RE: How to block users from installing other apps

From: Harley, Chay (Chay.Harley_at_kbcfp.com)
Date: 06/27/03

  • Next message: Dirk Wierdemann: "Limiting the creation of new files to specific types." 
    Date: Fri, 27 Jun 2003 14:13:35 +0900
To: "Jane Han" <janehan22@yahoo.com>, <focus-ms@securityfocus.com>

    Jane,

    The easiest way to fix this, is:

    1) run mmc (as the local admin)
    2) add/remove snap in
    3) add security configuration and analysis
    4) right-click on "sec...config... etc", and say "open database"
    5) create a tmp.sdb database (anywhere is fine)
    6) after that, you're prompted which template to apply - select compatws.inf (compatible workstation)
    7) Right-click on "sec...config...etc" and say "configure workstation"

    When it's finished, test it's fine by taking away the local admin rights, and see if you can run the in-house applications, but not as a local admin.

    You can automate this by using secedit to apply this template on all workstations via the login script (or however you deploy things, i.e.: Group Policy, etc.)

    Hope this helps.

    Chay Harley
    MCSE+I

    -----Original Message-----
    From: Jane Han [mailto:janehan22@yahoo.com]
    Sent: Thursday, 26 June 2003 5:22 AM
    To: focus-ms@securityfocus.com
    Subject: How to block users from installing other apps

    Due to several customized inhouse applications, the
    users need to be local aministrator to lauch the
    applications.  Since most users are local
    admin, they can download and install applications such
    as games, AOL instant messages...from internet. 

    Is it possible to block users from installing
    applications through Group Policy in this case?  or
    disable internet explorer?

    Any solutions or suggestions?

    Thanks in advance,
    Jane

    __________________________________
    Do you Yahoo!?
    SBC Yahoo! DSL - Now only $29.95 per month!
    http://sbc.yahoo.com

    -----------------------------------------------------------------------------
    ------------------------------------------------------------------------------

    -----------------------------------------------------------------------------
    ------------------------------------------------------------------------------

  • Next message: Dirk Wierdemann: "Limiting the creation of new files to specific types."

    Relevant Pages

    • RE: How to block users from installing other apps
      ... How to block users from installing other apps ... and add their domain account to the local admin group. ...
      (Focus-Microsoft)
    • RE: How to block users from installing other apps
      ... How about a locked down / minimal Terminal Server with Local Admin ... How to block users from installing other apps ... Due to several customized inhouse applications, ...
      (Focus-Microsoft)
    • Re: Add the loged in user to the local admin group during logon pr
      ... This was something my predecessor implemented because one of the applications running on the users desktop requires local admin. ... users only logginto their own workstaion so there is no risk to haev soembody logging to someone else workstation. ... This way you only need to change the membership of the group when a new account is created or when someone else needs access. ... I'd probably give the group a name that matches the application and perhaps change the access permissions for the applications folder/files so that only members of that group are even allowed access to the application. ...
      (microsoft.public.scripting.vbscript)
    • GP settings for Windows Firewall?
      ... We are just migrating to Win2003 and are now joining all these workgroup ... workstations to the domain. ... admins and then not able to "unblock" the applications. ... without giving them local admin? ...
      (microsoft.public.windows.group_policy)
    • Re: Local Administrators
      ... It depends on the applications that are running on those computers. ... bottom line is, if they don't need to be in the local admin group, don't put ... Some months ago I inquired need to make sbs 2003 users administrators of ... machine or may not allow to install at all. ...
      (microsoft.public.windows.server.sbs)
    • Quantcast