Try to prevent installs


WP

We have workstations that need a global group in the Power
Users local group. 3/4 of the users are in this group to
run 1 certain app. How can I lock down the machines to
prevent these users from installing applications on the
local workstation?
TIA
WP
 
Hi there

I would challenge your first statement and rephrase it as "I have an
application that won't run when the user is logged in as an ordinary user.
Since I don't know what the program is trying to do that is causing it to fail,
I resort to making the users members of the Power Users group".

Does that sound more like it? The notion of a restricted administrator or a
restricted power user is really a false one. Oh, and the definition of a
power user? An administrator who hasn't made himself an administrator yet.

Anyway, what you need to do is to find out what the program is doing that it
shouldn't be. Some useful tools here are FileMon and RegMon from
www.sysinternals.com. Install and run these programs and then run the
poorly-written application.

The problem is almost certain to be either file permissions or registry
permissions. Once you've found the files, directories or registry keys that
the program is trying to write to, loosen the permissions on them.

You can use regedt32.exe (note, no "i") for registry permissions (and
Explorer, obviously, for file permissions).

Group Policy also has facilities for changing registry permissions and file
permissions. Otherwise, you can script file permission changes using
cacls.exe (built in) and registry permission changes using regini.exe and
several other (and, frankly, better) tools.

Hope this helps

Oli
 
That will be difficult. You may try to add install.exe and setup.exe to the list of
disallowed programs in Group Policy as explained in the KB link below. That may stop
less knowledgeable users. A better solution would be to contact the software
publisher about what NTFS/registry permissions would need to be changed to allow
regular users to use the application. You could try to do that yourself using free
third party tools from Sysinternals - regmon and filemon. While logged on as a
regular user, use runas to invoke filemon or regmon just before you try to run the
application. Then view the logs to see where access was denied, document/make
permission modifications and try again. If you cannot get it to work, you may want
to consider using the compatws.inf template on those workstations, which will give
users the same NTFS/registry permissions as power users, but without the extra rights
that a power user has such as creating shares.

--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://www.sysinternals.com/
http://support.microsoft.com/default.aspx?scid=kb;en-us;269259
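
The log review step that both replies above describe can be scripted; this is an added example, not code from any poster in the thread. It assumes the monitor log was saved as tab-separated text with the columns sequence, time, process, request, path, result, other; that layout, the process name legacyapp.exe and the sample rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows (assumed column order:
# sequence, time, process, request, path, result, other).
ROWS = [
    ("1", "10:01:02", "legacyapp.exe", "OPEN", r"C:\Program Files\LegacyApp\app.ini", "SUCCESS", ""),
    ("2", "10:01:02", "legacyapp.exe", "WRITE", r"C:\Program Files\LegacyApp\app.ini", "ACCESS DENIED", ""),
    ("3", "10:01:03", "explorer.exe", "OPEN", r"C:\WINNT\system32\foo.dll", "ACCESS DENIED", ""),
    ("4", "10:01:03", "legacyapp.exe", "CREATE", r"C:\Program Files\LegacyApp\data\cache.tmp", "ACCESS DENIED", ""),
    ("5", "10:01:04", "legacyapp.exe", "SetValue", r"HKLM\SOFTWARE\LegacyApp\Settings\LastRun", "ACCDENIED", ""),
    ("6", "10:01:05", "legacyapp.exe", "WRITE", r"C:\Program Files\LegacyApp\app.ini", "ACCESS DENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)


def denied_targets(log_text, process):
    """Map each path the given process was denied on to the denied request types."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # header, blank or truncated line
        proc, request, path, result = fields[2:6]
        # Only the application under test matters; other processes are noise.
        if proc.lower() == process.lower() and "DENIED" in result.upper():
            hits[path].add(request)
    return {path: sorted(reqs) for path, reqs in hits.items()}


def review_list(log_text, process):
    """Split denied targets into file paths and registry keys for ACL review."""
    targets = denied_targets(log_text, process)
    keys = sorted(p for p in targets if p.upper().startswith("HK"))
    files = sorted(p for p in targets if not p.upper().startswith("HK"))
    return files, keys


if __name__ == "__main__":
    files, keys = review_list(SAMPLE_LOG, "legacyapp.exe")
    print("Files/directories to review:")
    for path in files:
        print("  ", path)
    print("Registry keys to review:")
    for key in keys:
        print("  ", key)
```

The output is a de-duplicated list of the specific files and keys to document and adjust, so permissions are loosened only where the application was actually denied.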
 