RE: Prevent users/admin from installing softwares.



Let's not forget how easy it is to circumvent the application of Group Policy:

1) Unjoin the computer from the domain, reboot, install your software, rejoin.
2) Reboot the computer and remove the network tap so GPOs aren't pulled down. Install your software. Put the network tap back in.

--
Devin L. Ganger, Exchange MVP Email: deving@xxxxxxxxxx
3Sharp LLC Phone: 425.882.1032
14700 NE 95th Suite 210 Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Gregory N Pendergast/AC/VCU
Sent: Thursday, February 22, 2007 1:53 PM
To: Rocky
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Prevent users/admin from installing softwares.


To my knowledge, there's no built-in way to directly prevent the
administrator from installing software. However, you can use Software
Restriction Policies (Group Policy Editor > Computer Configuration >
Windows Settings > Security > Software Restriction Policies) to limit
software execution so that software only runs from a set of predefined
paths. By limiting the paths from which software can execute, you may be
able to severely-limit an Administrator's ability to install software.
However, there are obvious problems with this:

1) If you're setting this in Local Group Policy (as opposed to
Domain-level), the Local Administrator can easily remove the Software
Restriction Policies
2) The obvious "hack" is to copy your installation file to a path where
software is permitted to execute, then to install said software to a
permitted location. Whether this is an acceptable risk depends on the
cleverness of your administrators and the sensitivity of your systems.

Beyond this, I don't personally know of a solution that doesn't involve
3rd party software.

Good luck,
Greg Pendergast

-----listbounce@xxxxxxxxxxxxxxxxx wrote: -----


To: focus-ms@xxxxxxxxxxxxxxxxx
From: Rocky <pixscreenpoint@xxxxxxxxx>
Sent by: listbounce@xxxxxxxxxxxxxxxxx
Date: 02/22/2007 07:51AM
Subject: Prevent users/admin from installing softwares.

Hey Guys,

Is there a way to restrict everyone including adminisrator rights
from installing softwares in xp pro? It should be done on registry
or gpedit?

we don't want to use 3rd party softwares like winguard.

Thanks a lot!



Relevant Pages

  • Re: Homepage defaults to MSN at random
    ... In addition to updating and running your AV, download, install and run the programs below in Safe Mode with Hidden Files enabled. ... CastleCops HiJackThis Forum ... The IE start page is locked via group policy, end users cannot change it, ... > rather than at the intranet site specified in Group Policy. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: User in two groups Admin and Power User
    ... it looks like the Group Policy doesn't allow the local ... Power Users / Administrators to install that particular software. ... | In this case, the user account was a domain account, and I believe my ... |> on to the local machine, as a local administrator can install ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Windows Update Error on XP 64bit: update is redirected from v6
    ... I stopped it, did a cold boot, and afterward tried windows update, but still ... This was a fresh install on a new hd and has been extremely stable .. ... Proxycfg settings WORKED. ... Microsoft Windows 2000 Operating System Group Policy Result tool ...
    (microsoft.public.windowsupdate)
  • Re: Windows Update Error on XP 64bit: update is redirected from v6
    ... In order to enable AHCI without reinstalling windows I had to pull ... under 'Reset the default security provider in Windows XP '. ... was this a clean reinstall of XP or a Repair Install? ... Microsoft Windows 2000 Operating System Group Policy Result tool ...
    (microsoft.public.windowsupdate)
  • Re: Advanced Client Installations on Restricted W2K machines
    ... Add the group policy snap in to MMC then choose default domain policy. ... client and will need to re-direct the source file resolution to that source. ... >> user to launch the SMS client installation as an administrative user. ... >>> the equation and install the SMS client via login scripts, ...
    (microsoft.public.sms.admin)