • #10
                    Re: Program Installation

                    Originally posted by cruachan View Post
                    Restricted Groups or visiting each PC isn't necessary in SBS 2011, as you can control what access each user has to each machine through the SBS console.
                    That must be why people are slowly losing administrative privileges - must be taking a while for the settings to propagate. Everyone, by default only has standard access to their computer apparently - at least that's the way it is now after my 2003 -> 2011 migration. This whole thing was really throwing me for a loop. Makes my life easier now that I know this though. Thanks!

                    Comment


                    • #11
                      Re: Program Installation

                      Make sure all of your users and computers are in the correct OUs under My Business in AD, and not in the default containers as the policies that control everything won't apply to the default containers.
                      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                      sigpic
                      Cruachan's Blog

                      Comment

                      Working...
                      X