Re: Policy

From: Sal-ICA (Sal-ICA_at_discussions.microsoft.com)
Date: 09/23/04 

Date: Thu, 23 Sep 2004 13:43:16 -0700

Steven,

I trying to do the same thing Sam is but in a NT 4.0 workstation
environment. Can it be done?

"Steven L Umbach" wrote:

> First make sure that the domain users are only in the users account on their
> workstations which will prevent them from installing most software which includes any
> packages that need to modify/write files to the program files or system folder.
>
> You can use Group Policy to further restrict access. For Windows 2000 computers you
> can use the Windows applications restrictions in user configuration/administrative
> templates/system. Be sure to read the full explanation of those settings. For the
> disallowed applications it may help to add install.exe and setup.exe to the list. I
> would also look at disabling the command prompt and registry editing while there. The
> link below explains one of the settings in more detail.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
>
> For Windows XP Pro, the very powerful Software Restriction Policies can be used and
> applied via Group Policy. You can use hash, path, and certificate rules [after
> enabling ] to restrict users from running or installing unauthorized software
> starting with a disallowed or unrestricted default rule. The default disallowed rule
> will allow users to logon to the computer and not much else except possibly running
> the executable binaries in the system root folder that can be further restricted. See
> the link below for more info on SRP. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>
> "Sam" <sam.security@link.net> wrote in message
> news:Ok3OT1KmEHA.704@TK2MSFTNGP09.phx.gbl...
> > How can I set up a policy that says no user has the right to install or
> > remove programs ?? but I don't want to go on each workstation and do it I
> > need to apply it from the server.
> > I am using windows 2003 server and XP, windows 2000 clients.
> > Thanks
> >
> >
> >
>
>
>

Relevant Pages

  • RE: Remote Assistance not working
    ... Windows XP workstation. ... Only Windows XP OS and Windows 2003 have the remote assistance ... Start the Microsoft Management Console Group Policy snap-in. ...
    (microsoft.public.windows.server.sbs)
  • Re: Windows clock
    ... For XP Pro, this can be restricted via the Group Policy Editor. ... Go to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. ... you would have to restrict access to the TIMEDATE.CPL application. ...
    (microsoft.public.windowsxp.newusers)
  • Local Group Policy Not working in Windows 2003
    ... I have a windows 2003 server that was upgraded from NT. ... Now we have decided to upgrade the workstation to ... Our local group policy does not work. ...
    (microsoft.public.windows.group_policy)
  • Re: File permissions - AD Group Policy
    ... > We are attempting to lock down USB storage in Windows XP. ... > Group Policy in AD specifically restricting access to these two files. ... > Controller by applying policy? ...
    (microsoft.public.win2000.group_policy)
  • Re: Help with Policys
    ... > If these users logon to Windows XP Pro computers then you can use Software ... > Organizational Unit with it's own Group Policy linked to it and configure ... I would like to restrict this group from being able to ... >>install programs on the workstation, ...
    (microsoft.public.windows.group_policy)