How to limit software installation to Admins only?

[Alex Moratorio]

Hi all-
I'm relatively new to AD - but I have a need that will
save me dozens of hours of time if AD can accomplish
this. I have approximately 200 workstations in our 7
offices. Some have domain users setup as local Admin
users. I need to be able to disable all users (Except
Domain admins) ability to install software - is this
possible? Or will I have to go to each PC and remove
them from the local Admin group?
Thanks!
Alex

 

[Matjaz Ladava [MVP]]

local Admin right I a powerful right and such gives your user ability to
install software. there are some policies you could use, but they can be
bypassed. The best thing to do is to look into Restricted groups, which can
centrally govern which groups or users can be local Admin without visiting
each machine.

--

Regards
Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)

 

[RSP]

Did you manually add them to the Power Users Group to
install software?

 

[Chriss3]

Hi there Alex.

I suppose you can do this by assign a logon script within a Group Policy.
i'm also suppose you can do this with the built in policy
Restricted Groups
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

More information about Restricted Groups:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/141.asp


HOW TO: Assign Scripts in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;322241

On error resume next
Dim net, DomainString, UserString, UserObj

set net = Wscript.CreateObject("Wscript.Network")

strComputer = "."
DomainString = net.UserDomain
UserString = net.UserName


Set objDomainUser = GetObject("WinNT://" & DomainString & "/" & UserString)


For Each ObjGroup In UserObj.Groups
Select Case GroupObj.Name

Case "Domain Users"



Set objLocalGroup = GetObject("WinNT://" & strComputer &
"/Administrators,group")
objGroup.Add(objDomainUser.ADsPath)

End Select
Next


--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was help full, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1

 

[tfallon]

You can accomplish this through the use of GPO's (Group Policies)Ther
are several different ways to do this, such as HIDE programs from user
and / or their ability to interact with the file system (ie. instal
new programs , limit the user from changing graphics drivers etc. Yo
can take away programs like their ability to use/see RUN for instance
Network Neighborhood to name a few.) I suggest you read a good doc o
Group Policy and Using the GPO editor --called GPE....Try this one....

http://www.oreilly.com/catalog/win2000ads/chapter/ch08.html

*Did you manually add them to the Power Users Group to
install software?

-
tfallo

 

[Alex]

Thanks for pointing me in the right direction - I'll be
reading up on Restricted Groups this week!
Cheers!
Alex

 

[Alex]

Yes, they were manually added to Admin and Power User
local groups.