Restrict Users from Installing programs

Dankwa

I use Windows 2000 Professional on a small network in a
workgroup so all the users can use all the resources on the
network.
My problem is that users are now installing all kinds of
programs on their computers.
I will want to restrict them from downloading and
installing any programs on their computers.
I know that can be done with gpedit.msc on individual
computers, but how do I do that?
Help needed please.
Thanks
 
Lanwench [MVP - Exchange]

The first thing I'd suggest is that you take away their local admin rights.
Do they need such rights to run any of their software?
Also, make sure it's a known company policy that users are *not* to install
anything, and that there will be consequences if they don't comply. Remind
them that this is not their home computer.
 
Herb Martin

Dankwa said:
I use Windows 2000 Professional on a small network in a
workgroup so all the users can use all the resources on the
network.
My problem is that users are now installing all kinds of
programs on their computers.
I will want to restrict them from downloading and
installing any programs on their computers.
I know that can be done with gpedit.msc on individual
computers, but how do I do that?

Actually this is pretty hard. In some sense it cannot be done
(for ordinary users) or it is fairly complex to approach.

First, use a firewall or Proxy server with filters to STOP the
downloading or even take away Internet privilege -- ISA is
great for this, allowing you to control access to the Internet
by user or group membership.

Second, use permissions to control WHERE the user can
place items but understand if you give them a "HOME" or
My Documents directory they are going to be able to WRITE
to the drive and that's all many programs take.

You can also try removing the DEFAULT permissions for
EXECUTE from the "Advanced and Special" permissions without
removing READ etc. Perhaps by making a Group and denying
execute explicitly. This only truly works if you own the directory
and your users don't know how to change permissions (the owner
can always change permissions if they can find the tools.)

You can use Software restriction policy which is the closest to
what you really want but this is touchy to set up for large numbers
of users -- combine it with permissions so that only those marked
by signature in the locations the users can control can work.

You might also consider "quotas" but that is a brute force
technique.
 
Herb Martin

"Lanwench [MVP - Exchange]"
The first thing I'd suggest is that you take away their local admin rights.
Do they need such rights to run any of their software?
Also, make sure it's a known company policy that users are *not* to install
anything, and that there will be consequences if they don't comply. Remind
them that this is not their home computer.

I like that -- really -- tell them to STOP THAT!
 
Steven L Umbach

Some things to try.

1. Make sure they are only regular users.

2. Make sure that everyone/users have no more than read/list/execute
permissions to the root/drive folder and be sure to check advanced
permissions also.

3. You might try changing the NTFS permissions to the profile under
documents and settings using special permissions to deny them creating new
folders for apply onto "folders and subfolders". It will make it more
difficult for them to install software in their profiles as many
applications will try to create a folder during the install.

4. In Internet Explorer configure the internet zone properties to not allow
downloads. You will have to configure local Group Policy so they can not
access those settings.

5. Consider a personal firewall so that they can only use authorized
applications for the internet such as Internet Explorer and not other
browsers or things like Kazaa.

6. Use local Group Policy via gpedit.msc. Keep in mind that local Group
Policy will apply to ALL users on a computer by default. Administrators can
still manage a computer locked down via Group Policy remotely, however, while
logged onto another network computer with admin credentials on the target
computer via mmc Group Policy snapin and select "other computer". In local GP
go to user configuration/administrative templates/system where you can
populate the disallowed Windows Applications list [after reading the full
explanation of the setting]. I would put a minimum of command.com, setup.exe,
and install.exe in that list. You may also want to disable the command
prompt and registry editing while there. Good luck. In extreme cases you may
want to lock the computer down with the "allow only" list of Windows
Applications. That setting FYI will allow a user to logon to a computer and
not do much else if that setting is enabled but no entries are in the
list. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525 --- use GP
to restrict software applications.
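
A way to check that the lists from step 6 actually landed on a machine, as an added example that is not part of the original post: it parses a regedit export of a user's policy keys and reports missing entries and the empty "allow only" case. The export text is constructed, the function names are hypothetical, and `DisallowRun` / `RestrictRun` are the registry value names behind the two policy lists (the thread does not name them).

```python
import re

# Constructed sample of a regedit export of one user's policy keys (not from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="command.com"
"2"="Setup.exe"
'''

EXPLORER = r"software\microsoft\windows\currentversion\policies\explorer"
RECOMMENDED = {"command.com", "setup.exe", "install.exe"}  # minimum list from the post


def parse_reg(text):
    """Return {key path (lowercased, hive removed): {value name: dword int or string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].split("\\", 1)[-1].lower()
            current = keys.setdefault(path, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:  # registry names and file names compare case-insensitively
                current[m.group(1).lower()] = (
                    int(m.group(3), 16) if m.group(3) else m.group(4).lower())
    return keys


def audit(text):
    """List gaps between the exported policy and the settings described in the post."""
    keys = parse_reg(text)
    flags = keys.get(EXPLORER, {})
    findings = []
    denied = set(keys.get(EXPLORER + r"\disallowrun", {}).values())
    if flags.get("disallowrun") != 1:
        findings.append("disallowed-applications list is not enabled")
    else:
        for name in sorted(RECOMMENDED - denied):
            findings.append("not on disallowed list: " + name)
    # An enabled allow-only list with no entries leaves users unable to run programs.
    if flags.get("restrictrun") == 1 and not keys.get(EXPLORER + r"\restrictrun"):
        findings.append("allow-only list enabled with no entries")
    return findings
```

The disallowed list is enforced only for programs started from Windows Explorer, so it complements the permission changes in steps 1 to 3 rather than replacing them.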
 
Michael Johnston [MSFT]

The easiest way to accomplish this is to remove administrative privileges from these users. Remove them from the
Administrators group and Power Users group and they will not have the rights to install apps. This may break some
applications though so you'll need to test thoroughly.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
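
The group check this post describes, as an added example that is not part of the original thread: it parses captured `net localgroup` output from each workstation and lists accounts that should not be in Administrators or Power Users. The computer names, accounts, `ALLOWED` policy and function names are constructed for illustration, and English-language command output is assumed.

```python
# Constructed `net localgroup "<group>"` captures, one per computer and group
# (names are invented for the example; English-language output assumed).
TEMPLATE = """Alias name     {group}
Comment

Members

-------------------------------------------------------------------------------
{members}
The command completed successfully.
"""
CAPTURES = {
    ("PC01", "Administrators"): TEMPLATE.format(
        group="Administrators", members="Administrator\njsmith"),
    ("PC01", "Power Users"): TEMPLATE.format(group="Power Users", members=""),
    ("PC02", "Administrators"): TEMPLATE.format(
        group="Administrators", members="Administrator"),
    ("PC02", "Power Users"): TEMPLATE.format(group="Power Users", members="mbrown"),
}

# Accounts permitted in each privileged local group (assumed site policy).
ALLOWED = {"administrators": {"administrator"}, "power users": set()}


def parse_members(output):
    """Return account names listed between the dashed rule and the status line."""
    names, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            names.append(line)
    return names


def unexpected_members(captures):
    """Return sorted (computer, group, account) tuples that violate ALLOWED."""
    findings = []
    for (computer, group), output in captures.items():
        allowed = ALLOWED.get(group.lower(), set())
        for name in parse_members(output):
            # Local group and account names are case-insensitive on Windows.
            if name.lower() not in allowed:
                findings.append((computer, group, name))
    return sorted(findings)
```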
 
Herb Martin

Some apps don't need any specific permissions or rights,
nor to be formally installed to be effectively installed and
run.

--
Herb Martin
Michael Johnston said:
The easiest way to accomplish this is to remove administrative privileges
from these users. Remove them from the
Administrators group and Power Users group and they will not have the
rights to install apps. This may break some
applications though so you'll need to test thoroughly.

Thank you,
Mike Johnston
Microsoft Network Support
 
Lanwench [MVP - Exchange]

Hotbar!
(I think).

Herb said:
Some apps don't need any specific permissions or rights,
nor to be formally installed to be effectively installed and
run.

 
Lanwench [MVP - Exchange]

Herb said:
"Lanwench [MVP - Exchange]"
The first thing I'd suggest is that you take away their local admin
rights. Do they need such rights to run any of their software?
Also, make sure it's a known company policy that users are *not* to
install anything, and that there will be consequences if they don't
comply. Remind them that this is not their home computer.

I like that -- really -- tell them to STOP THAT!

Well, it may be hard to enforce, but it does need to be part of the official
policy of the company. ;-)
 
Herb Martin

Software restriction policies could be made to work for these.

If you only allow "approved directories" where you do NOT
allow the user to write, and approved APPs in the directories
where users might require write permissions, then you could
probably stop all "unapproved apps."
 
Herb Martin

I like that -- really -- tell them to STOP THAT!
Well, it may be hard to enforce, but it does need to be part of the official
policy of the company. ;-)

I was serious too. That's why I wrote "really" to make sure
that you know I was not being ironic or sarcastic.

Telling users what is proper and improper goes a long way
towards getting them to behave properly. Telling them why,
and making it easy to understand goes even further.

Making it easy to do the "right things" and hard or impossible
to "misbehave" accidentally is then about the best you can do.

--
Herb Martin
 
Lanwench [MVP - Exchange]

Herb said:
I was serious too. That's why I wrote "really" to make sure
that you know I was not being ironic or sarcastic.

Wasn't sure (you forgot your said:
Telling users what is proper and improper goes a long way
towards getting them to behave properly. Telling them why,
and making it easy to understand goes even further.

Making it easy to do the "right things" and hard or impossible
to "misbehave" accidentally is then about the best you can do.

Social engineering, definitely. ;-)
 
Steven L Umbach

Except unless there has been some update I am not aware of [extremely possible] SRP
are not available on W2K. --- Steve

Herb Martin said:
Software restriction policies could be made to work for these.

If you only allow "approved directories" where you do NOT
allow the user to write, and approved APPs in the directories
where users might require write permissions, then you could
probably stop all "unapproved apps."



 
