Prevent user to install software

  • Thread starter: Cahya

Dear,

I want to make all users local administrator members but
want to prevent them from installing new software on their PCs.

What setting do I have to change in GPO?

Thanks,
Cahya
 
Cahya said:
Dear,

I want to make all users local administrator members but
want to prevent them from installing new software on their PCs.

AFAIK that is not possible without some very extreme software restriction
policies (and I'm not even sure that would work).

A Local Administrator is precisely that - They have FULL control over that
machine.

Why do they need to be local admins?
 
Hi Cahya,

why would you want to make them all admins? Once they are made members of
the local Administrator group they own the machine and can do what they
want. Tell us what you want to achieve and we may be able to help.

cheers,
 
Cahya,

As the other two posters have already pointed out, how exactly do you plan
to accomplish something like this? If the domain user account object is a
member of the computer's local Administrators group how do you think that the
domain user account could be prevented from installing software on that
machine? If your domain user account object is a member of the local
Administrators group then you have all of the permissions to the file
directory and registry that are necessary to install software as it is the
permissions to the file directory and registry that are preventing the domain
user account object from installing software in the first place.

I am not sure if you know that by default the Domain Users group is a member
of the Users local group on all WIN2000 and WIN XP Pro systems. And,
naturally, all domain user account objects - save a few - are members of the
Domain Users group. This ( the local Users group ) is a very restrictive
group.

As both of the previous posters have correctly asked, what is it that you
are trying to accomplish? We might be able to help you get to where you are
trying to get without having to do something that is going to ultimately
cause you a whole bunch of problems. I speak from experience ( where I
used to work - in a 300+ environment - my colleagues would often log on as
local Administrator and change the local group membership of the domain user
account object from Power Users to Administrators and forget to change that
back when they were finished.....lots of stupid things happened on those
systems, like people deleting their FONTS folder in order to make more room
for their music files or, er, 'pictures'. And that is a tame example of
what sort of thing would happen ).

You could also go to http://www.sysinternals.com and use both filemon and
regmon to see what registry entry / entries are causing you a problem (
assuming that you are trying to install software and are being told that you
have to be a member of the local Administrators to do so ).

HTH,

Cary
 
Cary,

Thanks for your explanation. Actually, I was managing a
Windows 2000 network for a year. In the last year I tried
to set users as just User, not local admin, but since then
I got a lot of complaints from my users until I set them
back as local admin.

This week I tried to remove them from local user again
after I (a little) understood how to use GPO to manage
users. But in these 3 days I got a lot of complaints again, like:

1. Some users cannot open email attachments like Winzip,
jpg because of a registration error when trying to open using MS
Picture Manager.

2. One of my users is still using a DOS application and that
means I have to set the printer to LPT1 using the NET USE command.
It asks for user and password, but not if I set them as local
admin.

3. My mobile users cannot change their IP when they go to
the branch, which is still using static IP.

That is what I got in three days. So, maybe you can give
another solution, the best setting for User?

Best Regards,
Cahya
 