GPO Software Restriction

  • Thread starter Thread starter Luca Rossi
  • Start date Start date
L

Luca Rossi

Guest
Hi to all, i 've a qestion regarding the software installation policy.

We have a Windows Server 2003 Active Directory domain, and XP Pro clients.
On the clients the users owner of the pc is inserted in the local admin
group, this because we have some procedures that does not work as normal
user o power user....
Can we prevent this type of users to install software ? Or can we enable
only a specific domain admin account (or group) to install software ?

Thanks in advance
Regards
Luca
 
Re: GPO Software Restriction

Hello Luca,

If the user is local admin she/he can do anything on the local machine. Better
try to figure out with process monitor what additional rights are needed
to run the software as normal user, so there is no need to be local admin.
But keep in mind, there will be a lot of software that you can run/install
without being local admin.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi to all, i 've a qestion regarding the software installation policy.
>
> We have a Windows Server 2003 Active Directory domain, and XP Pro
> clients.
> On the clients the users owner of the pc is inserted in the local
> admin
> group, this because we have some procedures that does not work as
> normal
> user o power user....
> Can we prevent this type of users to install software ? Or can we
> enable
> only a specific domain admin account (or group) to install software ?
> Thanks in advance
> Regards
> Luca
 
Re: GPO Software Restriction

Windows Server 2003 and later do have software restriction policy but it is
very difficult to implement.
When your local user is local admin, then there is no way to stop this
person from installing software and reconfiguring his/her computer.

I have no problem with users being local admins, but you must have some
policies enforced in your company. This is, however, responsibility of the
higher management and you must win their sponsorship when it comes to
security procedures.

In plain words, it's like traffic control. You can speed and violate traffic
rules, but when you are caught, you will pay.


"Luca Rossi" <sistemi@alervarese.it> wrote in message
news:OMQmLqlEJHA.4488@TK2MSFTNGP04.phx.gbl...
> Hi to all, i 've a qestion regarding the software installation policy.
>
> We have a Windows Server 2003 Active Directory domain, and XP Pro clients.
> On the clients the users owner of the pc is inserted in the local admin
> group, this because we have some procedures that does not work as normal
> user o power user....
> Can we prevent this type of users to install software ? Or can we enable
> only a specific domain admin account (or group) to install software ?
>
> Thanks in advance
> Regards
> Luca
 

Similar threads

A
IIS Admin Service unable to start - How and Why it can happen?
Replies
0
Views
246
ashfana
A
D
Windows Defender Antimalware Platform 4.18.2101.4-0 causes problems with group policy and Active Directory MMC add-in.
Replies
0
Views
142
D4rtual
D
K
Windows 10 Pushing software via GPO fails unless on network and rebooted twice.
Replies
0
Views
181
KJSTech1
K
S
Windows 10 Issue creating desktop shortcut thru GPO (AD, Windows 10 workstations)
Replies
0
Views
243
SteveBinReno
S
A
Windows 7 Phone and Modem Option
Replies
0
Views
385
Anti95
A
Back
Top