GP to prevent domain users from installing any software

5 pts.
Tags:
GPO
Microsoft Windows Server 2003
Dear All, I have Windows 2003 domain and some users have local admin rights. I would like to prevent these users from installing any software on their PCs. Thanks and regards, Ziad

Answer Wiki

Thanks. We'll let you know when a new response is added.

One way that we do this is to not allow programs like setup.exe and
install.exe to run. This is not a perfect solution but keeps most of our
users from installing crap. To enable and list the programs you don’t want run go to

User Configuration->Administrative Templates->System->Don’t allow
specified Windows applications in group policy editor.

If the users were not admins that would be a better solution.

Discuss This Question: 1  Reply

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Pjb0222
    If they have local administrative access on the system you cannot prevent them from installing software. You can only make it more difficult. Note that in Windows, certain classes of applications do not need administrative privileges to install. This is true in many OSs. The only method of lockdown that might succeed is a restrictive mandatory profile that locks down the desktop and start menu along with a white list of allowable applications. In conjunction with senior management, create an acceptable use policy with teeth and enforce it. Setup logging for the system and audit who does what. Also, you can require those with local administrative access to be responsible for reloading their own systems anytime an unauthorized application is found on their system. This requires a good automated lite touch or zero touch build process (and the always required senior management backing). It does wonders to get people to stop loading software on their own. Especial after they have to explain to their manager why that report is late because of the fifth system reload for the month because they broke software installation policy. There are also utilities that available to assist with removing the need for local administrative privileges. Finally there are things like MS Steady State or other 3rd party products that return a system to a known state. It can be an interesting experience to watch someone install and application, reboot the system to complete and the system comes back up to the state prior to the install...
    3,310 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following