Prevent users from installing software? 1

[pgarrett42]

Ok, I'm hoping I'm missing something very obvious here.

We are starting our conversion to a w2k environment. I need a way to configure the user accounts (domain) so that the individual user cannot install/remove (priority is to prevent install) software onto their machines. We would like to restrict this function to administrator accounts only. The closest item I've found is a setting to prevent the user from installing device drivers.

Can anyone point me in the right direction here?

Thanks in advance...

 

[itpro34]

Just DONOT give them "local" administrative rights. This will prevent them from loading software from any media device to that local machine.
Cheers

 

[doomhamur]

itpro is right, just dont assing Administrator rights to the users. You should also checkout Group Policy. There are alot of lockdown options that can help.

Have a nice day Doomhamur
Network Engineer
"Certifications? we dont need no stinking certifiaction."

 

[tainguyen]

go to users and passwords in control panel, under users tap click the user that you want to restrict and click property and check restricted user. that's it. they will not be able to install anything.
\

 

[pgarrett42]

These tips seem to work perfectly with local logins to the machines. However, I need a way to restrict domain logins. These accounts do not even appear in the user/password app in the control panel. I'm still reading up on group policy but as of yet have not been able to block the users ability to install.

I've been looking for a utility similar to what we used in win98 (policy/profile editor) but so far have come up empty.

 

[martoine]

pgarrett,

default NTFS permissions give normal users Read only rights to C:\Program Files - so no installation possible. Unfortunately you can only keep these permissions if you've got all Win2k compliant software. We don't, so I've had to really loosen the NTFS permissions in our environment.

I haven't found too many GPObjects that help, but here's one that prevents them from bringing it in and installing:

UserConfig\AdminTemplates\WindowsComponents\WindowsInstaller
- enable the "Disable Media source for any install"

You can also disable Windows Installer via GPO for users - but things like Yahoo Messenger and the like often install via web downloads, and do not use it.

One last thing that we've done is to prevent the running of some applications such as ypager.exe via GPO. You can find that one here:
UserConfig\System - "don't run specified windows applications" create a list of a few and try it out.

We also tried a product recently called Clean Slate - very pricey, highly touted, but REALLY buggy and entirely too complicated for our environment.

Still looking for the killer app here too...
Best,

Marty

 

[evadjm]

Hi

Make them power users this way they can't install programs or alter ip address etc. To do this right click my computer and click manage, double click local users and groups, groups sub and power users and add authenicated users then ok. This makes all users who log on to the domain, power users. We use this system when installing all new pcs in the hospital where I work. Hope this helps.

Dave

 

[Davetoo]

Unfortunately, none of these "solutions" will actually do what you're probably wanting to do, prevent the user from installing any new software not specifically authorized by the IT department.

While they will prevent users from installing certain software in certain scenarios, there are ways around each method listed, or software that can still be installed with the above obstacles in place. That's really all you can do is place obstacles in the way of the users from installing software on their own.

Take a look at

http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicy.asp,

lot of good information there on how to manage most of what you want to do via GPO's. Coordinate that implementation with a tight company policy, and you're doing the best you can do until some of the promised vaporware arrives in shrink wrap.

Dave