Power Users Installing Software

[Guest]

Members of the local group, Power Users, are installing programs in our
domain. I thought only administrators could install programs. How do I stop
this?

 

[Mark Dormer]

Power Users can:
Run legacy applications, in addition to Windows 2000 or Windows XP
Professional certified applications.
Install programs that do not modify operating system files or install system
services.
Customize systemwide resources including printers, date, time, power
options, and other Control Panel resources.
Create and manage local user accounts and groups.
Stop and start system services which are not started by default.

Power Users do not have permission to add themselves to the Administrators
group.
Power Users do not have access to the data of other users on an NTFS volume,
unless those users grant them permission.

Remove the users from the Power Users group, but this will likely break
legacy applications.
You need to test it to see what the ramifications are for your users.

T0 get around it you can try using Software Restriction policies

How To Use Software Restriction Policies in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

Regards
Mark Dormer

 

[Steven L Umbach]

As Mark said Software Restriction Policies can be used to restrict what
applications a user can install or run. But consider that a power user can
create network shares AND local user accounts. The reason why that is
significant is that the user can create a local user account to logon to in
order to avoid domain level Group Policy restrictions. If you take a hard
look you probably will find you have no reason why your users need to be
power users. If they can not run an application as a regular user but can as
a power user then you need to adjust some folder and possibly registry
permissions for that application.

Steve

 

[Guest]

Thanks guys.