Re: How to prevent users from installing programs.



RandyH <RHollaw@xxxxxxxxxxx> wrote:
I guess Disable Windows Installer could have been a good answer too.
Thanks for the KB, I had followed most of that article minus the
Disable Windows Installer setting.

Do you know anything about Worldox? It's a POS and we've tried what
you have suggested in the past without success.

Again, thanks for the KB...

No prob. I presume that by POS you don't mean "point of sale" but something
else. ;-)
And no, I'm not familiar with it. Just try the Sysinternals tool...it's very
handy.



Lanwench [MVP - Exchange] wrote:
RandyH <RHollaw@xxxxxxxxxxx> wrote:
We have an app that requires users to be local admins, crappy I
know, but how can I prevent users from installing programs?

If the TS has to be in admin mode anyway, why would MS let programs get
installed otherwise????? - rant..

You can lock down most everything you need to --and should-- but why
not fix the underlying problem with this application first? You
should be able to identify the file system & registry areas to which
it wants access - try using Process Monitor from Sysinternals
(available for download on the MS website). Users should not be
admins on workstations, let alone servers & you shouldn't have to
leave them that way.

Basics: you should be running Terminal Services on a dedicated
member server with *no* other roles on the network. It should be set
up in its own OU, with a policy specifically for TS (including
loopback processing so that all users who log in get the same
settings, regardless of their own inherited user policy settings).
See KB 278295 for some good lockdown suggestions. Also see MVP
Patrick Rouse's articles at
http://www.sessioncomputing.com/articles.htm
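
Added example, not part of the thread: one way to act on the Process Monitor suggestion above is to capture a trace while the application runs as a standard user, export it as CSV, and summarize which folders and registry keys returned ACCESS DENIED, so that only those get ACL grants instead of local admin. The process name `legacyapp.exe`, the paths and the sample rows are constructed; the column names assume Process Monitor's default CSV export layout.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor's default CSV export layout.
# "legacyapp.exe" and every path below are made-up placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\data\cache.dat","ACCESS DENIED","Desired Access: Generic Write, Disposition: OpenIf"
"10:01:02.3","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\data\index.dat","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","legacyapp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyApp\Settings\LastUser","ACCESS DENIED","Type: REG_SZ"
"10:01:02.5","legacyapp.exe","4120","RegCreateKey","HKLM\SOFTWARE\LegacyApp\Settings","ACCESS DENIED","Desired Access: All Access"
"10:01:02.6","legacyapp.exe","4120","CreateFile","C:\Windows\legacyapp.ini","SUCCESS","Desired Access: Generic Read"
"10:01:02.7","legacyapp.exe","4120","RegOpenKey","HKCU\Software\LegacyApp","NAME NOT FOUND","Desired Access: Read"
"10:01:02.8","explorer.exe","1832","CreateFile","C:\Program Files\LegacyApp\data\cache.dat","ACCESS DENIED","Desired Access: Generic Write"
'''

REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")
# For these operations the Path column is key\value, so the key is the parent.
VALUE_OPS = {"RegSetValue", "RegDeleteValue"}


def denied_areas(csv_text, process_name):
    """Count ACCESS DENIED events per folder or registry key for one process."""
    areas = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # another process touching the same paths
        if row["Result"] != "ACCESS DENIED":
            continue  # SUCCESS, NAME NOT FOUND etc. need no permission change
        path = row["Path"]
        kind = "registry" if path.upper().startswith(REGISTRY_PREFIXES) else "file"
        if kind == "file" or row["Operation"] in VALUE_OPS:
            path = path.rsplit("\\", 1)[0]  # collapse to containing folder/key
        areas[(kind, path)] += 1
    return areas


if __name__ == "__main__":
    # For a real export: open(path, newline="", encoding="utf-8-sig").read()
    for (kind, area), hits in denied_areas(SAMPLE_CSV, "legacyapp.exe").most_common():
        print(f"{hits:3d}  {kind:8s}  {area}")
```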


