Re: Can I use Group Policy to deny software installation?

From: Julian Dragut (julianmd_at_groups.com)
Date: 06/02/05 

Date: Thu, 02 Jun 2005 15:51:50 GMT

Correct,

In AD's GPO you have the option to restrict what software should be run.
There's very long (time consuming) and trial-and-error path, but is seems
to be your choice given your case.

As Roger said, restrict all but what you need for normal operations.

Julian

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:upQDSXmZFHA.1152@tk2msftngp13.phx.gbl...
> In general the answer is, I believe, going to be no, there is no way.
> This is because there is no one or few "choke points" through which
> all "installs" must pass. For example, preventing the code behind a
> msi install will have no impact on an exe install that does not use the
> Windows installer technology. In the worse case, some software
> requires only to be run, hence may be "install" merely by copying it
> onto the disk. You could start down the path of stopping this and
> that form of install, but you would never reach complete coverage.
> There is a specification for user installable applications which when
> installed by a limited users will install for use by that user. There is
> specification for drag-and-drop install. Etc.
>
> You may need to look at positive software restriction (whitelisting)
> instead of negetive (blacklisting), that is, to look at denying all except
> for the specifically allowed.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "B. Meincke" <garyallan@highschool.ca> wrote in message
> news:2501FC78-C838-44BC-ACC4-CB9B3CADDB5A@microsoft.com...
> > I have done some research and found (and implimented...thank you again,
> > Steven) ways to deny student users under our domain to launch certain
> > installed software, but is there some way (a domain-level group policy,
> > perhaps) that I can keep them downloading/installing certain programs in
> the
> > first place?
> >
> > Also, how might this impact their ability to use key drives under
Windows
> > 2000/2K?
> >
> > Thank you in advance for any insight in this matter.
> > --
> > BJM
> > ACE Assistant
> > Gary Allan High School
>
>

Relevant Pages

  • Re: What Linux distro to use for old Intel machine, that fits on CDs?
    ... faster download speeds from this site". ... click install is what you want then either the Fedora 9 or Ubuntu Live CDs ... if LiveCD supports a dialup modem, ... I'll just reinstall Windows 2000 on this old system and maybe restrict ...
    (comp.os.linux.misc)
  • Re: Novell hits homerun
    ... should keep Novell from being sued by someone in the entertainment industry. ... If you write s..t, write shit, or don't write it at all. ... In no way doe SUSE attempt to restrict you to install anything. ...
    (alt.os.linux.suse)
  • Re: Restrict Install Privelidges
    ... Moving them to a different group will restrict their ... abilities to install infected garbage. ... install useful apps, ... Sounds like moving the users into different groups is the solution to your ...
    (microsoft.public.win2000.security)
  • Re: Novell hits homerun
    ... That attempt is a crock of s..t but should keep Novell from being sued by someone in the entertainment industry. ... In no way doe SUSE attempt to restrict you to install anything. ... I have tried several times to install video players, including following the directions given in other posts, and it has never worked, even when it completed the install successfully - it still would not open most small videos freely available on the web and not at all related to DVD. ... a few minutes ago and used their process to send additional letters. ...
    (alt.os.linux.suse)