Deny Software Installation to Students

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Could someone please help me find a way to deny members of a certain domain
group (students, in this case) from installing software on our domain's 2K/XP
clients? I understood that as limited users, this would not be possible, but
students still seem able to install such things as Winamp...etc. Ideally, I
would like to create a group policy on the server so that I don't have to
impliment changes over dozens of clients.

Thank you in advance for any insight in this manner.
--
BJM
ACE Assistant
Gary Allan High School

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

You should consider the possibility that students may be local
administrators. You should check a couple of those computers to see. There
are easily available fee tools on the internet that allow any user who can
boot a computer from a floppy or cdrom to become local administrator by
resetting the password of the local administrator account to a password that
they know. Configuring cmos to not allow booting from anything other than
the system disk will help but you still would need to password protect the
cmos settings and make sure they can not open the computer case to reset the
cmos. Even after doing that there may be ways to discover the cmos password.

Having said that you can use Group Policy Restricted Groups to enforce local
administrator membership though be default that setting will be applied only
every 90 minutes though that period can be reduced for computer
configuration. XP Pro will allow you to use Software Restriction Policies to
manage what software users can run and install and most XP Pro Group Policy
including Software Restriction Policies [computer configuration only I
believe though] can be managed in a Windows 2000 domain. Windows 2000 does
not include SRP. You need to rely on group membership, ntfs permissions, and
Group Policy Windows application settings available under user
configuration/administrative templates/ system to manage application use
though if a user can rename an application/executable they can bypass that
Group Policy settings. To start with add setup.exe, install.exe, and
msiexec.exe to the disallowed list. The links below should help get you
started. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://support.microsoft.com/?kbid=310791
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;203607
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx


"B. Meincke" <garyallan@highschool.ca> wrote in message
news:A438E710-899F-4CA5-8023-4BB013802094@microsoft.com...
> Could someone please help me find a way to deny members of a certain
> domain
> group (students, in this case) from installing software on our domain's
> 2K/XP
> clients? I understood that as limited users, this would not be possible,
> but
> students still seem able to install such things as Winamp...etc. Ideally,
> I
> would like to create a group policy on the server so that I don't have to
> impliment changes over dozens of clients.
>
> Thank you in advance for any insight in this manner.
> --
> BJM
> ACE Assistant
> Gary Allan High School

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Thank you for your response Steven. I can assure you that our students are
not admitting themselves to the local admin group or resetting its password!

And I will take a look at your suggested links. Thank you again for your help.
--
BJM
ACE Assistant
Gary Allan High School

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Sounds good that you must have some discipline and rules. Many admins from
schools have posted similar questions to yours and basically described an
out of control network where students could do whatever they want. Let us
know if you have any more questions. You should find Software Restriction
Policies very effective once you learn how to tweak them. If you run into
problems look in the system/application log for pertinent info and keep in
mind that desktop shortcuts are considered executable content as far as SRP
are concerned. --- Steve


"B. Meincke" <garyallan@highschool.ca> wrote in message
news7AFC64B-249E-4B2B-81A0-82B639A78ED0@microsoft.com...
> Thank you for your response Steven. I can assure you that our students are
> not admitting themselves to the local admin group or resetting its
> password!
>
> And I will take a look at your suggested links. Thank you again for your
> help.
> --
> BJM
> ACE Assistant
> Gary Allan High School
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Use Software Restriction Policy...for users or/and machines...
With SRP you control all software in your network....
but...do it carrefoully


--
Regards,
Cezar H.


"B. Meincke" wrote:

> Could someone please help me find a way to deny members of a certain domain
> group (students, in this case) from installing software on our domain's 2K/XP
> clients? I understood that as limited users, this would not be possible, but
> students still seem able to install such things as Winamp...etc. Ideally, I
> would like to create a group policy on the server so that I don't have to
> impliment changes over dozens of clients.
>
> Thank you in advance for any insight in this manner.
> --
> BJM
> ACE Assistant
> Gary Allan High School