Sign in with
Sign up | Sign in
Your question

Prevent user to install software

Last response: in Windows 2000/NT
Share
Anonymous
October 7, 2004 8:11:20 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Dear,

I want make all user as local administrator member but
want to prevent them to install new software in their PC.

What's setting I have to change in GPO?

Thanks,
Cahya
Anonymous
October 7, 2004 8:31:33 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

"Cahya" <anonymous@discussions.microsoft.com> said

> Dear,
>
> I want make all user as local administrator member but
> want to prevent them to install new software in their PC.
>

AFAIK that is not possible without some very extreme software restriction
policies (and I'm not even sure that would work).

A Local Administrator is precisely that - They have FULL control over that
machine.

Why do they need to be local admins?


--
Andy
Anonymous
October 7, 2004 1:04:33 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Cahya,

As the other two posters have already pointed out, how exactly do you plan
to accomplish something like this? If the domain user account object is a
member of the computer's local Administrators group how do think that the
domain user account could be prevented from installing software on that
machine? If your domain user account object is a member of the local
Administrators group then you have all of the permissions to the file
directory and registry that are necessary to install software as it is the
permissions to the file directory and registry that is preventing the domain
user account object from installing software in the first place.

I am not sure if you know that by default the Domain Users group is a member
of the Users local group on all WIN2000 and WIN XP Pro systems. And,
naturally, all domain user account objects - save a few - are members of the
Domain Users group. This ( the local Users group ) is a very restrictive
group.

As both of the previous posters have correctly asked, what is it that you
are trying to accomplish? We might be able to help you get to where you are
trying to get without having to do something that is going to ultimately
cause you a whole bunch of problems. I speak from experience ( where I
used to work - in a 300+ environment - my colleagues would often log on as
local Administrator and change the local group membership of the domain user
account object from Power Users to Administrators and forget to change that
back when they were finished.....lots of stupid things happened on those
systems, like people deleting their FONTS folder in order to make more room
for their music files or, er, 'pictures'. And that is a tame example of
what sort of thing would happen ).

You could also go to http://www.sysinternals.com and use both filemon and
regmon to see what registry entry / entries are causing your a problem (
assuming that you are trying to install software and are being told that you
have to be a member of the local Administrators to do so ).

HTH,

Cary



"Cahya" <anonymous@discussions.microsoft.com> wrote in message
news:3de901c4ac5e$5fe01200$a501280a@phx.gbl...
> Dear,
>
> I want make all user as local administrator member but
> want to prevent them to install new software in their PC.
>
> What's setting I have to change in GPO?
>
> Thanks,
> Cahya
Related resources
October 7, 2004 5:34:05 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Cahya,

why would you want to make them all admins? Once they are made members of
the local Administrator group they own the machine and can do what they
want. Tell us what you want to achieve and we may be able to help.

cheers,

--
Marco [ www.neovalens.com ]
--

"Cahya" <anonymous@discussions.microsoft.com> wrote in message
news:3de901c4ac5e$5fe01200$a501280a@phx.gbl...
> Dear,
>
> I want make all user as local administrator member but
> want to prevent them to install new software in their PC.
>
> What's setting I have to change in GPO?
>
> Thanks,
> Cahya
Anonymous
October 7, 2004 11:07:20 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Cary,

Thanks for your explanation. Actually I was managing
Windows 2000 network for a year. In the last year I try
to set user just the User, not local admin but since that
I get a lot of complain from my user until I set back
them as local admin.

This Week I try to remove them from local user again
after I (little) understand how to using GPO to manage
user. But this 3 days I get alot of complain again like:

1. Some user cannot open email attachment like Winzip,
jpg because registration error when try to open using MS
Picture Manager.

2. One of my user still using DOS application and that
mean I have to set printer to LPT1 using NET USE command.
It's ask for user and password but not if I set as local
admin.
3. My mobile user cannot change their IP when they go to
the branch which is still using static IP.

That what I get for three days. So, May be you can give
another solution the best setting for User?

Best Regards,
Cahya


>-----Original Message-----
>Cahya,
>
>As the other two posters have already pointed out, how
exactly do you plan
>to accomplish something like this? If the domain user
account object is a
>member of the computer's local Administrators group how
do think that the
>domain user account could be prevented from installing
software on that
>machine? If your domain user account object is a member
of the local
>Administrators group then you have all of the
permissions to the file
>directory and registry that are necessary to install
software as it is the
>permissions to the file directory and registry that is
preventing the domain
>user account object from installing software in the
first place.
>
>I am not sure if you know that by default the Domain
Users group is a member
>of the Users local group on all WIN2000 and WIN XP Pro
systems. And,
>naturally, all domain user account objects - save a few -
are members of the
>Domain Users group. This ( the local Users group ) is a
very restrictive
>group.
>
>As both of the previous posters have correctly asked,
what is it that you
>are trying to accomplish? We might be able to help you
get to where you are
>trying to get without having to do something that is
going to ultimately
>cause you a whole bunch of problems. I speak from
experience ( where I
>used to work - in a 300+ environment - my colleagues
would often log on as
>local Administrator and change the local group
membership of the domain user
>account object from Power Users to Administrators and
forget to change that
>back when they were finished.....lots of stupid things
happened on those
>systems, like people deleting their FONTS folder in
order to make more room
>for their music files or, er, 'pictures'. And that is a
tame example of
>what sort of thing would happen ).
>
>You could also go to http://www.sysinternals.com and use
both filemon and
>regmon to see what registry entry / entries are causing
your a problem (
>assuming that you are trying to install software and are
being told that you
>have to be a member of the local Administrators to do
so ).
>
>HTH,
>
>Cary
>
>
>
>"Cahya" <anonymous@discussions.microsoft.com> wrote in
message
>news:3de901c4ac5e$5fe01200$a501280a@phx.gbl...
>> Dear,
>>
>> I want make all user as local administrator member but
>> want to prevent them to install new software in their
PC.
>>
>> What's setting I have to change in GPO?
>>
>> Thanks,
>> Cahya
>
>
>.
>
!