Re: How to prevent users from installing programs.

RandyH <RHollaw@xxxxxxxxxxx> wrote:
I was looking at Disable Windows Installer setting and see another
setting called, Prohibit User Installs.

Would that prevent users from installing programs?

The Disable Windows Installer, would that only apply to MSI's?

Thanks again,
RandyH

Did you try my suggestion? I think you're going to make yourself crazy with
this one. The right answer is to revoke the admin rights (as well as run
general policy lockdown). Anything else you do will be a kluge and not a
simple one.



Lanwench [MVP - Exchange] wrote:
RandyH <RHollaw@xxxxxxxxxxx> wrote:
I guess Disable Windows Installer could have been a good answer too.
Thanks for the KB, I had followed most of that article minus the
Disable Windows Installer setting.

do you know anything about Worldox? it's a POS and we've tried what
you have suggested in the past without success.

again, thanks for the KB...

No prob. I presume that by POS you don't mean "point of sale" but
something else. ;-)
And no, I'm not familiar with it. Just try the sysinternals
tool...it's very handy.


Lanwench [MVP - Exchange] wrote:
RandyH <RHollaw@xxxxxxxxxxx> wrote:
We have an app that requires users to be local admins, crappy I
know, but I how can i prevent users from installing programs?

If the TS has be in admin mode anyway, why would MS let programs
get installed otherwise????? - rant..
You can lock down most everything you need to --and should-- but
why not fix the underlying problem with this application first? You
should be able to identify the file system & registry areas to
which it wants access - try using Process Monitor from Sysinternals
(available for download on the MS website). Users should not be
admins on workstations, let alone servers & you shouldn't have to
leave them that way. Basics: you should be running Terminal
Services on a dedicated
member server with *no* other roles on the network. It should be
set up in its own OU, with a policy specifically for TS (including
loopback processing so that all users who log in get the same
settings, regardless of their own inherited user policy settings).
See KB 278295 for some good lockdown suggestions. Also see MVP
Patrick Rouse's articles at
http://www.sessioncomputing.com/articles.htm



.

Relevant Pages

  • Virtual PC 2007 and 2007 SP1 - One Buggy Program
    ... errors while installing programs; ... Programs that would just stop responding while installing them from a CDROM. ... everthing worked fine on my dual core machine as well. ...
    (microsoft.public.mac.virtualpc)
  • Re: Multiple versions
    ... have had regarding installing programs, ... the syntax of his question is not concise you may waste time answering the ... there is a great thing we, as humans, have that the computers we use ...
    (comp.os.linux.misc)
  • Re: How to prevent users from installing programs.
    ... Would that prevent users from installing programs? ... If the TS has be in admin mode anyway, ... set up in its own OU, with a policy specifically for TS ...
    (microsoft.public.windows.terminal_services)
  • Re: How to prevent users from installing programs.
    ... Would that prevent users from installing programs? ... The Disable Windows Installer, would that only apply to MSI's? ... The right answer is to revoke the admin rights (as well as run general policy lockdown). ...
    (microsoft.public.windows.terminal_services)
  • Re: Oddity with updates
    ... Installing a mail server really shouldn't ... It of course propagates across the entire domain, so updates ... Then of course how it modiies policy without ... >> It did this both under the local administrator account as well as the ...
    (microsoft.public.windows.server.general)