Deny Software Installation to Students

Archived from groups: microsoft.public.win2000.security (More info?)

Could someone please help me find a way to deny members of a certain domain
group (students, in this case) from installing software on our domain's 2K/XP
clients? I understood that as limited users, this would not be possible, but
students still seem able to install such things as Winamp...etc. Ideally, I
would like to create a group policy on the server so that I don't have to
impliment changes over dozens of clients.

Thank you in advance for any insight in this manner.
--
BJM
ACE Assistant
Gary Allan High School
4 answers Last reply
More about deny software installation students
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    You should consider the possibility that students may be local
    administrators. You should check a couple of those computers to see. There
    are easily available fee tools on the internet that allow any user who can
    boot a computer from a floppy or cdrom to become local administrator by
    resetting the password of the local administrator account to a password that
    they know. Configuring cmos to not allow booting from anything other than
    the system disk will help but you still would need to password protect the
    cmos settings and make sure they can not open the computer case to reset the
    cmos. Even after doing that there may be ways to discover the cmos password.

    Having said that you can use Group Policy Restricted Groups to enforce local
    administrator membership though be default that setting will be applied only
    every 90 minutes though that period can be reduced for computer
    configuration. XP Pro will allow you to use Software Restriction Policies to
    manage what software users can run and install and most XP Pro Group Policy
    including Software Restriction Policies [computer configuration only I
    believe though] can be managed in a Windows 2000 domain. Windows 2000 does
    not include SRP. You need to rely on group membership, ntfs permissions, and
    Group Policy Windows application settings available under user
    configuration/administrative templates/ system to manage application use
    though if a user can rename an application/executable they can bypass that
    Group Policy settings. To start with add setup.exe, install.exe, and
    msiexec.exe to the disallowed list. The links below should help get you
    started. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
    http://support.microsoft.com/?kbid=310791
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
    http://support.microsoft.com/default.aspx?scid=kb;en-us;203607
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx


    "B. Meincke" <garyallan@highschool.ca> wrote in message
    news:A438E710-899F-4CA5-8023-4BB013802094@microsoft.com...
    > Could someone please help me find a way to deny members of a certain
    > domain
    > group (students, in this case) from installing software on our domain's
    > 2K/XP
    > clients? I understood that as limited users, this would not be possible,
    > but
    > students still seem able to install such things as Winamp...etc. Ideally,
    > I
    > would like to create a group policy on the server so that I don't have to
    > impliment changes over dozens of clients.
    >
    > Thank you in advance for any insight in this manner.
    > --
    > BJM
    > ACE Assistant
    > Gary Allan High School
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Thank you for your response Steven. I can assure you that our students are
    not admitting themselves to the local admin group or resetting its password!

    And I will take a look at your suggested links. Thank you again for your help.
    --
    BJM
    ACE Assistant
    Gary Allan High School
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Sounds good that you must have some discipline and rules. Many admins from
    schools have posted similar questions to yours and basically described an
    out of control network where students could do whatever they want. Let us
    know if you have any more questions. You should find Software Restriction
    Policies very effective once you learn how to tweak them. If you run into
    problems look in the system/application log for pertinent info and keep in
    mind that desktop shortcuts are considered executable content as far as SRP
    are concerned. --- Steve


    "B. Meincke" <garyallan@highschool.ca> wrote in message
    news:D7AFC64B-249E-4B2B-81A0-82B639A78ED0@microsoft.com...
    > Thank you for your response Steven. I can assure you that our students are
    > not admitting themselves to the local admin group or resetting its
    > password!
    >
    > And I will take a look at your suggested links. Thank you again for your
    > help.
    > --
    > BJM
    > ACE Assistant
    > Gary Allan High School
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Use Software Restriction Policy...for users or/and machines...
    With SRP you control all software in your network....
    but...do it carrefoully


    --
    Regards,
    Cezar H.


    "B. Meincke" wrote:

    > Could someone please help me find a way to deny members of a certain domain
    > group (students, in this case) from installing software on our domain's 2K/XP
    > clients? I understood that as limited users, this would not be possible, but
    > students still seem able to install such things as Winamp...etc. Ideally, I
    > would like to create a group policy on the server so that I don't have to
    > impliment changes over dozens of clients.
    >
    > Thank you in advance for any insight in this manner.
    > --
    > BJM
    > ACE Assistant
    > Gary Allan High School
Ask a new question

Read More

Software Windows