Re: restricting software installation

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 07/28/05 

Date: Wed, 27 Jul 2005 19:49:30 -0700

Nathan is correct, that if you client machines are XP at a relatively
native state as per initial install, then just making the domain users
log in as on Users group members will go a long way to restricting
their install capabilities (not stop it totally however).
The main vehicle today to go the next step is the same software
restriction policies you have been trying. Just take a machine in
a new test OU, a test domain user account also in the OU, and
evolve your software restrictions in a new GPO that is linked to
that test OU. When you get the desired result, link the GPO to
the OU that holds the real client machines. 

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
<param@community.nospam> wrote in message 
news:O4Rd7HskFHA.1996@TK2MSFTNGP10.phx.gbl...
> Hi all,
>
> We run a single Server 2003 domain running on SBS2003. What I want to do 
> is restrict users from installing programs on their machine. If they want 
> to install a program they would have to call an Admin to do it. Ideally, 
> it would be nice if I can have an approved list of programs that they can 
> install, and anything not in the list they would have to contact an admin. 
> Any suggestions/best practices on this? I have tried messing with the 
> Software Restriction Policies in the gpedit tool, but that ended up giving 
> all kinds of errors on the machines including error messages when Outlook 
> was opened. Probably because of Adobe Professional plugins that get 
> installed into Outlook & Office products.
>
> thanks!
>

Relevant Pages

  • Re: restricting software installation
    ... How would I go about setting up an OU and will that new OU disrupt my SBS ... > native state as per initial install, then just making the domain users ... > their install capabilities. ... > the OU that holds the real client machines. ...
    (microsoft.public.windows.server.security)
  • Group Policy Help
    ... I run an AD domain with windows server 200 and all xp client machines. ... I'm trying to set-up group policy objects that install software and run ...
    (microsoft.public.windows.server.general)
  • Re: Simple way to how domain users log on as restricted users?
    ... restricted users, or is there more than this software install ... Some software will install as users for use by the ... machines using NTFS? ... >>This makes all members of Domain Users local restricted ...
    (microsoft.public.windowsxp.security_admin)
  • auto update and non-admin login
    ... I have the auto update set to download and install on my client machines. ...
    (microsoft.public.windowsupdate)
  • test lab set-up
    ... We are about to install 2 linux machines in ... a 'test lab' in order to enhance knowledge and experience and would like to ... and DHCP.- to enable the client machines to run network ... We expect to increase the no of client machines. ...
    (Security-Basics)