Prevent local administrators installing software

Guest

I work for a company that delivers IT support to schools. Unfortunately some
of the educational software will only run properly if a user is a member of
the local administrators group of each machine. Typically each school runs a
2000 domain with a single server.

We try as much as we can to lock down machines using domain group policy,
but as users are local administrators, they can install whatever software
they like to the machine and as yet I can't find a part of group policy to
stop installations. This is causing major annoyance as kids are downloading
free software from the web and installing it all over the place.

The only way we have been able to stop this is to use web security to block
the download of exe and zip files. We would like to stop users installing
anything on the machines.

If anyone has any suggestions they would be greatly appreciated.
 
Phillip Windell

The problem is the "educational software". That is the problem, that is
what you need to correct. The software needs to be updated or patched so it
doesn't require the admin privileges. It may also be possible to find out
why it requires admin rights and try to find a workaround that lets it run.
 
Guest

Unfortunately this is not really an option as, among the multiple different
titles the schools use, there are well over 200, and a good percentage of them
have this problem. The software companies that produce them rarely produce
patches, and are of little help. It is also impossible to stop the schools
ordering specific software.

 
Richard G. Harper

As Phillip has pointed out, you have a dilemma. There are no good choices
here. Either stop using the software in question or use non-technological
means (enforcement of rules, disciplinary policies, etc) to prevent
non-approved uses of your computers. There is no third solution available
to you.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


 
Lanwench [MVP - Exchange]

In addition to the other replies, you may be able to tweak NTFS/registry
permissions for these badly-written applications to run under a limited
account. See FileMon and RegMon from www.sysinternals.com and see what you
can do.

Remember, there is no such thing as a "limited administrator account".
 
Steven L Umbach

It is difficult if users are local administrators. What may help is to use
Group Policy User Configuration/Administrative Templates/System to take
advantage of the two settings for "run only allowed" and "do not allow" Windows
applications, after reading the whole description of what the settings do. It
may help to add at least install.exe, setup.exe, and msiexec.exe to the
Group Policy. Note that this domain/OU User Configuration will not apply if
they figure out how to create a local user account and log on with that. If
you are lucky enough to be using Windows XP Pro, Software Restriction
Policies can be used to lock down all users on a domain computer, even
local administrators. Of course, even with that they could unjoin the
computer from the domain to bypass SRP. Make sure that regular users are NOT
allowed to join workstations to the domain. By default they can do it ten
times. If you want to change that, remove Authenticated Users from the user
right to add workstations to the domain in Domain Controller Security
Policy. --- Steve
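The following is an added example, not part of Steve's post or of any Microsoft documentation. It writes the registry values that sit behind the three controls he describes (the per-user "Don't run specified Windows applications" setting, a default-deny Software Restriction Policy, and the domain's machine-account quota) so they can be inspected or staged on a test machine before the same settings are put into a GPO. The executable names are the ones from the post; the allowed-path list, the executable-type list and the use of the ActiveDirectory module are assumptions. Sections 1 and 2 are for an elevated prompt on a workstation, section 3 for a domain controller.

```powershell
# Added example (not from the thread). Run each section where the comment says.

# ---- 1. "Don't run specified Windows applications" (User Configuration) ----
# Per-user policy stored in HKCU. Matching is on the image file name only, so a
# renamed setup.exe is not caught, and a local administrator can simply delete
# these keys (the limitation Steve points out). It raises the bar for casual
# downloads, nothing more.
$blocked  = @('install.exe', 'setup.exe', 'msiexec.exe')        # names from the post
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path "$explorer\DisallowRun" -Force | Out-Null       # -Force creates parent keys
Set-ItemProperty -Path $explorer -Name DisallowRun -Value 1 -Type DWord
$n = 1
foreach ($exe in $blocked) {
    # Values are named "1", "2", ... and hold the bare executable name.
    Set-ItemProperty -Path "$explorer\DisallowRun" -Name $n -Value $exe -Type String
    $n++
}

# ---- 2. Software Restriction Policies (Windows XP Pro / Server 2003 and later) ----
# Machine policy in HKLM. Default rule Disallowed, with Unrestricted path rules
# for the OS and Program Files. PolicyScope 0 applies the policy to local
# administrators as well, which is what the per-user setting above cannot do.
# Pilot this on a test OU first: a default-deny SRP with a missing rule breaks
# that application for every user on the machine.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0 -Type DWord  # 0 = Disallowed, 0x40000 = Unrestricted
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0 -Type DWord  # 0 = all users incl. local admins, 1 = exempt admins
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1 -Type DWord  # 1 = all software files except DLLs, 2 = DLLs too
# Subset of the default designated file types (assumption: extend to taste).
Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString `
    -Value @('EXE', 'MSI', 'COM', 'BAT', 'CMD', 'VBS', 'JS', 'SCR', 'PIF', 'REG')
foreach ($allowed in '%SystemRoot%', '%ProgramFiles%') {
    # The Unrestricted level is stored as decimal 262144 (0x40000); each path
    # rule is a GUID-named subkey holding ItemData and SaferFlags.
    $rule = "$safer\262144\Paths\{$([guid]::NewGuid().ToString())}"
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData   -Value $allowed -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags -Value 0 -Type DWord
}

# ---- 3. Stop ordinary users joining machines to the domain (run on a DC) ----
# The "ten times" Steve mentions is the domain's ms-DS-MachineAccountQuota
# (default 10). Setting it to 0 removes that allowance; the user right itself
# ("Add workstations to domain") is edited in the Domain Controllers GPO as he
# describes. Requires the ActiveDirectory module (Server 2008 R2 or later).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    # Read the value back to confirm the change replicated to this DC.
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}
```

When the same values are set through Group Policy rather than by hand, they land in the same keys after gpupdate, so sections 1 and 2 double as a way to check what a GPO actually applied on a client. The SRP path rules rely on Users not having write access under %ProgramFiles% and %SystemRoot%; any folder under those trees that users can write to is an Unrestricted location and therefore a bypass.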
 
Phillip Windell

Yes, Regmon and FileMon are exactly what I had in mind. Most of these screwy
programs I have seen that only run with Admin privileges seem due to
registry permissions and not file permissions. It may be possible to apply
permissions to a particular registry key that allows it to run. Tools like
this would probably be needed because if the vendor wasn't skilled (or
cared) enough to write the App properly then they probably for the same
reason don't know how to correct it.

Programmer Beatings are my favorite solution, but sometimes I guess, you
just can't :)

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
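The following is an added example, not code from Lanwench's or Phillip's posts. It shows the workflow both of them describe: trace the application under a non-admin test account, pull out the ACCESS DENIED entries, and grant the Users group the narrowest write access on the application's own registry key and folder. Process Monitor is used as the successor to FileMon and RegMon; the application name, paths and the trace rows are constructed for illustration.

```powershell
# Added example (not from the thread). Turn a Process Monitor trace into the
# minimum ACL changes that let a badly written application run as a limited user.
#
# Record the trace while a NON-admin test user runs the application once:
#   procmon.exe /AcceptEula /Quiet /Minimized /BackingFile C:\Temp\app.pml
#   ... reproduce the failure, then:  procmon.exe /Terminate
#   procmon.exe /OpenLog C:\Temp\app.pml /SaveAs C:\Temp\app.csv

# Constructed sample of the exported CSV (column names as Procmon writes them).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:01:12.0001","readingapp.exe","1234","RegSetValue","HKLM\SOFTWARE\EduVendor\ReadingApp\LastUser","ACCESS DENIED","Type: REG_SZ, Length: 12, Data: pupil1"
"09:01:12.0002","readingapp.exe","1234","CreateFile","C:\Program Files\ReadingApp\progress.dat","ACCESS DENIED","Desired Access: Generic Write"
"09:01:12.0003","readingapp.exe","1234","RegQueryValue","HKLM\SOFTWARE\EduVendor\ReadingApp\Version","SUCCESS","Type: REG_SZ, Length: 8, Data: 3.1"
"09:01:12.0004","readingapp.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","ACCESS DENIED","Desired Access: Write"
'@

function Get-DeniedPaths {
    param([string]$Csv, [string]$ProcessName)
    # Keep only ACCESS DENIED rows from the application itself and return the
    # distinct containers (key or folder) whose ACL would need to change.
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.Result -eq 'ACCESS DENIED' -and $_.'Process Name' -eq $ProcessName } |
        ForEach-Object {
            $p = $_.Path
            if ($p -match '^HK(LM|CU)\\') {
                # Reg*Value operations log the value path; the ACL lives on the parent key.
                if ($_.Operation -match 'Value$') { $p = $p -replace '\\[^\\]+$', '' }
                $p = $p -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
                [pscustomobject]@{ Kind = 'Registry'; Path = $p }
            } else {
                # File denials: grant on the directory, not the individual file.
                [pscustomobject]@{ Kind = 'File'; Path = (Split-Path -Path $p -Parent) }
            }
        } | Sort-Object Kind, Path -Unique
}

function Grant-LimitedUserAccess {
    param([string]$Kind, [string]$Path, [string]$Principal = 'BUILTIN\Users')
    # Refuse to loosen OS-owned locations. A denial there is a defect in the
    # application, not something to fix with an ACL: write access for Users to
    # Winlogon, SYSTEM or C:\Windows is a straight privilege escalation.
    if ($Path -match '^(HKLM:\\SYSTEM|HKLM:\\SOFTWARE\\Microsoft\\Windows|C:\\Windows)') {
        Write-Warning "Refusing to grant $Principal write access to OS location: $Path"
        return
    }
    $acl = Get-Acl -Path $Path
    if ($Kind -eq 'Registry') {
        # Deliberately not FullControl: no WriteDAC/WriteOwner, so users cannot
        # re-permission the key for themselves later.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Principal,
            [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete',
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Principal,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Review the candidate list first; on the real machine, as an administrator,
# pipe it into Grant-LimitedUserAccess. The Winlogon entry will be refused.
$targets = Get-DeniedPaths -Csv $sampleCsv -ProcessName 'readingapp.exe'
$targets | Format-Table -AutoSize
# $targets | ForEach-Object { Grant-LimitedUserAccess -Kind $_.Kind -Path $_.Path }
```

Granting Modify on the program folder means every pupil can also replace the application's executables, so this is only acceptable where the program never runs under another account or with elevated rights; if it does, grant write access to a data subfolder only. Loopback on the trace after each change until the application starts cleanly as the test user.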


Phillip Windell

markcromwell said:
Unfortunately this is not really an option as, among the multiple different
titles the schools use, there are well over 200, and a good percentage of them
have this problem. The software companies that produce them rarely produce
patches, and are of little help. It is also impossible to stop the schools
ordering specific software.

I understand, I've been there too, but we have pretty much eliminated all
of those Apps except one that only a few use. Check out Lanwench's post and
my reply with it. It gives the only solution I can think of short of just
giving Local Admin access and forget it.
 
Lanwench [MVP - Exchange]

Steven L Umbach wrote:
users are NOT allowed to join workstations to the domain. By default
they can do it ten times. If you want to change that remove
authenticated users from the user right to add workstations to the
domain in Domain Controller Security Policy. --- Steve

To be honest, I have always wondered why that was enabled by default!
 
Steven L Umbach

Me too. I have never seen a good reason for it, especially by default. Maybe it
has something to do with Remote Installation Services --- Steve

