Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Need help locking down a Windows 2000 Pro desktop

Status
Not open for further replies.

ppapared

Technical User
Nov 5, 2002
4
US
I have a Windows 2000 Pro computer in which I have to give the users Power User access on the local machine to be able to run a program. How can I keep the users from being able to install any type of program while being in the Power Users group on the local machine. The program requires them to be in the Power Users group and will not run if they are in the Users Group on the local machine. I keeps giving an error. I could upgrade the software but it is an expense we are trying to avoid.
 
What I would do is find out exactly why you have to give them Power User capabilities. Many programs just need the user to have read and write access to certain files and folder. Some of those folders are in WINNT and SYSTEM32 which is restricted to regular users. Find THOSE needed files and folders and grant read write permissions to EVERYONE. Then you won't need to grant PowerUser permissions.

I checked Local Group policies and I don't see any option for you to disable anyone from being able to install software. Not saying it's not there, I just didn't find it.
 
Oh, I should have thought of this. To find out what files and folders you users need access to, get filemon.exe from Microsofts website. It will make a log of all files accessed while running the computer. Run it when you execute the program in question and then review it. There will be a lot of information to review (because other processes are running) but it can be a good place to start.

Also, you might need to grant access to some registry keys. Remember that regedit doesn't let you set security settings for the registry but regedt32 does. I think there is a program like filemon.exe that does the same for the registry. regmon.exe perhaps????
 
As long as you aren't running group policy, try this. Open the local security settings folder as author. Add the snap-ins for group policy and security templates. When group policy is not in place the group policy sttings you make are appliend to the local workstation only. You can hide the ADD/Remove programs icon, or any other icon you want, as well as all kinds of other neat restrictions!

Sue
 
You could also try Fortres 101 which will allow you to select certain icons or programs and set them up so that when a user tries to execute it nothing will happen. It is set up to where you have to press CTRL-L to even get prompted for a password to have access to that icon or program.
 
I would look into a local policy. With a policy you can disable the windows installer as well as a whole bunch of other stuff. This is the route I took for my lab computers.

Or you can edit the permissions for the program and what it needs to run as a user. I always start checking permissions with the programs folder and work my way in the the registry. With regedt32 you can change any additional needed permissions.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top