Re: Policy

From: Sam (sam.security_at_link.net)
Date: 09/13/04 

Date: Mon, 13 Sep 2004 09:33:45 +0300

Thanks a lot

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uvvRnROmEHA.3340@TK2MSFTNGP14.phx.gbl...
> First make sure that the domain users are only in the users account on
their
> workstations which will prevent them from installing most software which
includes any
> packages that need to modify/write files to the program files or system
folder.
>
> You can use Group Policy to further restrict access. For Windows 2000
computers you
> can use the Windows applications restrictions in user
configuration/administrative
> templates/system. Be sure to read the full explanation of those settings.
For the
> disallowed applications it may help to add install.exe and setup.exe to
the list. I
> would also look at disabling the command prompt and registry editing while
there. The
> link below explains one of the settings in more detail.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
>
> For Windows XP Pro, the very powerful Software Restriction Policies can be
used and
> applied via Group Policy. You can use hash, path, and certificate rules
[after
> enabling ] to restrict users from running or installing unauthorized
software
> starting with a disallowed or unrestricted default rule. The default
disallowed rule
> will allow users to logon to the computer and not much else except
possibly running
> the executable binaries in the system root folder that can be further
restricted. See
> the link below for more info on SRP. --- Steve
>
>
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>
> "Sam" <sam.security@link.net> wrote in message
> news:Ok3OT1KmEHA.704@TK2MSFTNGP09.phx.gbl...
> > How can I set up a policy that says no user has the right to install or
> > remove programs ?? but I don't want to go on each workstation and do it
I
> > need to apply it from the server.
> > I am using windows 2003 server and XP, windows 2000 clients.
> > Thanks
> >
> >
> >
>
>

Relevant Pages

  • Re: Windows clock
    ... For XP Pro, this can be restricted via the Group Policy Editor. ... Go to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. ... you would have to restrict access to the TIMEDATE.CPL application. ...
    (microsoft.public.windowsxp.newusers)
  • Re: Policy
    ... workstations which will prevent them from installing most software which includes any ... You can use Group Policy to further restrict access. ... For Windows 2000 computers you ...
    (microsoft.public.windows.server.security)
  • Re: Help with Policys
    ... > If these users logon to Windows XP Pro computers then you can use Software ... > Organizational Unit with it's own Group Policy linked to it and configure ... I would like to restrict this group from being able to ... >>install programs on the workstation, ...
    (microsoft.public.windows.group_policy)
  • Re: Re: Redirecting Word docs in group policy
    ... >>Hi, That is a good idea, but we restrict the C: ... I use Folder Redirection in Group Policy to "redirect" ... > This only works for Windows 2000 or Windows XP clients in an Active ... > I found this was the best way to make sure my users were saving on the ...
    (microsoft.public.win2000.group_policy)
  • Re: Restricting installations
    ... You can restrict these programs using the registry. ... Restrict Users from Running Specific Applications (Windows 2000/Me/XP): ... > there anyway to stop them from installing any software. ...
    (microsoft.public.windowsxp.security_admin)