Limit Software Installation for End Users

Home Forums Microsoft Networking and Management Services GPO Limit Software Installation for End Users

This topic contains 6 replies, has 4 voices, and was last updated by  h0me 1 year, 8 months ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author

  • todd231

    Pre Question statement: Most, if not every single one, of the users at all of my clients are local admins on their computers.

    I want to see if I can limit the ability of the end users to install software. I know this can be done a myriad of ways, the easiest and most common is to dump all of the users out of the “Local Admin” group on their computers and put them in a power user type role.

    But, say we don’t do that.. Say we want to keep those users as local admins… My job gets a little tougher.

    I know I can restrict software installation via GPO using things like AppLocker and editing the security levels in Software Restriction Policies.

    I’ve never done that before so I’m not 100% sure it’s going to work as I am planning. Some of the questions I have…

    1) If I use Software Restriction Policies, should I use Computer or User based policies?
    2) Is AppLocker worth setting up? I’ve never used it.
    3) Should I create an OU specific GPO for software restrictions or use the default domain policy, I’m still a little hazy as to whether or not OU overrides default domain…

    Again, and as always, any help or guidance would be greatly appreciated!


    Get the users out of the admins group!!! I don’t even run my own computers as an admin user. If I need to do an admin task, I use an admin account for that. The risks to too great and the protection you get from exploits outweighs the headaches IMO. You will mitigate so much just by doing this one best practice.


    I know, I know! everywhere I’ve worked, except one place, has had all users as local admins…

    I think, in all honesty, that’s the best and easiest solution. I’m going to pitch it over everything else.


    Cool, sounds good. :) Good luck!


    Wow this sheds some light on why I was tasked with finding this out… so one of our clients that we took over about 11 months ago is getting audited by the government. Long story short, they’re over their license count for Microsoft Office and Adobe Pro. Their old IT company kept no record of their license count or where the licenses were installed. When we took over as their managed services provider (prior to me coming on board), we didn’t due enough due diligence and find out what their actual license count was.

    So, we are going to be removing all users from the Local Admin group and putting them as power users. Our main goal is to prevent users from installing cracked/bogus copies of legit software.

    We’re also redoing our contracts to include stiffer security measures and whatnot to ensure that we are operating properly.


    So should I remove them from teh Local Admin group with an edit to teh default domain policy or create OU policies for each OU.. I’m going to be running a test tomorrow, so we’ll see.


    I would not modify the default domain policy – add an additional policy at the appropriate level (domain or OU – your choice). If your modified default policy becomes corrupted, it is the devil to sort out

    Coming back to your original post, if you use AppLocker (IMHO better than SRPs) check which edition of Windows you have – it is licensed in Win7 Enterprise only, but I think it came down to Pro for Win10)

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.