Modifying win 2000 pro to prevent software installs 1

[itcamefrommars]

I'm a unix guy, but starting to use win2000pro for workstations. Is there a way to prevent software installations by regular users on those workstations.
Note: sites contain a SCO unix server, no NT/2000 server.
only windows 2000 pro workstations.
and what other kinds of workstation management can be used to prevent normal users from messing with the workstation.
would really like to lock the workstations down to our client app, office 2000, and maybe internet browsing.

 

[DeanSpencer]

What I have done in a simular situation is to make the user a power user, or you can make them just a user instead of an administrator. You can do this in Computer Management in Control Panel. I had to make my users Power Users because they are using Lotus Smartsuite and the apps would not run while they were just users. It kept telling me that it was trying to make changes to the registry and because of their permissions W2kPro would not let them.

Hope this helps..

Dean

 

[mcconmw]

Poledit is my suggestion if your not wanting to spend any money. It is a utility from MS that will help you do everything mentioned including allowing only precise executables to launch. It is not the easiest product in the world to work with, though. Little snafus around every corner and the like. It is also very poorly documented by MS (surprise, surprise), but if you wrestle it into place it'll do ok and the price is right.

 

[randyQ]

If you are on a windows network, you might have to check with your administrator because the rights assigned at the highger level will overwrite what I a about to tell you. Open the run menu and type mmc. Then click Add/Remove Snap-in from the console menu. Locate Group Policy and enable it for the "Local computer". Then OK out of the Add/Remove wizard. Now, look under the following : Console Root, Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Windows Installer. The first option in the right pane will be "Disable Windows Installer". Double-click it open and enable it, then set it to "Always". This is only a first line of defense against unauthorized installs. All this will do is disable the Windows' Installer, it won't prevent installs all together. It will also take some time before it goes through. I don't remember the default time for group policy updates. Also, if I remember correctly, any group policy objects defined at a higher level will over ride what you do locally. Just a reminder.

 

[randyQ]

Use your group policy editor to alter all the changes you want. You can do everything you metioned you wanted to do via the group policy editor. There are more options in the user configuration than in the computer configuration. Also, if you want to secure the desktop and all of its settings and icons, you can do that too. Just set it up the way you want it, then locate the user's profile in the "Documents and Settings" folder in the C drive. Then, while viewing hidden files, locate the "NTUSER.DAT" file. Rename it to "NTUSER.MAN" to make it a mandatory file. Now, whenever a user makes a change to their desktop (background, SS, icons, etc) it will revert back to the original settings when they log out. None of the changes they made will be saved. For clarity, the MAN extention basically stands for mandatory. The NTUSER file is the data file that holds all of the user's logon information. E-mail me for more detailed information on setting w2k pro or server settings. I will help with what I know. randaccss@hotmail.com

 

[BLarson]

I agree that the policy editor is the way to go. There is some pretty good documentation on it in the resource kit. And a whole guide on it usage (KB article Q161334). O'Reilly has a book on the policy editor, but it's geared more for 95/NT but has some excellent policy templates in it. (The guide in article Q161334 is also an excellent resource and a free download, but also written for NT. Don't worry though it all still applies in 2000.)

You will want to check out Knowledge Base Articles Q269799, Q225087, and download the 6 part Profiles and Policy Guide Q161334 on Microsoft's WebSite.

Plan to spend a good 6-8 hours with the guide in hand to get some working policies going, but well worth the effort in my humble opinion.

Being a Unix guy, if you aren't familir with MS site and Knowledge Base Articles. Go to

http://www.microsoft.com,

in the upper right hand corner is the "search" option, click on it and type the article # (I.E. Q######) and it will get you there.

Here is an overview. "

http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/dsec/dsec_pol_nrqn.asp"

With a download from a chapter in an MS Press publication about it.

Some more info from MS Developers Network. "

http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/sysmgmt/syspol_4rs5.htm".

Good luck.