Re: How to prevent users from installing programs.
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 4 Aug 2008 15:54:57 -0400
RandyH <RHollaw@xxxxxxxxxxx> wrote:
We have an app that requires users to be local admins, crappy I know,
but I how can i prevent users from installing programs?
If the TS has be in admin mode anyway, why would MS let programs get
installed otherwise????? - rant..
You can lock down most everything you need to --and should-- but why not fix
the underlying problem with this application first? You should be able to
identify the file system & registry areas to which it wants access - try
using Process Monitor from Sysinternals (available for download on the MS
website). Users should not be admins on workstations, let alone servers &
you shouldn't have to leave them that way.
Basics: you should be running Terminal Services on a dedicated member server
with *no* other roles on the network. It should be set up in its own OU,
with a policy specifically for TS (including loopback processing so that all
users who log in get the same settings, regardless of their own inherited
user policy settings). See KB 278295 for some good lockdown suggestions.
Also see MVP Patrick Rouse's articles at
http://www.sessioncomputing.com/articles.htm
.
- Follow-Ups:
- Re: How to prevent users from installing programs.
- From: RandyH
- Re: How to prevent users from installing programs.
- References:
- How to prevent users from installing programs.
- From: RandyH
- How to prevent users from installing programs.
- Prev by Date: Re: Restricting users to login on the server.
- Next by Date: Re: How to prevent users from installing programs.
- Previous by thread: How to prevent users from installing programs.
- Next by thread: Re: How to prevent users from installing programs.
- Index(es):
