Preventing Software from being installed in a domain environment

[Leythos]

We have many XP machines in a Windows 2003 environment. What is the best
policy in AD or on the desktop to prevent a regular user from installing
software. I'd like to make sure it doesn't prevent them from modifying the
PC time or anything too restrictive.

I appreciate your advice.

The system time should be sync'd with the server, users should not have
control of the time.

As for installing software at the local machines - just making them local
Users and not local administrators works wonders.

 

[boe]

We have many XP machines in a Windows 2003 environment. What is the best
policy in AD or on the desktop to prevent a regular user from installing
software. I'd like to make sure it doesn't prevent them from modifying the
PC time or anything too restrictive.

I appreciate your advice.


Thanks

 

[Carey Frisch [MVP]]

Please visit the experts in the Group Policy newsgroup
news://msnews.microsoft.com/microsoft.public.windows.group_p­olicy

How To Use the Group Policy Editor to Manage Local Computer
Policy in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

------------------------------------------------------------------------------

:

| We have many XP machines in a Windows 2003 environment. What is the best
| policy in AD or on the desktop to prevent a regular user from installing
| software. I'd like to make sure it doesn't prevent them from modifying the
| PC time or anything too restrictive.
|
| I appreciate your advice.
|
| Thanks

 

[Mike Hall \(MS-MVP\)]

In addition to advice given, remind the users that their computers are for
company use and business only, that any software installed must be by
approval of the system administrator, and that they will be cautioned if
found to be doing unauthorised things.. it is easy enough to construct a
list of software that is acceptable to the company..

As for changing the time, why would a user feel the need to do this.. I
can't think of one instance where changing the time would be beneficial
other than in the case of a failing CMOS battery..

 

[Tom Penharston]

You cannot prevent all applications.

Some apps are distributed in self extracting executables or compressed
files. If your users are permitted to unzip their own compressed files
then they will also be permitted to unzip compressed files containing
applications.

Once the app is unzipped, the next step is execution. Users have
permission to execute from My Documents. I think the default security
status is Full Control. For example: a user can execute an installer
from the My Documents folder.

Users can add shortcuts to the Start Menu for their profile unless you
edit Group Policy. If you see new shortcuts in the Start Menu there
are two possiblities (1) an app was partially installed, shortcuts were
applied, yet the app is not functional because the installer tried to
modify the registry (or another restricted file) and the user was
notified that permissions were not sufficient for installation. The
installer quit without cleaning up the new shortcuts. (2) an app was
installed to My Documents or a similar directory and works to some
extent for the user

 

[Plato]

In addition to advice given, remind the users that their computers are for
company use and business only, that any software installed must be by
approval of the system administrator, and that they will be cautioned if
found to be doing unauthorised things.. it is easy enough to construct a
list of software that is acceptable to the company..

Grin, my wife just got a brand new laptop from work. The IT guy make it
pretty simple.
"If you install ANYTHING - we take the laptop back."

 

[Mike Hall \(MS-MVP\)]

Nazis..