Restrict users from installing software

Jon Montana

I want to restrict users from installing s/w on their PCs, but not by adding
them to Power Users as suggested in some of the posts.

I want the ability to move them from an OU that restricts them from
installing s/w to an OU that will enable them to install s/w.

So far, I have been unable to locate a group policy or domain policy that
will allow me to do this.

I would greatly appreciate any input.

--
(DISCLAIMER: The preceding message reflects the opinion of only 1 out of
billions of Internet and Newsgroup users. It does not reflect the opinions
of any businesses, clubs, organizations, religious groups, unions,
associations, corporations, people, or small farm animals.)

--
 
Oli Restorick [MVP]

Adding users to the Power Users group will allow them to install software.
Once you make a user a Power User you have given them a large amount of
rights to the machine.

You can use restricted groups to control membership of local machine groups.

If you have software that does not run properly as a normal user then you
should, aside from looking at buying software from a company that knows how
to program, give just the permissions that program needs to run and not, as
some people do, give users power user or administrator rights to the
machines.

You should look at security templates for a method of enforcing uniformity
in your workstation security.

Regards

Oli
 
Oli Restorick [MVP]

I agree.

Once you've given a user temporary admin rights to the machine, though, it's
just a few mouse clicks to give their domain account admin rights. Unless
you, as an administrator, are very thorough in auditing access rights once
you remove their temporary access, the user may well have admin rights
anyway.

If your users aren't able to work that out, they probably shouldn't be in a
position to install their own software anyway.

Oli


MadDHatteR said:
I dislike the cutesy built-in groups like "power users" and "guests". Make
your own groups and assign the rights they need, not the rights Microsoft
thought they'd want.

You can't prevent users from installing _any_ software without severely
limiting their ability to use the computer. Some programs (our labs get
littered with programs like trillian, for example) will both install and run
as an unprivileged user. The only way to avoid this (that immediately comes
to mind) is to make a policy that says "only these applications can be run:
winword.exe, excel.exe, ..."

That said, by locking down your file system and registry, you can prevent
users from installing _most_ software. You can at least force them to
install/run from their home directory instead of the workstation's c: drive.
Users do not need write/modify permission to the vast majority of the
workstation's hard drive. Simply providing read/execute permission for
c:\winnt and c:\program files will be a start, for example. Same for the
registry - give read access as needed and write access only when really
necessary.

As for giving users permission to install when you want... I'd recommend
making a domain group (call it WorkstationAdmins or something) part of the
Administrators group on each workstation. By moving users into/out of the
domain WorkstationAdmins group, they will be given/revoked administrator
rights to the workstations, allowing/disallowing them software installation
privileges.

Now my 2 cents: If you trust your users to install software on their own
boxes *some* of the time, you should trust them all the time. It's all or
nothing. Who's to say they won't install mrnastyprogram.exe when you grant
admin rights to install mrniceprogram.exe? If you want to prevent software
installation by users, you should only have administrators install software.
I guess I don't see the point of juggling around users to make them admins
sometimes but not all times.

\\ MadDHatteR
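
The audit discussed in this thread, as an added example that is not code from any poster: it checks a workstation's local Administrators group for members left behind after temporary admin access, by comparing `net localgroup Administrators` output against an approved list. The domain name CORP, the account jdoe and the approved list are constructed assumptions; WorkstationAdmins is the group name suggested in the thread.

```powershell
# Added example: flag local Administrators members that are not approved.
# CORP and jdoe are constructed; WorkstationAdmins is the group name
# suggested in the thread. Adjust the approved list to your own domain.
$Approved = @(
    'Administrator',
    'CORP\Domain Admins',
    'CORP\WorkstationAdmins'
)

function Get-UnexpectedAdmin {
    param(
        [string[]]$NetOutput,   # lines printed by "net localgroup Administrators"
        [string[]]$Approved
    )
    $inMembers = $false
    foreach ($line in $NetOutput) {
        # Member names start after the row of dashes.
        if ($line -match '^-{10,}\s*$') { $inMembers = $true; continue }
        if (-not $inMembers) { continue }
        $name = $line.Trim()
        # Skip blanks and the trailing status line (English output assumed).
        if ($name -eq '' -or $name -like 'The command completed*') { continue }
        # -notcontains compares case-insensitively.
        if ($Approved -notcontains $name) { $name }
    }
}

# Constructed sample of "net localgroup Administrators" output.
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\WorkstationAdmins
CORP\jdoe
The command completed successfully.
'@ -split "`r?`n"

# On a live workstation, pass: -NetOutput (net localgroup Administrators)
$unexpected = @(Get-UnexpectedAdmin -NetOutput $sample -Approved $Approved)
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unapproved local admins: " + ($unexpected -join ', '))
}
```

With the constructed sample, the warning names CORP\jdoe, the kind of direct membership that survives when a user is later removed from the WorkstationAdmins domain group.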
 
