Preventing Users installing Apps.

Status
Not open for further replies.

uplinx

IS-IT--Management
Oct 20, 2005
7
GB
We're looking at implementing a new policy to prevent users in certain OUs from installing programs other than Windows updates.

Is this achieved by disabling Add/Remove in the Control Panel or is there something else I should do? I see that there is an option to run only allowed Windows programs but I guess this involves users still being able to install?

Any advice would be great, cheers!!
 
This can't be done on Windows 2000 without additional software. Basically, there is no magic "software installation" switch that you can turn off. Some applications write to the registry during install, some do not. Some write to areas of the filesystem or registry that you need admin rights to write to, others will not. For some applications the entire installation process is to create a directory, put the program in it, and you're done. It all depends upon how the particular application is installed. Some can only be installed with admin rights, others can be installed by power users or just plain users.

I do know that there is no group policy in Windows 2000 to prevent users from installing software. I have heard that with 2003 Server there is such a policy, but I doubt that it works in 100% of cases because of the wide variety of ways in which applications can be installed.
 
You can make users 'ordinary users'. This will greatly reduce the applications that can be installed, as they do not have write access to the Program Files directory, the Windows directory or the registry (other than HKEY_CURRENT_USER). The only place they can install to is their own work folder, and installs there will not alter the integrity of the OS.
Unfortunately they will be unable to perform any admin tasks like using Windows Update; to get around this you could use WSUS so updates install automatically.
 
Depends what you are trying to prevent. At our company we have it set so only an approved list of apps are allowed to run. (from their own user account - not system apps / services / processes)
This is very restrictive; but it does allow us to keep a tight control on what is on our network.

Also, by making users just 'standard' users without admin access they can still run apps that don't use a customer installer. E.g. installing Office won't work as it uses Microsoft Windows Installer. Same with apps that use InstallShield etc. However, if they do not use installer applications, such as older games that only need a folder and a small handful of .exe's under it to run, then you can't do it.

Autoupdates really are recommended on workstations (not servers though). For more control then SUS is great.

Hope this helps,


Steve.


"They have the internet on computers now!" - Homer Simpson
 
What are you using to restrict the executables that the user can run? That might do the trick for my site too.
 