Prevent Administrators from Installing programs

  • Thread starter Thread starter James
  • Start date Start date
J

James

Ok, I have a stupid program that only seems to work when your using a
windows 2000 administrator account. So I put the user in the administrators
group, then I create another group, and apply some group policy settings to
it. I found a disable windows installer, but it still lets the user install
programs. Is there somethign I can do to keep the user in the admin group,
but prevent the install of programs?
running windows 2000 server

Thanks
 
Ok, I have a stupid program that only seems to work when your using a
windows 2000 administrator account. So I put the user in the administrators
group, then I create another group, and apply some group policy settings to
it. I found a disable windows installer, but it still lets the user install
programs. Is there somethign I can do to keep the user in the admin group,
but prevent the install of programs?
running windows 2000 server

Thanks
Click to expand...
No.

Your stupid program probably on needs permissions on some registry keys to work.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
James,

Not sure that it is possible to do what you are asking. I mean, think about
this for a second. If the domain user account object is a member of the
local computer's Administrators group then the domain user account object is
a local Administrator. As such, it can do everything and go everywhere.

What you might want to consider is to go to http://www.sysinternals.com and
look at regmon and filemon. These two utilities will allow you to determine
where the problems are ( such as the domain user account object not having
the necessary permissions to such and such a folder or registry key ). Then
you can fix it.....

Then, remove the domain user account objects from being members of the local
computer Administrators group.

HTH,

Cary
 
hey that worked great, thanks a lot!

Cary Shultz said:
James,

Not sure that it is possible to do what you are asking. I mean, think
about
this for a second. If the domain user account object is a member of the
local computer's Administrators group then the domain user account object
is
a local Administrator. As such, it can do everything and go everywhere.

What you might want to consider is to go to http://www.sysinternals.com
and
look at regmon and filemon. These two utilities will allow you to
determine
where the problems are ( such as the domain user account object not having
the necessary permissions to such and such a folder or registry key ).
Then
you can fix it.....

Then, remove the domain user account objects from being members of the
local
computer Administrators group.

HTH,

Cary
Click to expand...
 
Back
Top