Archived from groups: microsoft.public.win2000.security (
More info?)
Sandip wrote:
> Hi Steve & Danny,
>
> Steven
>
> I want to say a big thank you for you feedback I will be applying the GP
> security template first to see if this is a soloution that I will be happy
> with, if not I will look into applying SRP. Am I correct in thinking that if
> I want to apply SRP, it can be applied on a W2k DC with clients on a mixture
> of Windows 2000 and Win Xp SP1 & SP2.
>
> Danny
>
> The reason why users on Windows XP need to be Admin group is due to a in
> house database we use, if a user is on a XP PC the permissions have to be
> changed for certain features to work correctly, if a user is on W2k no
> changes need to be made. I suppose the last resort would be to roll all
> users back to Windows 2000.
>
> Thanks all again and I shall keep you posted, if you have any additional
> info please post it.
>
> Take Care
>
> Sandip
>
>
> "Steven L Umbach" wrote:
>
>
>>First off it is extremely difficult to restrict an administrator and you
>>should do everything you can including modifying permissions for
>>applications so that they do not need to be an administrator to do such.
>>Having said that you are somewhat in luck. Windows XP Pro has a feature
>>called Software Restriction Policies that can be used to restrict what
>>applications a user can install or run with hash, certificate, and path
>>rules. In high security situations you can start with a default disallowed
>>security level and then create rules for what the user is allowed to run. If
>>you do such keep in mind that desktop shortcuts are considered restricted
>>under SRP.
>>
>>You can manage SRP for computer configuration in a Windows 2000 domain for
>>XP Pro computers. SRP also has an enforcement rule that can apply SRP to
>>local administrators. Note however that local administrators can bypass SRP
>>by booting into safe mode so beware of that. An additional possibility is to
>>use Group Policy user configuration/administrative templates/system and add
>>setup.exe and install.exe to the disallowed Windows applications list though
>>that is not near as effective as SRP. The links below should help. ---
>>Steve
>>
>>http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>>http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
>>http://support.microsoft.com/default.aspx?kbid=842933 --- install this
>>patch FIRST on domain controllers.
>>
>>"Sandip" <Sandip@discussions.microsoft.com> wrote in message
>>news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
>>
>>>Hi All,
>>>
>>>How can I use the GP on a W2k DC to stop users from installing software
>>>when
>>>the users is part of the local Administrators group?
>>>
>>>I have been able to stop software from being installed which uses the
>>>Windows Installer using the GP setting under :-
>>>
>>>User Config\Admin Templates\ Windows Installer\Disable media source for
>>>any
>>>install (enabled)
>>>
>>>But with other software I have not been able to. The client PC's are on
>>>Windows XP SP2
>>>
>>>I really need help on this issuse. Thanks for taking time to read and
>>>provide feedback to this problem.
>>>
>>>Thanks
>>>
>>>Sandip
>>
>>
>>
Have you tried the power users group rather than administrators, we have
to do that for a couple of apps here. If it's an issue of registry keys
you might be able to change permsissions on them but it's a tricky option