Re: Prevent users from installing software
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/29/05
- Next message: Steven L Umbach: "Re: Security Event Log madness."
- Previous message: Steven L Umbach: "Re: Event ID 577 & 578 are filling Security Event Logs"
- In reply to: Sandip: "Prevent users from installing software"
- Next in thread: Sandip: "Re: Prevent users from installing software"
- Reply: Sandip: "Re: Prevent users from installing software"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Apr 2005 17:04:41 -0500
First off it is extremely difficult to restrict an administrator and you
should do everything you can including modifying permissions for
applications so that they do not need to be an administrator to do such.
Having said that you are somewhat in luck. Windows XP Pro has a feature
called Software Restriction Policies that can be used to restrict what
applications a user can install or run with hash, certificate, and path
rules. In high security situations you can start with a default disallowed
security level and then create rules for what the user is allowed to run. If
you do such keep in mind that desktop shortcuts are considered restricted
under SRP.
You can manage SRP for computer configuration in a Windows 2000 domain for
XP Pro computers. SRP also has an enforcement rule that can apply SRP to
local administrators. Note however that local administrators can bypass SRP
by booting into safe mode so beware of that. An additional possibility is to
use Group Policy user configuration/administrative templates/system and add
setup.exe and install.exe to the disallowed Windows applications list though
that is not near as effective as SRP. The links below should help. ---
Steve
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
http://support.microsoft.com/default.aspx?kbid=842933 --- install this
patch FIRST on domain controllers.
"Sandip" <Sandip@discussions.microsoft.com> wrote in message
news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
> Hi All,
>
> How can I use the GP on a W2k DC to stop users from installing software
> when
> the users is part of the local Administrators group?
>
> I have been able to stop software from being installed which uses the
> Windows Installer using the GP setting under :-
>
> User Config\Admin Templates\ Windows Installer\Disable media source for
> any
> install (enabled)
>
> But with other software I have not been able to. The client PC's are on
> Windows XP SP2
>
> I really need help on this issuse. Thanks for taking time to read and
> provide feedback to this problem.
>
> Thanks
>
> Sandip
- Next message: Steven L Umbach: "Re: Security Event Log madness."
- Previous message: Steven L Umbach: "Re: Event ID 577 & 578 are filling Security Event Logs"
- In reply to: Sandip: "Prevent users from installing software"
- Next in thread: Sandip: "Re: Prevent users from installing software"
- Reply: Sandip: "Re: Prevent users from installing software"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
