GPO Software Restriction

Discussion in 'Windows Server' started by Luca Rossi, Sep 9, 2008.

  1. Luca Rossi

    Luca Rossi Guest

    Hi to all, i 've a qestion regarding the software installation policy.

    We have a Windows Server 2003 Active Directory domain, and XP Pro clients.
    On the clients the users owner of the pc is inserted in the local admin
    group, this because we have some procedures that does not work as normal
    user o power user....
    Can we prevent this type of users to install software ? Or can we enable
    only a specific domain admin account (or group) to install software ?

    Thanks in advance
    Regards
    Luca
     
    Luca Rossi, Sep 9, 2008
    #1
    1. Advertisements

  2. Hello Luca,

    If the user is local admin she/he can do anything on the local machine. Better
    try to figure out with process monitor what additional rights are needed
    to run the software as normal user, so there is no need to be local admin.
    But keep in mind, there will be a lot of software that you can run/install
    without being local admin.

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Sep 9, 2008
    #2
    1. Advertisements

  3. Windows Server 2003 and later do have software restriction policy but it is
    very difficult to implement.
    When your local user is local admin, then there is no way to stop this
    person from installing software and reconfiguring his/her computer.

    I have no problem with users being local admins, but you must have some
    policies enforced in your company. This is, however, responsibility of the
    higher management and you must win their sponsorship when it comes to
    security procedures.

    In plain words, it's like traffic control. You can speed and violate traffic
    rules, but when you are caught, you will pay.
     
    Dusko Savatovic, Sep 9, 2008
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.