Prevent users from installing software

Archived from groups: microsoft.public.win2000.security (More info?)

Hi All,

How can I use the GP on a W2k DC to stop users from installing software when
the users is part of the local Administrators group?

I have been able to stop software from being installed which uses the
Windows Installer using the GP setting under :-

User Config\Admin Templates\ Windows Installer\Disable media source for any
install (enabled)

But with other software I have not been able to. The client PC's are on
Windows XP SP2

I really need help on this issuse. Thanks for taking time to read and
provide feedback to this problem.

Thanks

Sandip
7 answers Last reply
More about prevent users installing software
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    AFAIK if the user is an admin of their computer, you can't.

    Why do they need to be admins on the local computer?


    hth
    DDS W 2k MVP MCSE

    "Sandip" <Sandip@discussions.microsoft.com> wrote in message
    news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
    > Hi All,
    >
    > How can I use the GP on a W2k DC to stop users from installing software
    > when
    > the users is part of the local Administrators group?
    >
    > I have been able to stop software from being installed which uses the
    > Windows Installer using the GP setting under :-
    >
    > User Config\Admin Templates\ Windows Installer\Disable media source for
    > any
    > install (enabled)
    >
    > But with other software I have not been able to. The client PC's are on
    > Windows XP SP2
    >
    > I really need help on this issuse. Thanks for taking time to read and
    > provide feedback to this problem.
    >
    > Thanks
    >
    > Sandip
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    First off it is extremely difficult to restrict an administrator and you
    should do everything you can including modifying permissions for
    applications so that they do not need to be an administrator to do such.
    Having said that you are somewhat in luck. Windows XP Pro has a feature
    called Software Restriction Policies that can be used to restrict what
    applications a user can install or run with hash, certificate, and path
    rules. In high security situations you can start with a default disallowed
    security level and then create rules for what the user is allowed to run. If
    you do such keep in mind that desktop shortcuts are considered restricted
    under SRP.

    You can manage SRP for computer configuration in a Windows 2000 domain for
    XP Pro computers. SRP also has an enforcement rule that can apply SRP to
    local administrators. Note however that local administrators can bypass SRP
    by booting into safe mode so beware of that. An additional possibility is to
    use Group Policy user configuration/administrative templates/system and add
    setup.exe and install.exe to the disallowed Windows applications list though
    that is not near as effective as SRP. The links below should help. ---
    Steve

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
    http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
    http://support.microsoft.com/default.aspx?kbid=842933 --- install this
    patch FIRST on domain controllers.

    "Sandip" <Sandip@discussions.microsoft.com> wrote in message
    news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
    > Hi All,
    >
    > How can I use the GP on a W2k DC to stop users from installing software
    > when
    > the users is part of the local Administrators group?
    >
    > I have been able to stop software from being installed which uses the
    > Windows Installer using the GP setting under :-
    >
    > User Config\Admin Templates\ Windows Installer\Disable media source for
    > any
    > install (enabled)
    >
    > But with other software I have not been able to. The client PC's are on
    > Windows XP SP2
    >
    > I really need help on this issuse. Thanks for taking time to read and
    > provide feedback to this problem.
    >
    > Thanks
    >
    > Sandip
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Steve & Danny,

    Steven

    I want to say a big thank you for you feedback I will be applying the GP
    security template first to see if this is a soloution that I will be happy
    with, if not I will look into applying SRP. Am I correct in thinking that if
    I want to apply SRP, it can be applied on a W2k DC with clients on a mixture
    of Windows 2000 and Win Xp SP1 & SP2.

    Danny

    The reason why users on Windows XP need to be Admin group is due to a in
    house database we use, if a user is on a XP PC the permissions have to be
    changed for certain features to work correctly, if a user is on W2k no
    changes need to be made. I suppose the last resort would be to roll all
    users back to Windows 2000.

    Thanks all again and I shall keep you posted, if you have any additional
    info please post it.

    Take Care

    Sandip


    "Steven L Umbach" wrote:

    > First off it is extremely difficult to restrict an administrator and you
    > should do everything you can including modifying permissions for
    > applications so that they do not need to be an administrator to do such.
    > Having said that you are somewhat in luck. Windows XP Pro has a feature
    > called Software Restriction Policies that can be used to restrict what
    > applications a user can install or run with hash, certificate, and path
    > rules. In high security situations you can start with a default disallowed
    > security level and then create rules for what the user is allowed to run. If
    > you do such keep in mind that desktop shortcuts are considered restricted
    > under SRP.
    >
    > You can manage SRP for computer configuration in a Windows 2000 domain for
    > XP Pro computers. SRP also has an enforcement rule that can apply SRP to
    > local administrators. Note however that local administrators can bypass SRP
    > by booting into safe mode so beware of that. An additional possibility is to
    > use Group Policy user configuration/administrative templates/system and add
    > setup.exe and install.exe to the disallowed Windows applications list though
    > that is not near as effective as SRP. The links below should help. ---
    > Steve
    >
    > http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
    > http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
    > http://support.microsoft.com/default.aspx?kbid=842933 --- install this
    > patch FIRST on domain controllers.
    >
    > "Sandip" <Sandip@discussions.microsoft.com> wrote in message
    > news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
    > > Hi All,
    > >
    > > How can I use the GP on a W2k DC to stop users from installing software
    > > when
    > > the users is part of the local Administrators group?
    > >
    > > I have been able to stop software from being installed which uses the
    > > Windows Installer using the GP setting under :-
    > >
    > > User Config\Admin Templates\ Windows Installer\Disable media source for
    > > any
    > > install (enabled)
    > >
    > > But with other software I have not been able to. The client PC's are on
    > > Windows XP SP2
    > >
    > > I really need help on this issuse. Thanks for taking time to read and
    > > provide feedback to this problem.
    > >
    > > Thanks
    > >
    > > Sandip
    >
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    SRP can be configured in a Windows 2000 domain via Group Policy but will
    only apply to XP Pro domain computers. --- Steve


    "Sandip" <Sandip@discussions.microsoft.com> wrote in message
    news:83E61879-51A5-491D-B217-5F695DD94C4B@microsoft.com...
    > Hi Steve & Danny,
    >
    > Steven
    >
    > I want to say a big thank you for you feedback I will be applying the GP
    > security template first to see if this is a soloution that I will be happy
    > with, if not I will look into applying SRP. Am I correct in thinking that
    > if
    > I want to apply SRP, it can be applied on a W2k DC with clients on a
    > mixture
    > of Windows 2000 and Win Xp SP1 & SP2.
    >
    > Danny
    >
    > The reason why users on Windows XP need to be Admin group is due to a in
    > house database we use, if a user is on a XP PC the permissions have to be
    > changed for certain features to work correctly, if a user is on W2k no
    > changes need to be made. I suppose the last resort would be to roll all
    > users back to Windows 2000.
    >
    > Thanks all again and I shall keep you posted, if you have any additional
    > info please post it.
    >
    > Take Care
    >
    > Sandip
    >
    >
    > "Steven L Umbach" wrote:
    >
    >> First off it is extremely difficult to restrict an administrator and you
    >> should do everything you can including modifying permissions for
    >> applications so that they do not need to be an administrator to do such.
    >> Having said that you are somewhat in luck. Windows XP Pro has a feature
    >> called Software Restriction Policies that can be used to restrict what
    >> applications a user can install or run with hash, certificate, and path
    >> rules. In high security situations you can start with a default
    >> disallowed
    >> security level and then create rules for what the user is allowed to run.
    >> If
    >> you do such keep in mind that desktop shortcuts are considered restricted
    >> under SRP.
    >>
    >> You can manage SRP for computer configuration in a Windows 2000 domain
    >> for
    >> XP Pro computers. SRP also has an enforcement rule that can apply SRP to
    >> local administrators. Note however that local administrators can bypass
    >> SRP
    >> by booting into safe mode so beware of that. An additional possibility is
    >> to
    >> use Group Policy user configuration/administrative templates/system and
    >> add
    >> setup.exe and install.exe to the disallowed Windows applications list
    >> though
    >> that is not near as effective as SRP. The links below should help. ---
    >> Steve
    >>
    >> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
    >> http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
    >> http://support.microsoft.com/default.aspx?kbid=842933 --- install this
    >> patch FIRST on domain controllers.
    >>
    >> "Sandip" <Sandip@discussions.microsoft.com> wrote in message
    >> news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
    >> > Hi All,
    >> >
    >> > How can I use the GP on a W2k DC to stop users from installing software
    >> > when
    >> > the users is part of the local Administrators group?
    >> >
    >> > I have been able to stop software from being installed which uses the
    >> > Windows Installer using the GP setting under :-
    >> >
    >> > User Config\Admin Templates\ Windows Installer\Disable media source for
    >> > any
    >> > install (enabled)
    >> >
    >> > But with other software I have not been able to. The client PC's are
    >> > on
    >> > Windows XP SP2
    >> >
    >> > I really need help on this issuse. Thanks for taking time to read and
    >> > provide feedback to this problem.
    >> >
    >> > Thanks
    >> >
    >> > Sandip
    >>
    >>
    >>
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    "Sandip" <Sandip@discussions.microsoft.com> wrote in message
    news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
    > Hi All,
    >
    > How can I use the GP on a W2k DC to stop users from installing software
    > when
    > the users is part of the local Administrators group?
    >
    > I have been able to stop software from being installed which uses the
    > Windows Installer using the GP setting under :-
    >
    > User Config\Admin Templates\ Windows Installer\Disable media source for
    > any
    > install (enabled)
    >
    > But with other software I have not been able to. The client PC's are on
    > Windows XP SP2
    >
    > I really need help on this issuse. Thanks for taking time to read and
    > provide feedback to this problem.
    >
    > Thanks
    >
    > Sandip

    If they're admin... not really. You can prevent users from installing any
    ..msi files however. But that's not really the same thing!
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    Sandip wrote:
    > Hi Steve & Danny,
    >
    > Steven
    >
    > I want to say a big thank you for you feedback I will be applying the GP
    > security template first to see if this is a soloution that I will be happy
    > with, if not I will look into applying SRP. Am I correct in thinking that if
    > I want to apply SRP, it can be applied on a W2k DC with clients on a mixture
    > of Windows 2000 and Win Xp SP1 & SP2.
    >
    > Danny
    >
    > The reason why users on Windows XP need to be Admin group is due to a in
    > house database we use, if a user is on a XP PC the permissions have to be
    > changed for certain features to work correctly, if a user is on W2k no
    > changes need to be made. I suppose the last resort would be to roll all
    > users back to Windows 2000.
    >
    > Thanks all again and I shall keep you posted, if you have any additional
    > info please post it.
    >
    > Take Care
    >
    > Sandip
    >
    >
    > "Steven L Umbach" wrote:
    >
    >
    >>First off it is extremely difficult to restrict an administrator and you
    >>should do everything you can including modifying permissions for
    >>applications so that they do not need to be an administrator to do such.
    >>Having said that you are somewhat in luck. Windows XP Pro has a feature
    >>called Software Restriction Policies that can be used to restrict what
    >>applications a user can install or run with hash, certificate, and path
    >>rules. In high security situations you can start with a default disallowed
    >>security level and then create rules for what the user is allowed to run. If
    >>you do such keep in mind that desktop shortcuts are considered restricted
    >>under SRP.
    >>
    >>You can manage SRP for computer configuration in a Windows 2000 domain for
    >>XP Pro computers. SRP also has an enforcement rule that can apply SRP to
    >>local administrators. Note however that local administrators can bypass SRP
    >>by booting into safe mode so beware of that. An additional possibility is to
    >>use Group Policy user configuration/administrative templates/system and add
    >>setup.exe and install.exe to the disallowed Windows applications list though
    >>that is not near as effective as SRP. The links below should help. ---
    >>Steve
    >>
    >>http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
    >>http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
    >>http://support.microsoft.com/default.aspx?kbid=842933 --- install this
    >>patch FIRST on domain controllers.
    >>
    >>"Sandip" <Sandip@discussions.microsoft.com> wrote in message
    >>news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
    >>
    >>>Hi All,
    >>>
    >>>How can I use the GP on a W2k DC to stop users from installing software
    >>>when
    >>>the users is part of the local Administrators group?
    >>>
    >>>I have been able to stop software from being installed which uses the
    >>>Windows Installer using the GP setting under :-
    >>>
    >>>User Config\Admin Templates\ Windows Installer\Disable media source for
    >>>any
    >>>install (enabled)
    >>>
    >>>But with other software I have not been able to. The client PC's are on
    >>>Windows XP SP2
    >>>
    >>>I really need help on this issuse. Thanks for taking time to read and
    >>>provide feedback to this problem.
    >>>
    >>>Thanks
    >>>
    >>>Sandip
    >>
    >>
    >>
    Have you tried the power users group rather than administrators, we have
    to do that for a couple of apps here. If it's an issue of registry keys
    you might be able to change permsissions on them but it's a tricky option
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <83E61879-51A5-491D-B217-5F695DD94C4B@microsoft.com>,
    Sandip@discussions.microsoft.com says...
    > Hi Steve & Danny,
    >
    > Steven
    >
    > I want to say a big thank you for you feedback I will be applying the GP
    > security template first to see if this is a soloution that I will be happy
    > with, if not I will look into applying SRP. Am I correct in thinking that if
    > I want to apply SRP, it can be applied on a W2k DC with clients on a mixture
    > of Windows 2000 and Win Xp SP1 & SP2.
    >
    > Danny
    >
    > The reason why users on Windows XP need to be Admin group is due to a in
    > house database we use, if a user is on a XP PC the permissions have to be
    > changed for certain features to work correctly, if a user is on W2k no
    > changes need to be made. I suppose the last resort would be to roll all
    > users back to Windows 2000.
    >
    > Thanks all again and I shall keep you posted, if you have any additional
    > info please post it.
    >
    > Take Care
    >
    > Sandip
    >
    >
    > "Steven L Umbach" wrote:
    >
    > > First off it is extremely difficult to restrict an administrator and you
    > > should do everything you can including modifying permissions for
    > > applications so that they do not need to be an administrator to do such.
    > > Having said that you are somewhat in luck. Windows XP Pro has a feature
    > > called Software Restriction Policies that can be used to restrict what
    > > applications a user can install or run with hash, certificate, and path
    > > rules. In high security situations you can start with a default disallowed
    > > security level and then create rules for what the user is allowed to run. If
    > > you do such keep in mind that desktop shortcuts are considered restricted
    > > under SRP.
    > >
    > > You can manage SRP for computer configuration in a Windows 2000 domain for
    > > XP Pro computers. SRP also has an enforcement rule that can apply SRP to
    > > local administrators. Note however that local administrators can bypass SRP
    > > by booting into safe mode so beware of that. An additional possibility is to
    > > use Group Policy user configuration/administrative templates/system and add
    > > setup.exe and install.exe to the disallowed Windows applications list though
    > > that is not near as effective as SRP. The links below should help. ---
    > > Steve
    > >
    > > http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
    > > http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part2.html
    > > http://support.microsoft.com/default.aspx?kbid=842933 --- install this
    > > patch FIRST on domain controllers.
    > >
    > > "Sandip" <Sandip@discussions.microsoft.com> wrote in message
    > > news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
    > > > Hi All,
    > > >
    > > > How can I use the GP on a W2k DC to stop users from installing software
    > > > when
    > > > the users is part of the local Administrators group?
    > > >
    > > > I have been able to stop software from being installed which uses the
    > > > Windows Installer using the GP setting under :-
    > > >
    > > > User Config\Admin Templates\ Windows Installer\Disable media source for
    > > > any
    > > > install (enabled)
    > > >
    > > > But with other software I have not been able to. The client PC's are on
    > > > Windows XP SP2
    > > >
    > > > I really need help on this issuse. Thanks for taking time to read and
    > > > provide feedback to this problem.
    > > >
    > > > Thanks
    > > >
    > > > Sandip

    It is unlikely to require admin privs for it to work correctly, it just
    needs access rights setting properly on the areas users or power users
    are having problems with.

    Run this tool:-

    http://www.sysinternals.com/ntw2k/source/filemon.shtml

    and

    http://www.sysinternals.com/ntw2k/source/regmon.shtml

    to find out what it is they are getting denied access to so you can then
    set your permissions on those areas of files or registry.
Ask a new question

Read More

Windows Installer Software Windows