Re: Prevent users from installing software

From: Ed Thurber (user@mail.com)
Date: 03/17/03


From: "Ed Thurber" <user@mail.com>
Date: Mon, 17 Mar 2003 08:32:10 -0500


Just take them (the users) out of the admin group. Unless you have
extenuating circumstances, you should really think hard about giving any
"user" local admin rights. By having the users run with restricted rights,
you are not only eliminating the ability to install, you also GREATLY reduce
the amount of damage that a virus can do. Most viruses run in the security
context of the currently logged-in user. If that user has admin rights, the
virus can destroy just about anything it wants to. You don't have to worry
about the user's profile changing. The reason that you got a new desktop was
because you created a new user. Just changing the user's group membership
will not affect the user's profile.

If your admins need to install software, just have them use the runas
functionality. With few exceptions, you can install software in the context
of an admin without having to log the current user out. About the only
thing I have not been able to do with runas is install local direct IP
printers, and USB devices.

Hope this helps.

Ed Thurber

"Mike" <Reply@Newsgroup.nogo> wrote in message
news:uxD27JC7CHA.2940@TK2MSFTNGP11.phx.gbl...
> Thanks for the replies, folks. I tried setting up a new user here on my home
> machine running W2K, and did see that you could restrict installations and
> customize other permissions.
> For the administrator or power user to install apps, it should be as simple
> as logging off and logging on as one of them to install the software, and
> then logging back in as whichever user, correct?
> Also I noticed that a lot of my desktop icons disappeared when I logged in
> as this new user. I'm planning on doing this on three of the PCs on this
> network, all of which the users have been logging on with administrative
> rights.
> Is there a simple way of retaining their desktop and user preferences,
> favorites, email and the like?
>
>
> "Tony Sheppard" <grumbledook@mac.com> wrote in message
> news:b530b4$25338r$1@ID-155810.news.dfncis.de...
> >
> > "KR" <kreal@concentric.net> wrote in message
> > news:gZ6da.64882$gi1.41347@nwrdny02.gnilink.net...
> > > "Mike" <Reply@Newsgroup.nogo> wrote in message
> > > news:#jw5yr#6CHA.2328@TK2MSFTNGP10.phx.gbl...
> > > > Can anyone tell me how to prevent certain users from installing new
> > > > software on their computers.
> > > > All networked PCs are running W2K Pro. I would still want to allow
> > > > Administrators to install software if need be.
> > > >
> > > Hope this helps
> > >
> > > If your clients are running Windows XP, you can also consider using
> > > Software Restriction Policies, which allow you to effectively block
> > > anything from running except approved programs. This is much more
> > > foolproof than the above method, but isn't available for Windows 2000
> > > clients.
> > >
> > Yes it is, can't remember the exact section of the GPO but this has been
> > available in one form or another since W95. I will endeavour to track down
> > the exact policy unless someone comes up with it beforehand.
> >
> > Because we have such a large number of apps installed we cannot do it this
> > way and have to make do just blocking certain things instead, usually
> > setup.exe, wssetup.exe, install.exe and so on .... we have tried it with a
> > few .msi files too but had problems with software we publish in the group
> > policies, so have left them out at the moment.
> >
> > HTH
> >
> > Tony Sheppard
> >
> >
>
>
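
The group change recommended in the reply above, as an added example that is not part of the original thread: a cmd script that moves named accounts from the local Administrators group to Users and then lists who is still an administrator. The script name demote.cmd and the account names passed to it are assumptions; it has to be run from an administrator prompt.

```batch
@echo off
rem Added example, not from the thread.
rem Usage: demote.cmd [/apply] account1 [account2 ...]
rem Without /apply it only reports what it would change (dry run).
rem Run it from an administrator prompt, e.g. one opened with:
rem   runas /user:%COMPUTERNAME%\Administrator cmd
setlocal
set "APPLY=0"
if /i "%~1"=="/apply" (set "APPLY=1" & shift)
if "%~1"=="" (
    echo Usage: demote.cmd [/apply] account [account ...]
    goto :eof
)

:next
if "%~1"=="" goto report
rem Never demote the built-in Administrator account by mistake.
if /i "%~1"=="Administrator" (
    echo Skipping built-in Administrator
    shift
    goto next
)
if "%APPLY%"=="0" (
    echo [dry run] would add "%~1" to Users and remove it from Administrators
) else (
    rem Add to Users first so the account always keeps a normal logon group.
    net localgroup Users "%~1" /add >nul 2>&1
    rem The profile belongs to the account, so it is untouched by this change.
    net localgroup Administrators "%~1" /delete >nul 2>&1
    if errorlevel 1 (
        echo "%~1" was not removed: not a member, or access denied
    ) else (
        echo "%~1" removed from Administrators
    )
)
shift
goto next

:report
echo.
echo Current members of Administrators:
net localgroup Administrators
endlocal
```

Review the final membership list on each PC; any account still shown there keeps full install rights.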


