Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Preventing Users installing Apps.

Status
Not open for further replies.
uplinx

uplinx

IS-IT--Management
Oct 20, 2005
7
GB
We're looking at implementing a new policy to prevent users in certain OU's from installing programs other than windows updates.

Is this achieved by disabling Add/Remove in the control panel or is there something else I should do. I see that there is an option to run only allowed windows programs but I guess this involves users still ebing able to install?

Any advice would be great, cheers!!
 
Sort by date Sort by votes
This can't be done on Windows 2000 without additional software. Basically, there is no magic "software installation" switch that you can turn off. Some applications write to the registry during install, some do not. Some write to areas of the filesystem or registry that you need admin rights to write to, others will not. For some applications the entire installation process is create a directory, put the program in it, and you're done. It all depends upon how the particular application is installed. Some can only be installed with admin rights, others can be installed by power users or just plain users.

I do know that there is no group policy in Windows 2000 to prevent users from installing software. I have heard that with 2003 Server there is such a policy, but I doubt that it works in 100% of cases because of the wide variety of ways in which applications can be installed.
 
Upvote 0 Downvote
You can make users 'ordinary users' this will greatly reduce the applications that can be installed as they do not have write access to the program files directory, the windows directory or the registry (other than HK current user). They only place they can install to is their own work folder and installs there will not alter the integrity of the OS.
Unfortunatly they will be unable to perform any admin tasks like using windows update, to get around this you could uses WSUS so updates install automatically.
 
Upvote 0 Downvote
Depends what you are trying to prevent. At our company we have it set so only an approved list of apps are allowed to run. (from their own user account - not system apps / services / processes)
This is very restrictive; but it does allow us to keep a tight control on what is on our network.

Also, by making users just 'standard' users without admin access they can still run apps that don't use a customer installer. E.G. Installing office won't work as it uses Microsoft Windows Installer. Same with apps that use InstallShield etc. However if they do not use installer applications such as older games that only need a folder and a small handfull of .exe's under it to run then you can't do it.

Autoupdates really are recommended on workstations (not servers though). For more control then SUS is great.

Hope this helps,


Steve.

Steve.

"They have the internet on computers now!" - Homer Simpson
 
Upvote 0 Downvote
What are you using to restrict the executables that the user can run? That might do the trcik for my site too.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

tviman
  • Locked
  • Question
How to restrict RDP users to the desktop 2
Replies
13
Views
470
strongm
strongm
tviman
  • Locked
  • Question
Remote Apps vs Remote Desktop Connection
Replies
0
Views
161
tviman
tviman
kolob4all
  • Locked
  • Question
Restrict AD users to login to specific computers
Replies
0
Views
141
kolob4all
kolob4all
abm-support
  • Locked
  • Question
Essentials Server 2012 not showing users or devices
Replies
0
Views
169
abm-support
abm-support
Hfnet
  • Locked
  • Question
Publishing apps on RDS 2012 R2 from another server
Replies
0
Views
120
Hfnet
Hfnet

Part and Inventory Search

Sponsor

Back
Top