How can I prevent a user from installing unwanted software?

Tags:
Group Policy
Windows Security
How can I restrict a user from installing any software by making a Group Policy on domain server?

Answer Wiki

Thanks. We'll let you know when a new response is added.

Software restrictions allows for this scenario by restricting software that can be executed by a user– including installers.

This can be done in two locations, but typically is done in both locations for greater security. The first location os in the computer policy, in Group policy management go to “Computer Configuration -> Windows Settings -> Security Settings -> Software restrictions Policy -> security levels” and set the policy to “Disallowed” to be enabled. (Note that you may not have that last section of Security levels until you right click software restrictions policy and create a software restriction policy.)

Secondly you do something similar to this in “User Configuration -> Windows Settings -> Security Settings -> Software restrictions Policy -> security levels”.

Remember, User policies apply to OU’s where users are stores and computer policies apply to OU’s where computers are stored… there is no benefit of applying a user policy to an OU where only computers reside, unless a child OU contains users.

The hardest part of getting software restrictions right is that by default it restricts EVERYTHING from running outside of the standard OS components– thankfully Microsoft gives us these locations and files by default when you create the policy.

There are Several ways you can allow applications to run (Or not run):

  1. Via a Path
  2. Via a FileName
  3. Via a MD5 HASH of the file

Discuss This Question: 1  Reply

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Wrobinson
    You can use group policy to restrict user's ability to install and run software as outlined above. For example, you can restrict access to Add/Remote programs and if I remember correctly, also use of the Microsoft Installer but if users do not have privileges to install software in the first place, such as by not being local administrators on their computers, then much of this worry is avoided. If this is not possible, then group policy can definitely be of use in accomplishing these and other tasks.
    5,625 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following