Prevent Software Installation on Clients Windows Server 2008

5 pts.
Group Policy
Network security
Windows Server 2008
Can someone tell me how difficult it is to remove Installation rights from a group of users who use workstations on a Windows 2008 network? I've been told that doing so requires one to do a file audit of all files on the workstations to find out which programs need to write to the local disks to allow them access to do that, but that seems like that would be way overboard to have to do that. All I would want to do is prevent "normal" employees from downloading and installing stuff they find on the internet, or from their home CDs, but yet to ensure they can still use company software that does write to the local disk as well as to the network. Thank you.

Answer Wiki

Thanks. We'll let you know when a new response is added.

Preventing users from installing software.

Users love to install stuff on their computers—I’m thinking Google toolbar, Yahoo toolbar, Skype and so on. Unfortunately many business don’t want users to be able to do this because if installing such software should destabilize their systems, support costs will escalate.

What are some of the ways you can try to prevent users from installing software on their computers?

First, make sure users are ordinary users and not members of the Power Users or Administrators local groups on their machines.

This should always be your first line of defense.

Second, you can implement software restriction policy using Group Policy to block specific executables or msi files from being run on targeted users’ machines.

Third, (AND MOST IMPORTANTLY!) you can block users from accessing the websites where they can download such software by configuring your perimeter firewall/proxy server.

And fourth, you could implement mandatory user profiles.

There are many ways to do it and you creativity and imagination is all that limits you. Good luck and if you need more specific advice let me know!


You are right, first a complete study needs to be done with regards to all the applications that you have in your organisation and the rights that are needed to work on these applications.
I have come across many such custom bulit applications that require a user to have administrator rights to even execute !!!!

The best way is to identify a single machine, make it a test bed for all applications and check each application individually .


You could partially prevent software installations by disabling the windows installer through a GPO, but since not all applications use the windows installer, this is not a complete solution.

To disable it, open the appropriate GPO in the Group Policty Management editor and enable the ‘disable windows installer’ option in Computer Configuration -> Policies -> Administrative templates -> Windows components -> Windows installer.

Discuss This Question:  

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: