Restrict power users from installing programs?

ivwshane

I have a work group at an office location where the weekend receptionist is a kid (under 18) and she's constantly installing crap on computers, messenger programs and the like.

Unfortunately, due to crappy programming of critical apps we use and the required use of IE, I can only set the users to power users instead of just users.

Is there a GPO or a third party app that will allow me to restrict either power users from installing software or restrict what software they can install?

I've already restricted the Yahoo Messenger download page (the main IM program she uses) in IE, but there are a ton of other places to download the software and there is no way I can find them all.


What are my options?

Management will be spoken to shortly but I would like a more permanent solution.
 

mechBgon

Is the system running WinXP Professional Edition? If so, I can suggest a trick. Several, in fact.

Also, what antivirus software do you guys use? If it happens to be VirusScan Enterprise 8.0i then I can suggest some Access Protection > File, Share & Folder Protection rules you could use really effectively.
 

mechBgon

Here is my first suggestion:

1) make an Administrator account and password-protect it. Let's say you name this account Admin. I don't know if you have a domain but it sounds like you probably don't.

2) make her account a Limited or Restricted-User account. Oh noes, the bad software won't run! :Q but don't panic yet :)

3) make a shortcut to the problem software on her desktop screen.

4) right-click these new shortcuts, and change the "Start In" line to be "C:\Documents and Settings\HerAccountName\". Also, add runas /user:Admin /savecred in front of the Target line that's got the path to the executable.


Now her account is a Limited account, but this particular program gets run with Admin privileges thanks to the runas /user:Admin part, and the password gets saved thanks to the /savecred switch, so you know the password and she doesn't.

If you do have a domain, then make a second domain account for her, and make the line go runas /user:Domain\username /savecred, and make that domain account a member of her system's Power User or Administrator group.



Another option is to go Start > Run > gpedit.msc to start the Local Group Policy editor, and then go down to User Configuration > System and set up the Run Only Allowed Windows Applications to include precisely the programs you want her to be able to use, and nothing else.



You could also go to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies and create a disallowed-by-default SRP (Windows Media Player screencapture movie demo). Make it apply to Administrators in the Enforcement section there. This would prevent her from executing installers and stuff from the places that she'd be likely to download them to.



If she keeps trying to install the same stuff every time, like AIM for example, then you could leave the empty AIM folder in C:\Program Files, but remove all Security clearance on that folder to anyone, even to SYSTEM, so it's inaccessible. This would effectively stop installation of anything into that folder, since it can't be entered, deleted or modified. "Scorched-earth" policy :evil:



AVG Free Edition is not licensed for business use, last I knew of. You may want to smack your management upside the head with the importance of proper licensing :D Anyway, if you end up with VirusScan Enterprise 8.0i somehow, LMK because I have plenty of suggestions there.
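
A simplified model of how the disallowed-by-default Software Restriction Policy suggested above decides what may run, added here as an illustration and not part of the original posts. The policy contents, the extra AIM rule and the sample paths are constructed; only path rules, designated file types and the Enforcement scope are modelled.

```python
import ntpath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Subset of SRP's Designated File Types; only listed extensions are checked.
DESIGNATED_TYPES = {".exe", ".msi", ".bat", ".cmd", ".com", ".scr", ".vbs"}

# Constructed policy: default-deny, system and program folders allowed.
POLICY = {
    "default_level": DISALLOWED,
    "apply_to_administrators": True,  # Enforcement set to "All users"
    "path_rules": [
        (r"C:\WINDOWS", UNRESTRICTED),
        (r"C:\Program Files", UNRESTRICTED),
        (r"C:\Program Files\AIM", DISALLOWED),  # hypothetical extra rule
    ],
}

def _norm(path):
    # Windows paths are case-insensitive; fold case and separators.
    return ntpath.normcase(ntpath.normpath(path))

def effective_level(path, is_admin=False, policy=POLICY):
    """Return the level this simplified model applies to `path`."""
    if is_admin and not policy["apply_to_administrators"]:
        return UNRESTRICTED  # administrators exempt from enforcement
    target = _norm(path)
    if ntpath.splitext(target)[1] not in DESIGNATED_TYPES:
        return UNRESTRICTED  # not a designated file type, never checked
    best = None
    for rule_path, level in policy["path_rules"]:
        root = _norm(rule_path)
        if target == root or target.startswith(root + "\\"):
            if best is None or len(root) > len(best[0]):
                best = (root, level)  # the most specific path rule wins
    return best[1] if best else policy["default_level"]

# Constructed sample paths a download or install attempt might touch.
SAMPLES = [
    r"C:\Documents and Settings\HerAccountName\Desktop\installer.exe",
    r"C:\Documents and Settings\HerAccountName\Desktop\notes.txt",
    r"c:\windows\SYSTEM32\notepad.exe",
    r"C:\Program Files\AIM\aim.exe",
]

def report(is_admin=False, policy=POLICY):
    return [(p, effective_level(p, is_admin, policy)) for p in SAMPLES]

if __name__ == "__main__":
    for path, level in report():
        print(f"{level:12} {path}")
```
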
 

ivwshane

I've tried the first suggestion and it just creates too much hassle with the programs they have to use :|

Another option is to go Start > Run > gpedit.msc to start the Local Group Policy editor, and then go down to User Configuration > System and set up the Run Only Allowed Windows Applications to include precisely the programs you want her to be able to use, and nothing else.



You could also go to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies and create a disallowed-by-default SRP (Windows Media Player screencapture movie demo). Make it apply to Administrators in the Enforcement section there. This would prevent her from executing installers and stuff from the places that she'd be likely to download them to.



If she keeps trying to install the same stuff every time, like AIM for example, then you could leave the empty AIM folder in C:\Program Files, but remove all Security clearance on that folder to anyone, even to SYSTEM, so it's inaccessible. This would effectively stop installation of anything into that folder, since it can't be entered, deleted or modified. "Scorched-earth" policy

Those are some good ideas and sound more like what I'm looking for!!!

Thanks!


Regarding licensing, let me put it this way, the previous IT guy used pirated XP on a majority of the systems and charged them for it! It's a tough pill to swallow when the replacement costs are in the several thousands! I'm working on it though.
 

nweaver

Tell them the fines if they get caught are lots more than the cost of getting legal.
 

ivwshane

Originally posted by: nweaver
Tell them the fines if they get caught are lots more than the cost of getting legal.



I did that and I kept a copy of the email for myself along with their response ;)