Restrict Software installs using Group Policy

Hi,

I have the following setup:

Windows 2003 domain (single domain, single forest), mixed mode, Windows
2000/XP clients in a WAN-connected environment. 3000 users.

I would like to achieve the following (if Possible):

1) Use GPO to prevent users from installing ANYTHING (all software, not only
the Windows Installer) on their computers
2) Use GPO and maybe a logon script (KiXtart) to install software on all client
computers when they log on
3) Make sure that required KiXtart files and other TXT files can be copied to
the user's system.
4) Make sure batch files can run on the user's computer provided they don't
call an installer.

Any help would be greatly appreciated.

Thanking You

Elvis
 
Elvis,

See responses below:

1. Not really possible without other intervention. You can disable the
installer via GPO and then use User permissions, file permissions, and
security templates to lock the rest down. Alternatively, you can use a
program like DeepFreeze to lock down the system HD to prevent persistent
installation of applications.

2. There are a number of Docs on this on the MS site. I'd suggest you do a
search there for either their best practices or step-by-step guides.

3. With the system locked down, you'll need to elevate your privileges to
install. Look to the Sanur.exe utility to do this. It will allow you to
elevate in a batch without prompting for a password.

4. You're trying to have it both ways with that statement. Limit your
permissions to exactly what they need and elevate when you need alternate
permissions. That is the only way around that.
 
Hi Ryan,

Thanks for your input...To be honest this looks really complicated...I was
wondering if you could point me to any docs. This would be greatly
appreciated.

Thanking You

Elvis
 