Re: How to prevent users from installing programs.

Tech-Archive recommends: Fix windows errors by optimizing your registry

You could also remove the execute file permissions from key directories.
this works beautifully for most things.

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"RandyH" <RHollaw@xxxxxxxxxxx> wrote in message
news:%23ta7tQ99IHA.224@xxxxxxxxxxxxxxxxxxxxxxx
Thank you again Vera.

I had a user install WinRar. My boss told me I need to take an outage and
remove winrar and install it in admin mode..

Vera Noest [MVP] wrote:
No, this setting is about the difference between installing applications
per computer or per user.
Tip: read the "Explain" text that is available for all GPO settings:

This setting allows you to configure user installs. To configure this
setting, set it to enabled and use the drop-down list to select the
behavior you want. If this setting is not configured, or if the setting
is enabled and Allow User Installs is selected, the installer allows and
makes use of products that are installed per user, and products that are
installed per computer. If the installer finds a per-user install of an
application, this hides a per-computer installation of that same product.
If this setting is enabled and Hide User Installs is selected, the
installer ignores per-user applications. This causes a per-computer
installed application to be visible to users, even if those users have a
per-
user install of the product registered in their user profile. If this
setting is enabled and Prohibit User Installs is selected, the installer
prevents applications from being installed per user, and it ignores
previously installed per-user applications. An attempt to perform a
per-user installation causes the installer to display an error message
and stop the installation. This setting is useful in environments where
the administrator only wants per-computer applications installed, such as
on a kiosk or a Windows Terminal Server.

And for the setting Disable Windows Installer, the "Explain" text says:
"This setting affects Windows Installer only. It does not prevent users
from using other methods to install and upgrade programs."

You're only option is to limit the user's rights and permissions.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

RandyH <RHollaw@xxxxxxxxxxx> wrote on 06 aug 2008 in
microsoft.public.windows.terminal_services:
I was looking at Disable Windows Installer setting and see
another setting called, Prohibit User Installs.

Would that prevent users from installing programs?

The Disable Windows Installer, would that only apply to MSI's?

Thanks again,
RandyH



Lanwench [MVP - Exchange] wrote:
RandyH <RHollaw@xxxxxxxxxxx> wrote:
I guess Disable Windows Installer could have been a good
answer too. Thanks for the KB, I had followed most of that
article minus the Disable Windows Installer setting.

do you know anything about Worldox? it's a POS and we've
tried what you have suggested in the past without success.

again, thanks for the KB...
No prob. I presume that by POS you don't mean "point of sale" but
something else. ;-)
And no, I'm not familiar with it. Just try the sysinternals
tool...it's very handy.

Lanwench [MVP - Exchange] wrote:
RandyH <RHollaw@xxxxxxxxxxx> wrote:
We have an app that requires users to be local admins,
crappy I know, but I how can i prevent users from installing
programs?
If the TS has be in admin mode anyway, why would MS let
programs get installed otherwise????? - rant..
You can lock down most everything you need to --and should--
but why not fix the underlying problem with this application
first? You should be able to identify the file system &
registry areas to which it wants access - try using Process
Monitor from Sysinternals (available for download on the MS
website). Users should not be admins on workstations, let
alone servers & you shouldn't have to leave them that way.
Basics: you should be running Terminal Services on a dedicated member
server with *no* other roles on the network.
It should be set up in its own OU, with a policy specifically
for TS (including loopback processing so that all users who
log in get the same settings, regardless of their own
inherited user policy settings). See KB 278295 for some good
lockdown suggestions. Also see MVP Patrick Rouse's articles
at http://www.sessioncomputing.com/articles.htm



.

Relevant Pages

  • Re: Word 2000 problems/errors
    ... BUT once I went back to Microsoft ... Error Starting Programs Due to Missing Installer ... >>Suzanne S. Barnhill ... >>Microsoft MVP ...
    (microsoft.public.word.application.errors)
  • Re: Reinstall windows installer
    ... download this SP1 update for WIndows Installer: ... Jabez Gan [MVP] ... Microsoft MVP: Windows Server ...
    (microsoft.public.windows.server.general)
  • Re: Reinstall windows installer
    ... Microsoft MVP: Windows Server ... MSBLOG: http://msblog.resdev.net ... Installer isn't part of Sp1). ...
    (microsoft.public.windows.server.general)
  • Re: Reinstall windows installer
    ... so assume my updates are really messed up. ... Microsoft MVP: Windows Server ... Win Installer isn't part of Sp1). ...
    (microsoft.public.windows.server.general)
  • Re: newbee - first time using the package and deploy wizard
    ... I think you mean Visual Installer... ... Chris Hanscom - Microsoft MVP ... "JP Bless" wrote in message ... >>> windows do the resolution. ...
    (microsoft.public.vb.general.discussion)