Prevent user to install software

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Dear,

I want make all user as local administrator member but
want to prevent them to install new software in their PC.

What's setting I have to change in GPO?

Thanks,
Cahya
4 answers Last reply
More about prevent user install software
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "Cahya" <anonymous@discussions.microsoft.com> said

    > Dear,
    >
    > I want make all user as local administrator member but
    > want to prevent them to install new software in their PC.
    >

    AFAIK that is not possible without some very extreme software restriction
    policies (and I'm not even sure that would work).

    A Local Administrator is precisely that - They have FULL control over that
    machine.

    Why do they need to be local admins?


    --
    Andy
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Cahya,

    As the other two posters have already pointed out, how exactly do you plan
    to accomplish something like this? If the domain user account object is a
    member of the computer's local Administrators group how do think that the
    domain user account could be prevented from installing software on that
    machine? If your domain user account object is a member of the local
    Administrators group then you have all of the permissions to the file
    directory and registry that are necessary to install software as it is the
    permissions to the file directory and registry that is preventing the domain
    user account object from installing software in the first place.

    I am not sure if you know that by default the Domain Users group is a member
    of the Users local group on all WIN2000 and WIN XP Pro systems. And,
    naturally, all domain user account objects - save a few - are members of the
    Domain Users group. This ( the local Users group ) is a very restrictive
    group.

    As both of the previous posters have correctly asked, what is it that you
    are trying to accomplish? We might be able to help you get to where you are
    trying to get without having to do something that is going to ultimately
    cause you a whole bunch of problems. I speak from experience ( where I
    used to work - in a 300+ environment - my colleagues would often log on as
    local Administrator and change the local group membership of the domain user
    account object from Power Users to Administrators and forget to change that
    back when they were finished.....lots of stupid things happened on those
    systems, like people deleting their FONTS folder in order to make more room
    for their music files or, er, 'pictures'. And that is a tame example of
    what sort of thing would happen ).

    You could also go to http://www.sysinternals.com and use both filemon and
    regmon to see what registry entry / entries are causing your a problem (
    assuming that you are trying to install software and are being told that you
    have to be a member of the local Administrators to do so ).

    HTH,

    Cary


    "Cahya" <anonymous@discussions.microsoft.com> wrote in message
    news:3de901c4ac5e$5fe01200$a501280a@phx.gbl...
    > Dear,
    >
    > I want make all user as local administrator member but
    > want to prevent them to install new software in their PC.
    >
    > What's setting I have to change in GPO?
    >
    > Thanks,
    > Cahya
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi Cahya,

    why would you want to make them all admins? Once they are made members of
    the local Administrator group they own the machine and can do what they
    want. Tell us what you want to achieve and we may be able to help.

    cheers,

    --
    Marco [ www.neovalens.com ]
    --

    "Cahya" <anonymous@discussions.microsoft.com> wrote in message
    news:3de901c4ac5e$5fe01200$a501280a@phx.gbl...
    > Dear,
    >
    > I want make all user as local administrator member but
    > want to prevent them to install new software in their PC.
    >
    > What's setting I have to change in GPO?
    >
    > Thanks,
    > Cahya
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Cary,

    Thanks for your explanation. Actually I was managing
    Windows 2000 network for a year. In the last year I try
    to set user just the User, not local admin but since that
    I get a lot of complain from my user until I set back
    them as local admin.

    This Week I try to remove them from local user again
    after I (little) understand how to using GPO to manage
    user. But this 3 days I get alot of complain again like:

    1. Some user cannot open email attachment like Winzip,
    jpg because registration error when try to open using MS
    Picture Manager.

    2. One of my user still using DOS application and that
    mean I have to set printer to LPT1 using NET USE command.
    It's ask for user and password but not if I set as local
    admin.
    3. My mobile user cannot change their IP when they go to
    the branch which is still using static IP.

    That what I get for three days. So, May be you can give
    another solution the best setting for User?

    Best Regards,
    Cahya


    >-----Original Message-----
    >Cahya,
    >
    >As the other two posters have already pointed out, how
    exactly do you plan
    >to accomplish something like this? If the domain user
    account object is a
    >member of the computer's local Administrators group how
    do think that the
    >domain user account could be prevented from installing
    software on that
    >machine? If your domain user account object is a member
    of the local
    >Administrators group then you have all of the
    permissions to the file
    >directory and registry that are necessary to install
    software as it is the
    >permissions to the file directory and registry that is
    preventing the domain
    >user account object from installing software in the
    first place.
    >
    >I am not sure if you know that by default the Domain
    Users group is a member
    >of the Users local group on all WIN2000 and WIN XP Pro
    systems. And,
    >naturally, all domain user account objects - save a few -
    are members of the
    >Domain Users group. This ( the local Users group ) is a
    very restrictive
    >group.
    >
    >As both of the previous posters have correctly asked,
    what is it that you
    >are trying to accomplish? We might be able to help you
    get to where you are
    >trying to get without having to do something that is
    going to ultimately
    >cause you a whole bunch of problems. I speak from
    experience ( where I
    >used to work - in a 300+ environment - my colleagues
    would often log on as
    >local Administrator and change the local group
    membership of the domain user
    >account object from Power Users to Administrators and
    forget to change that
    >back when they were finished.....lots of stupid things
    happened on those
    >systems, like people deleting their FONTS folder in
    order to make more room
    >for their music files or, er, 'pictures'. And that is a
    tame example of
    >what sort of thing would happen ).
    >
    >You could also go to http://www.sysinternals.com and use
    both filemon and
    >regmon to see what registry entry / entries are causing
    your a problem (
    >assuming that you are trying to install software and are
    being told that you
    >have to be a member of the local Administrators to do
    so ).
    >
    >HTH,
    >
    >Cary
    >
    >
    >
    >"Cahya" <anonymous@discussions.microsoft.com> wrote in
    message
    >news:3de901c4ac5e$5fe01200$a501280a@phx.gbl...
    >> Dear,
    >>
    >> I want make all user as local administrator member but
    >> want to prevent them to install new software in their
    PC.
    >>
    >> What's setting I have to change in GPO?
    >>
    >> Thanks,
    >> Cahya
    >
    >
    >.
    >
Ask a new question

Read More

Policy Microsoft Software Windows