Sign in with
Sign up | Sign in
Your question

Prevent users from installing software

Last response: in Windows 2000/NT
Share
Anonymous
April 28, 2005 10:40:15 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi All,

How can I use the GP on a W2k DC to stop users from installing software when
the users is part of the local Administrators group?

I have been able to stop software from being installed which uses the
Windows Installer using the GP setting under :-

User Config\Admin Templates\ Windows Installer\Disable media source for any
install (enabled)

But with other software I have not been able to. The client PC's are on
Windows XP SP2

I really need help on this issuse. Thanks for taking time to read and
provide feedback to this problem.

Thanks

Sandip
Anonymous
April 28, 2005 7:01:23 PM

Archived from groups: microsoft.public.win2000.security (More info?)

AFAIK if the user is an admin of their computer, you can't.

Why do they need to be admins on the local computer?


hth
DDS W 2k MVP MCSE

"Sandip" <Sandip@discussions.microsoft.com> wrote in message
news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
> Hi All,
>
> How can I use the GP on a W2k DC to stop users from installing software
> when
> the users is part of the local Administrators group?
>
> I have been able to stop software from being installed which uses the
> Windows Installer using the GP setting under :-
>
> User Config\Admin Templates\ Windows Installer\Disable media source for
> any
> install (enabled)
>
> But with other software I have not been able to. The client PC's are on
> Windows XP SP2
>
> I really need help on this issuse. Thanks for taking time to read and
> provide feedback to this problem.
>
> Thanks
>
> Sandip
Anonymous
April 28, 2005 9:04:41 PM

Archived from groups: microsoft.public.win2000.security (More info?)

First off it is extremely difficult to restrict an administrator and you
should do everything you can including modifying permissions for
applications so that they do not need to be an administrator to do such.
Having said that you are somewhat in luck. Windows XP Pro has a feature
called Software Restriction Policies that can be used to restrict what
applications a user can install or run with hash, certificate, and path
rules. In high security situations you can start with a default disallowed
security level and then create rules for what the user is allowed to run. If
you do such keep in mind that desktop shortcuts are considered restricted
under SRP.

You can manage SRP for computer configuration in a Windows 2000 domain for
XP Pro computers. SRP also has an enforcement rule that can apply SRP to
local administrators. Note however that local administrators can bypass SRP
by booting into safe mode so beware of that. An additional possibility is to
use Group Policy user configuration/administrative templates/system and add
setup.exe and install.exe to the disallowed Windows applications list though
that is not near as effective as SRP. The links below should help. ---
Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/m...
http://www.windowsecurity.com/articles/Windows-XP-Group...
http://support.microsoft.com/default.aspx?kbid=842933 --- install this
patch FIRST on domain controllers.

"Sandip" <Sandip@discussions.microsoft.com> wrote in message
news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
> Hi All,
>
> How can I use the GP on a W2k DC to stop users from installing software
> when
> the users is part of the local Administrators group?
>
> I have been able to stop software from being installed which uses the
> Windows Installer using the GP setting under :-
>
> User Config\Admin Templates\ Windows Installer\Disable media source for
> any
> install (enabled)
>
> But with other software I have not been able to. The client PC's are on
> Windows XP SP2
>
> I really need help on this issuse. Thanks for taking time to read and
> provide feedback to this problem.
>
> Thanks
>
> Sandip
Related resources
Anonymous
April 29, 2005 7:34:05 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steve & Danny,

Steven

I want to say a big thank you for you feedback I will be applying the GP
security template first to see if this is a soloution that I will be happy
with, if not I will look into applying SRP. Am I correct in thinking that if
I want to apply SRP, it can be applied on a W2k DC with clients on a mixture
of Windows 2000 and Win Xp SP1 & SP2.

Danny

The reason why users on Windows XP need to be Admin group is due to a in
house database we use, if a user is on a XP PC the permissions have to be
changed for certain features to work correctly, if a user is on W2k no
changes need to be made. I suppose the last resort would be to roll all
users back to Windows 2000.

Thanks all again and I shall keep you posted, if you have any additional
info please post it.

Take Care

Sandip


"Steven L Umbach" wrote:

> First off it is extremely difficult to restrict an administrator and you
> should do everything you can including modifying permissions for
> applications so that they do not need to be an administrator to do such.
> Having said that you are somewhat in luck. Windows XP Pro has a feature
> called Software Restriction Policies that can be used to restrict what
> applications a user can install or run with hash, certificate, and path
> rules. In high security situations you can start with a default disallowed
> security level and then create rules for what the user is allowed to run. If
> you do such keep in mind that desktop shortcuts are considered restricted
> under SRP.
>
> You can manage SRP for computer configuration in a Windows 2000 domain for
> XP Pro computers. SRP also has an enforcement rule that can apply SRP to
> local administrators. Note however that local administrators can bypass SRP
> by booting into safe mode so beware of that. An additional possibility is to
> use Group Policy user configuration/administrative templates/system and add
> setup.exe and install.exe to the disallowed Windows applications list though
> that is not near as effective as SRP. The links below should help. ---
> Steve
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/m...
> http://www.windowsecurity.com/articles/Windows-XP-Group...
> http://support.microsoft.com/default.aspx?kbid=842933 --- install this
> patch FIRST on domain controllers.
>
> "Sandip" <Sandip@discussions.microsoft.com> wrote in message
> news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
> > Hi All,
> >
> > How can I use the GP on a W2k DC to stop users from installing software
> > when
> > the users is part of the local Administrators group?
> >
> > I have been able to stop software from being installed which uses the
> > Windows Installer using the GP setting under :-
> >
> > User Config\Admin Templates\ Windows Installer\Disable media source for
> > any
> > install (enabled)
> >
> > But with other software I have not been able to. The client PC's are on
> > Windows XP SP2
> >
> > I really need help on this issuse. Thanks for taking time to read and
> > provide feedback to this problem.
> >
> > Thanks
> >
> > Sandip
>
>
>
Anonymous
April 29, 2005 5:38:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

SRP can be configured in a Windows 2000 domain via Group Policy but will
only apply to XP Pro domain computers. --- Steve


"Sandip" <Sandip@discussions.microsoft.com> wrote in message
news:83E61879-51A5-491D-B217-5F695DD94C4B@microsoft.com...
> Hi Steve & Danny,
>
> Steven
>
> I want to say a big thank you for you feedback I will be applying the GP
> security template first to see if this is a soloution that I will be happy
> with, if not I will look into applying SRP. Am I correct in thinking that
> if
> I want to apply SRP, it can be applied on a W2k DC with clients on a
> mixture
> of Windows 2000 and Win Xp SP1 & SP2.
>
> Danny
>
> The reason why users on Windows XP need to be Admin group is due to a in
> house database we use, if a user is on a XP PC the permissions have to be
> changed for certain features to work correctly, if a user is on W2k no
> changes need to be made. I suppose the last resort would be to roll all
> users back to Windows 2000.
>
> Thanks all again and I shall keep you posted, if you have any additional
> info please post it.
>
> Take Care
>
> Sandip
>
>
> "Steven L Umbach" wrote:
>
>> First off it is extremely difficult to restrict an administrator and you
>> should do everything you can including modifying permissions for
>> applications so that they do not need to be an administrator to do such.
>> Having said that you are somewhat in luck. Windows XP Pro has a feature
>> called Software Restriction Policies that can be used to restrict what
>> applications a user can install or run with hash, certificate, and path
>> rules. In high security situations you can start with a default
>> disallowed
>> security level and then create rules for what the user is allowed to run.
>> If
>> you do such keep in mind that desktop shortcuts are considered restricted
>> under SRP.
>>
>> You can manage SRP for computer configuration in a Windows 2000 domain
>> for
>> XP Pro computers. SRP also has an enforcement rule that can apply SRP to
>> local administrators. Note however that local administrators can bypass
>> SRP
>> by booting into safe mode so beware of that. An additional possibility is
>> to
>> use Group Policy user configuration/administrative templates/system and
>> add
>> setup.exe and install.exe to the disallowed Windows applications list
>> though
>> that is not near as effective as SRP. The links below should help. ---
>> Steve
>>
>> http://www.microsoft.com/technet/prodtechnol/winxppro/m...
>> http://www.windowsecurity.com/articles/Windows-XP-Group...
>> http://support.microsoft.com/default.aspx?kbid=842933 --- install this
>> patch FIRST on domain controllers.
>>
>> "Sandip" <Sandip@discussions.microsoft.com> wrote in message
>> news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
>> > Hi All,
>> >
>> > How can I use the GP on a W2k DC to stop users from installing software
>> > when
>> > the users is part of the local Administrators group?
>> >
>> > I have been able to stop software from being installed which uses the
>> > Windows Installer using the GP setting under :-
>> >
>> > User Config\Admin Templates\ Windows Installer\Disable media source for
>> > any
>> > install (enabled)
>> >
>> > But with other software I have not been able to. The client PC's are
>> > on
>> > Windows XP SP2
>> >
>> > I really need help on this issuse. Thanks for taking time to read and
>> > provide feedback to this problem.
>> >
>> > Thanks
>> >
>> > Sandip
>>
>>
>>
April 29, 2005 5:44:22 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"Sandip" <Sandip@discussions.microsoft.com> wrote in message
news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
> Hi All,
>
> How can I use the GP on a W2k DC to stop users from installing software
> when
> the users is part of the local Administrators group?
>
> I have been able to stop software from being installed which uses the
> Windows Installer using the GP setting under :-
>
> User Config\Admin Templates\ Windows Installer\Disable media source for
> any
> install (enabled)
>
> But with other software I have not been able to. The client PC's are on
> Windows XP SP2
>
> I really need help on this issuse. Thanks for taking time to read and
> provide feedback to this problem.
>
> Thanks
>
> Sandip

If they're admin... not really. You can prevent users from installing any
..msi files however. But that's not really the same thing!
Anonymous
April 29, 2005 7:15:55 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Sandip wrote:
> Hi Steve & Danny,
>
> Steven
>
> I want to say a big thank you for you feedback I will be applying the GP
> security template first to see if this is a soloution that I will be happy
> with, if not I will look into applying SRP. Am I correct in thinking that if
> I want to apply SRP, it can be applied on a W2k DC with clients on a mixture
> of Windows 2000 and Win Xp SP1 & SP2.
>
> Danny
>
> The reason why users on Windows XP need to be Admin group is due to a in
> house database we use, if a user is on a XP PC the permissions have to be
> changed for certain features to work correctly, if a user is on W2k no
> changes need to be made. I suppose the last resort would be to roll all
> users back to Windows 2000.
>
> Thanks all again and I shall keep you posted, if you have any additional
> info please post it.
>
> Take Care
>
> Sandip
>
>
> "Steven L Umbach" wrote:
>
>
>>First off it is extremely difficult to restrict an administrator and you
>>should do everything you can including modifying permissions for
>>applications so that they do not need to be an administrator to do such.
>>Having said that you are somewhat in luck. Windows XP Pro has a feature
>>called Software Restriction Policies that can be used to restrict what
>>applications a user can install or run with hash, certificate, and path
>>rules. In high security situations you can start with a default disallowed
>>security level and then create rules for what the user is allowed to run. If
>>you do such keep in mind that desktop shortcuts are considered restricted
>>under SRP.
>>
>>You can manage SRP for computer configuration in a Windows 2000 domain for
>>XP Pro computers. SRP also has an enforcement rule that can apply SRP to
>>local administrators. Note however that local administrators can bypass SRP
>>by booting into safe mode so beware of that. An additional possibility is to
>>use Group Policy user configuration/administrative templates/system and add
>>setup.exe and install.exe to the disallowed Windows applications list though
>>that is not near as effective as SRP. The links below should help. ---
>>Steve
>>
>>http://www.microsoft.com/technet/prodtechnol/winxppro/m...
>>http://www.windowsecurity.com/articles/Windows-XP-Group...
>>http://support.microsoft.com/default.aspx?kbid=842933 --- install this
>>patch FIRST on domain controllers.
>>
>>"Sandip" <Sandip@discussions.microsoft.com> wrote in message
>>news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
>>
>>>Hi All,
>>>
>>>How can I use the GP on a W2k DC to stop users from installing software
>>>when
>>>the users is part of the local Administrators group?
>>>
>>>I have been able to stop software from being installed which uses the
>>>Windows Installer using the GP setting under :-
>>>
>>>User Config\Admin Templates\ Windows Installer\Disable media source for
>>>any
>>>install (enabled)
>>>
>>>But with other software I have not been able to. The client PC's are on
>>>Windows XP SP2
>>>
>>>I really need help on this issuse. Thanks for taking time to read and
>>>provide feedback to this problem.
>>>
>>>Thanks
>>>
>>>Sandip
>>
>>
>>
Have you tried the power users group rather than administrators, we have
to do that for a couple of apps here. If it's an issue of registry keys
you might be able to change permsissions on them but it's a tricky option
Anonymous
May 2, 2005 10:38:27 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <83E61879-51A5-491D-B217-5F695DD94C4B@microsoft.com>,
Sandip@discussions.microsoft.com says...
> Hi Steve & Danny,
>
> Steven
>
> I want to say a big thank you for you feedback I will be applying the GP
> security template first to see if this is a soloution that I will be happy
> with, if not I will look into applying SRP. Am I correct in thinking that if
> I want to apply SRP, it can be applied on a W2k DC with clients on a mixture
> of Windows 2000 and Win Xp SP1 & SP2.
>
> Danny
>
> The reason why users on Windows XP need to be Admin group is due to a in
> house database we use, if a user is on a XP PC the permissions have to be
> changed for certain features to work correctly, if a user is on W2k no
> changes need to be made. I suppose the last resort would be to roll all
> users back to Windows 2000.
>
> Thanks all again and I shall keep you posted, if you have any additional
> info please post it.
>
> Take Care
>
> Sandip
>
>
> "Steven L Umbach" wrote:
>
> > First off it is extremely difficult to restrict an administrator and you
> > should do everything you can including modifying permissions for
> > applications so that they do not need to be an administrator to do such.
> > Having said that you are somewhat in luck. Windows XP Pro has a feature
> > called Software Restriction Policies that can be used to restrict what
> > applications a user can install or run with hash, certificate, and path
> > rules. In high security situations you can start with a default disallowed
> > security level and then create rules for what the user is allowed to run. If
> > you do such keep in mind that desktop shortcuts are considered restricted
> > under SRP.
> >
> > You can manage SRP for computer configuration in a Windows 2000 domain for
> > XP Pro computers. SRP also has an enforcement rule that can apply SRP to
> > local administrators. Note however that local administrators can bypass SRP
> > by booting into safe mode so beware of that. An additional possibility is to
> > use Group Policy user configuration/administrative templates/system and add
> > setup.exe and install.exe to the disallowed Windows applications list though
> > that is not near as effective as SRP. The links below should help. ---
> > Steve
> >
> > http://www.microsoft.com/technet/prodtechnol/winxppro/m...
> > http://www.windowsecurity.com/articles/Windows-XP-Group...
> > http://support.microsoft.com/default.aspx?kbid=842933 --- install this
> > patch FIRST on domain controllers.
> >
> > "Sandip" <Sandip@discussions.microsoft.com> wrote in message
> > news:BDDDCBD8-80C9-4B53-8658-655B84C232BA@microsoft.com...
> > > Hi All,
> > >
> > > How can I use the GP on a W2k DC to stop users from installing software
> > > when
> > > the users is part of the local Administrators group?
> > >
> > > I have been able to stop software from being installed which uses the
> > > Windows Installer using the GP setting under :-
> > >
> > > User Config\Admin Templates\ Windows Installer\Disable media source for
> > > any
> > > install (enabled)
> > >
> > > But with other software I have not been able to. The client PC's are on
> > > Windows XP SP2
> > >
> > > I really need help on this issuse. Thanks for taking time to read and
> > > provide feedback to this problem.
> > >
> > > Thanks
> > >
> > > Sandip

It is unlikely to require admin privs for it to work correctly, it just
needs access rights setting properly on the areas users or power users
are having problems with.

Run this tool:-

http://www.sysinternals.com/ntw2k/source/filemon.shtml

and

http://www.sysinternals.com/ntw2k/source/regmon.shtml

to find out what it is they are getting denied access to so you can then
set your permissions on those areas of files or registry.
!