Re: Prevent local administrators installing software

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/05/04 

Date: Tue, 05 Oct 2004 02:06:55 GMT

It is difficult if users are local administrators. What may help is to use
Group Policy user configuration/administrative templates/system to take
advantage of the two settings for run only and do not allow Windows
Applications after reading the whole description of what the settings do. It
may help to add at least install.exe, setup.exe, and msiexec.exe to the
Group Policy. Note that this domain/OU user configuration will not apply if
they figure out how to create a local user account and logon with that. If
you are lucky enough to be using Windows XP Pro, Software Restriction
Policies can be used to lock down all users on a domain computer - even
local administrators. Of course even with that they could unjoin the
computer from the domain to bypass SRP. Make sure that regular users are NOT
allowed to join workstations to the domain. By default they can do it ten
times. If you want to change that remove authenticated users from the user
right to add workstations to the domain in Domain Controller Security
Policy. --- Steve

"markcromwell" <markcromwell@discussions.microsoft.com> wrote in message
news:CB59ED25-F06B-4801-85E6-1573D9117AE8@microsoft.com...
>I work for a company who delivers IT support to schools. Unfortunately some
> of the educational software will only run properly if a user is a member
> of
> the local administrators group of each machine. Typically each school runs
> a
> 2000 domain with a single server.
>
> We try as much as we can to lock down machines using domain group policy,
> but as users are local administrators, they can install whatever software
> they like to the machine and as yet I can't find a part of group policy to
> stop installations. This is causing major annoyance as kids are
> downloading
> free software from the web and installing it all over the place.
>
> The only way we have been able to stop this is to use web security to
> block
> the download of exe and zip files. We would like to stop users installing
> anything on the machines.
>
> If anyone has any suggestions they would be greatly appreciated.

Relevant Pages

  • Re: Error: the system administrator has set policies to prevent this
    ... It is probably not a group policy causing the problem. ... on the software you are installing. ... With most software power users will ...
    (microsoft.public.windowsxp.security_admin)
  • Re: restricted groups for local admin rights
    ... Restricted Groups will not want to do what you want them. ... Whether the user is in the local administrators group on a domain computer ... then bypass domain user configuration Group Policy. ... to impossible to get the application to work as a regular user. ...
    (microsoft.public.windows.group_policy)
  • Re: 5 most important Group Policy settings to configure
    ... After installing a new sbs2003 sp1 server and having XP clients what are your first edits to the group policy you set? ... a Windows Firewall exception for Anti-Virus software, ... Another useful one if you don't run users as local administrators, and therefore don't allocate users to PCs is: ... Steve Foster [SBS MVP] ...
    (microsoft.public.windows.server.sbs)
  • Applying User Configuration policies to non-administrators on Win2K3
    ... I created a test OU with three machines: Windows XP SP2, Windows Server ... Desktop Users group logs in via Remote Desktop, ... I put the user in the local administrators group, ... Running the scenario through the Group Policy ...
    (microsoft.public.windows.group_policy)
  • Re: Multiple Site Administration
    ... A domain would allow you to apply Group Policy but ... Restriction Policies to lock them down even if they are local administrators ... restrict them including setting standards for Internet Explorer Web Content ... $75] and some Linksys have SPI also. ...
    (microsoft.public.win2000.security)
Loading