
Restricting Power Users from installing software

acunje

Junior Member
Hello all!

Here at my office we are implementing new standard imaging for laptops and security policies. A large portion of users need full access to quite a few files to be able to run their IDEA CPA software. To overcome this, the lowest privilege they can use is the Power Users group. Is there any way for me to place a restriction on this group so that they can't install software? Part of the standard image was to wipe the laptops of a lot of the junk that they have installed and restrict software to an approved software list which is pre-installed on the machines.

If you have any ideas on how I can go about doing this please let me know! I would really like some input on this.

~Andrew
 
As far as I know, in XP and 2000, there's no way to prevent the INSTALLATION of software if the User is a Local Power User or Administrator. You can restrict, through Local or Group Policy, what programs can be RUN, but that's not the same thing.

If your ONLY problem with making Users "Restricted Users" on their computers is that one accounting program, I suggest you look harder at the Registry and/or file permissions that are needed to make that software run when the users are "Restricted Users".

There are tricks that can be performed, like banning the execution of "Setup.exe" and "Install.exe", but computer-knowledgeable users will just rename the installation file.
 
Our server is running Windows 2003 Server...all clients are Windows XP....

Hope that helps.

Any and all input is appreciated!!!!
 
Originally posted by: acunje
Can software restriction policies help on this matter?
Why not try it and find out, it would take all of 5 minutes to set that up and see if you can overcome it 🙂 But I'd listen to RebateMonger and his suggestion, because what you really want is Restricted Users. Period.

 
Well, just give it a try, using the "Disallowed" option. I didn't really encourage it earlier, because, for most offices, it's a pain. But if you really do have standard images, it could be worth the time to go through testing on one of the boxes and see what it will take to only allow the applications that are needed for people to do their jobs.

Microsoft article on Software Restriction Policy on XP

MS Knowledgebase 324036: How to Use Software Restriction Policies in Windows Server 2003

Only thing is....by the time you add up the time needed to list all the programs that need to be allowed, create the necessary list, and keep the "allowed list" maintained, it might be faster to figure out how to make IDEA CPA run on a "Restricted" Account.
 
Thanks for the help. I got it working, it does what we want, but I can see why it's a pain....anything, even Office products and Disk Cleanup, will not run unless added to the list of programs to run....are there any pre-made policies out there that I can just implement and add to this so that the basics are covered?

Let me know.

Thanks again for all the great help.
 
I agree with RebateMonger - I've spent a lot of time creating images, and there are very few programs out there that can't be run as a restricted user with a few tweaks (i.e. write access to their folder, etc.)

Tim
 
I will try experimenting with trying to fix access problems to folders....hopefully I have some luck. Do you have any suggestions on fixing access rights and/or links for something like this?
 
Grab filemon and regmon from sysinternals, (now owned by Microsoft). Run each of them separately as an admin and launch the program. You will have to scroll through a lot of junk, but make note of what the program itself is trying to access when it is launched.

This is of course assuming that the maker of the product doesn't document all of this (unlikely 🙂 )
 
Microsoft bought them just in time. It was becoming widely recognized that many of us were using Sysinternals utilities illegally....they weren't supposed to be used for commercial purposes unless you paid for a $1000+ license.
 
Once I have found what files and reg values this program is using, how do I grant access to reg stuff and files, so that the prog can run as a user?
 
Although you can be more restrictive than this if your users are all in a security group (such as "acme employees"), I generally grant access to a particular file or folder by using the Authenticated Users group. For files\folders, you right-click on the file\folder, choose Properties, and then the Security tab. For reg keys, it's basically the same thing, although you right-click from within regedit. I'd suggest doing this for the bare minimum, i.e. if the program requires that the user have write access only to its folder, don't grant the user write access to the Programs Folder, etc.

I'd also recommend learning more about NTFS permissions if you are going to be managing images going forward - it's important stuff to know.
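
The bare-minimum grant described in the post above, scripted so it can be baked into an image (an added example, not part of the original thread). The folder and registry key are hypothetical placeholders for whatever Filemon and Regmon actually showed the program writing to, and PowerShell being available on the machine is an assumption.

```powershell
# Hypothetical placeholders: substitute the paths recorded with Filemon/Regmon.
$AppFolder = 'C:\Program Files\ExampleApp'
$AppRegKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$Group     = 'Authenticated Users'   # or a narrower security group

# Folder: Modify on the application's own folder, inherited by its
# subfolders and files. Nothing above this folder is touched.
$folderAcl  = Get-Acl -Path $AppFolder
$folderRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$folderAcl.AddAccessRule($folderRule)
Set-Acl -Path $AppFolder -AclObject $folderAcl

# Registry: read, set values and create subkeys under the application's key
# only. No FullControl, so users cannot change the key's permissions.
$keyAcl  = Get-Acl -Path $AppRegKey
$keyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Group, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$keyAcl.AddAccessRule($keyRule)
Set-Acl -Path $AppRegKey -AclObject $keyAcl

# Check: list what the group now holds on the app folder and on its parent.
# The parent should show no Modify/Write entry that is not inherited defaults.
foreach ($path in $AppFolder, (Split-Path $AppFolder -Parent)) {
    Write-Output "ACL entries for '$Group' on $path"
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -like "*$Group" } |
        Select-Object FileSystemRights, AccessControlType, IsInherited
}
```

Run it from an administrator session, then log on as a restricted user and launch the program to confirm no further grants are needed.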

 
I am not exactly sure about that being an option in a group policy. Anyone else know about that?

Thanks for the input on the folder permissions etc. as well, tyanni!

But really quickly, I was just messing with the software restriction policies...and I learned quite a bit in a short time, but when it comes to blocking access to, say, C:\Program Files\Winamp\winamp.exe for example...is there a more generic way of writing this so that I can just restrict people from opening, say, just winamp.exe regardless of where the file is located?

Thanks again!
 
Hello all again, on this topic I found a good way of blocking software installs by blocking the default install locations' exe files. In combination with this, I also went into the local computer policy and disabled prohibit user installs, enable user control over installs, and disable Windows Installer...which provided the results that we wanted, except that it affected the administrator account when I tried to uninstall Windows Defender.....

Is there a setting that makes it so that this doesn't apply to administrators....or is there a way to force this upon just Power Users and Users, whether it be at the local or domain level?

Thanks a bunch!!!!
 
Under Enforcement, you can choose to apply the policy to all users except local administrators. Or, you can make the GPO apply to only certain users and have a separate GPO for software restriction that is only applied to certain groups.
 