0

I've just set up a new server on a new Domain Controller. I have implemented my Group Policy too. However, I would like to implement a policy to restrict the installation of all software by users and not by local administrators or Domain Admins.

Any ideas are greatly appreciated. Thank you.

MadHatter

2 Answers

1

Create a group policy, and define there the Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Disable Windows Installer parameter. Link this policy to the users' OU or use security filtering for the users' security group.

ko4evneg
  • Thanks for your suggestion. Will this prevent users from installing software from the Internet, CD and USB regardless of the file type such as *.msi and *.exe and all other types of installation formats? And how about running software that the users shouldn't be running such as software that doesn't need to be installed and just needs to be run? – Computeristic Oct 22 '13 at 21:57
  • It will prevent only the running of Windows Installer. If you want to restrict users from running already installed programs, you should consider using AppLocker policies or Software Restriction Policies. But they are both not very effective if the user has or had administrator privileges. Also, these policies will work only for signed applications or casual users, because they are very easy to bypass. – ko4evneg Oct 23 '13 at 10:28
  • All users have standard accounts - no administrative rights whatsoever. And I'd like to prevent them from being able to install software from the Internet and from USB and CD. I'll use Software Restriction Policy, but my only concern is that some clients have some software installed but some don't; for example, some clients have MS Office installed but some clients don't. So how can I allow MS Office to run on some clients but not all for certain users? – Computeristic Oct 23 '13 at 21:54
  • @Computeristic Use a software restriction policy that blacklists everything by default, and then whitelist directories that normal users can't write to (Program Files, Windows folder etc) – pauska Oct 23 '13 at 21:56
  • Okay, I will do. Is there a guide I could follow, as this is the first time I will be implementing this and I don't have a test server or any other resources to test unless I add a spare computer to a new OU in Active Directory? – Computeristic Oct 23 '13 at 22:01
  • [Here](http://technet.microsoft.com/en-us/library/bb457006.aspx) you can read a whitepaper on this topic. – ko4evneg Oct 24 '13 at 06:06
1

You can set up Software Restriction Policy such that Administrators are exempt from it. Then they can install software (to C:\Program Files), which all users can execute, but if users want to install software themselves, Software Restriction Policy will not permit them. Even portable applications that do not need to be installed will be blocked.

Klaus Hartnegg
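A read-only check for the setup described in the answers and comments above (default deny, administrators exempt, allowed directories that standard users cannot write to), added here as an example and not code from any poster. It assumes the policy is a computer-configuration SRP delivered by GPO and that the allowed path rules cover Program Files and the Windows folder.

```powershell
# Added example: read-only audit of a default-deny SRP setup on the local machine.
# Assumption: SRP comes from Computer Configuration, so it lives under this policy key.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$srp = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
if (-not $srp) {
    Write-Warning 'No computer-level Software Restriction Policy is applied here.'
} else {
    # DefaultLevel: 0 = Disallowed (default deny), 0x40000 = Unrestricted
    "Default deny       : $($srp.DefaultLevel -eq 0)"
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    "Local admins exempt: $($srp.PolicyScope -eq 1)"
}

# Assumption: these are the directories allowed by path rules (as named in the thread).
$allowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }
# Well-known SIDs: Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users
$nonAdminSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

# Flag every allowed directory where a non-admin principal may create files.
$findings = foreach ($root in $allowedRoots) {
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $nonAdminSids -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights -band $writeRights) -and
                $_.PropagationFlags -notmatch 'InheritOnly'   # skip ACEs that only apply to children
            } |
            ForEach-Object {
                [pscustomobject]@{ Path = $dir.FullName; Sid = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
            }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Sid -Unique | Format-Table -AutoSize
} else {
    'No user-writable directories found under the allowed roots.'
}
```

Run it from an elevated prompt so the ACLs of protected folders can be read. Any directory it lists is one where a standard user can place a file that a path rule would then allow, so it needs a more specific Disallowed rule or a tightened ACL.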