XP SP2 --- How to prevent users from installing it?

[Fred Yarbrough]

We are concerned that some of our corporate users will download XP SP2 when
it comes out and screw up their machines. Who knows what applications will
be broken when it is installed. I am wondering if there is some way to
prevent our users from downloading SP2 before we can test it? I guess that
we could send out an "All Hands Email Bulletin" warning users to wait before
installing it so that our IT department can thoroughly test it. Is anyone
else out there thinking along these paranoid lines too?


Thanks,
Fred

 

[David Candy]

Speak to you network administrator. On a normal corporate network they would be unable to install it.

 

[Testy]

Lots IBM has informed all its employees NOT to install it for one and others
have concerns too read here:
http://channelzone.ziffdavis.com/article2/0,1759,1632395,00.asp

Testy

 

[Fred Yarbrough]

I am the network administrator.

Fred


Speak to you network administrator. On a normal corporate network they would
be unable to install it.

 

[David Candy]

Why would you think they can install it? What have YOU done to allow it.

 

[Fred Yarbrough]

Let me extrapolate. We do not enforce restrictive policies on our users. I
wish that we could, but our business is comprised of engineers, scientists,
and programmers that must have administrative privileges on their local
machines to do their job functions. Most of these guys are very sharp and
that is what concerns me


Thanks,
Fred.

 

[David Candy]

Well you need to set restrictive policies. You can set the SP2 filename and prevent it from running. But admins can do anything. If they are admins they can get around any restrictions anyway. If I worked there you couldn't stop me installing it, just make it hard to.

I would set a local password for the local admin account that only I know (if they are a local admin you can't stop them without stopping yourself). I would put all admins but me in one OU, and block at that level (but they can unblock themselves), I would then block them from changing the GP. But they can still override their local registry where it ends up, so you'd have to block them there to. You can still get around it but by know it really should be a sackable offense as breaching the core network security is a no-no.

Sack em if they do it, or make it a condition - if you break, you fix - without IT/IS help (that would be effective, imagining wanting to go home at 5pm on friday but you have to install XP then SP1, and then all your apps before you are allowed to).

 

[Rick \Nutcase\ Rogers]

Hi,

If you are going to allow them to run with local admin priviledges, then all
you can do is send out a warning not to install it. Then hope that they
listen.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org

 

[Mike Kolitz]

Hi Fred,

I can understand what you're saying. We've got some users on our network
that have local authority to install software (not that we really like
that...). I would go with sending out an e-mail blast explaining the
reasons why they should not install it for now. Assuming these guys are as
sharp as you say, they should understand the risks involved, especially if
you provide a few good reasons.

 

[David Candy]

Make em power users, they can install software.

 

[V Green]

Let me extrapolate. We do not enforce restrictive policies on our users. I
wish that we could, but our business is comprised of engineers, scientists,
and programmers that must have administrative privileges on their local
machines to do their job functions. Most of these guys are very sharp and
that is what concerns me

Geezus, is this a business or a nursery school?

If they're as "sharp" as you say,
then THEY can take FULL responsibility and FIX their
own broken workstations when they screw them up.

Good lord, just lock them outta the Windows Update site
in your firewall ( you do have one, right? - or does that
"interfere" with their cognitive abilities?)! They can still bring
it in on a CD, but you can lock that down as well.

The network is (apparently) YOUR responsibility and YOUR a$$
will be on the line if these doofuses hose it up.

It's time to kick some engineer, scientist and programmer butt
and have a written policy regarding installation of software YOU
have not personally approved (as the Donald would say -
"You're fired.").

That's the way it works in the REAL world...

Either get tough, or get some SERIOUS drugs.

You're gonna need 'em.

 

[Fred Yarbrough]

Worse, these are government contractors. I am trying to implement some
subtle control over their machines but our upper management is very
sensitive to disrupting their business. I simply do not have upper
management's support on this.


Thanks,
Fred

 

[Courtney]

I am the network administrator.

Fred


Speak to you network administrator. On a normal corporate network they would
be unable to install it.

You can prevent it with a GPO. But, for what it's worth, it doesn't break
anything. However, it does enable the firewall by default (you can disable it
through the GPO), but disabling it solves any problems with software firewalls.

When installed, the program also checks for antivirus software, but, curiously,
although it can detect Symantec AntiVirus, it can't determine its state.
Therefore, it will complain that the software status is indetermined. You can
disable the detection when it complains.

Popup blocking is enabled (by default) in IE. I haven't detected any changes in
OE, though.

So far (last 12 hours), the service pack hasn't caused any problems.

courtney sends....

 

[Mike Kolitz]

We've tried all that David. Trust me, we've done our homework on this one.

--
Mike Kolitz MCSE 2000
MS-MVP - Windows Setup / Deployment


Make em power users, they can install software.

 

[Bruce]

Geezus, is this a business or a nursery school?

If they're as "sharp" as you say,
then THEY can take FULL responsibility and FIX their
own broken workstations when they screw them up.

Good lord, just lock them outta the Windows Update site
in your firewall ( you do have one, right? - or does that
"interfere" with their cognitive abilities?)! They can still bring
it in on a CD, but you can lock that down as well.

The network is (apparently) YOUR responsibility and YOUR a$$
will be on the line if these doofuses hose it up.

It's time to kick some engineer, scientist and programmer butt
and have a written policy regarding installation of software YOU
have not personally approved (as the Donald would say -
"You're fired.").

That's the way it works in the REAL world...

But, we're not dealing with the REAL world in situations like this. I work
in a similar environment. Pure research, some development, and we all have
admin rights. Even secretaries have admin rights. Management wants it
that way, but it drives our IT department nuts.

Scientists, researchers, and engineers are our bread and butter, and we
just don't go around locking users out of the Windows Update site. They're
coddled. If we treated them like you suggest, they'd walk, and our
business would fold.

"It's time to kick some engineer, scientist and programmer butt..."
Please, Vince, they run the show in this case, and people like you are just
functionaries, a dime a dozen.

 

[Colin Nash [MVP]]

It's pretty harmless for most home users but many businesses have "Line of
Business" applications that were written specifically for that company and
were only ever tested on that one platform. So if that platform changes,
who knows what could happen. Ironically, web-based applications have become
popular to increase 'portability' but with the new changes to IE, some of
the weird things that these apps were programmed to in IE do might not work
anymore.

 

[Guest]

This is paranoia at it's worst. First of all the SP2 has been undergoing
testing for months now and is the best and safest that it can be. That being
said there are inherent risks in even getting out of bed in the morning.
Quite honestly this is what backup programs are for. Have each of them do a
complete backup to disks and then should you have problems immediately after
install you have a restore available. Not hard really. I gather you wouldn't
consider hang gliding or parachuting ? {:~)

 

[Ron AG]

Do you really think SP2 will conflict with any programs? If they are working
fine with SP1 now, I bet you won't experience any problems in SP2 at all.

 

[Guest]

To turn off Automatic Updates
Open System, and then click the Automatic Updates tab.
– or –
If you are running Windows 2000, click Start, point to Settings, click
Control Panel, and then double-click Automatic Updates.
Ensure Automatic is de-selected.

 

[Guest]

Another method for prevention of the download is to BLOCK access to the URL
with your Firewall or any other access control applications that you may have.

No access - no download - no SP2