none
Restrict Users from Installing Software / Applications on their own

    Question

  • Dear all,

    I have been tasked to figure out how we can restrict users from installing software & other applications on their own.

    in our environment we windows 2012 R2 Std. Domain controller and user machines are joined to domain.

    Domain users has admin rights on their machines.

    so is there any way to restrict users from Installing App/Software on their own.

    - Atul


    TheAtulA

    Thursday, September 22, 2016 12:24 PM

All replies

  • Sure - remove their admin rights. You can use Group Policy Restricted Groups for this.

    If my answer helped you, check out my blog: Deploy Happiness

    Thursday, September 22, 2016 12:40 PM
  • due to some  other testing purpose admin rights are must hence we can not remove the admin rights

    TheAtulA

    Thursday, September 22, 2016 12:42 PM
  • > Domain users has admin rights on their machines.
    > so is there any way to restrict users from Installing App/Software on
    > their own.
     
    Remove Admin rights. No other way...
     
    Thursday, September 22, 2016 12:42 PM
  • Am 22.09.2016 um 14:42 schrieb Martin Binder [MVP]:
    > Remove Admin rights. No other way...
     
    Additionally:
    Even as a user, they still can extract files, start applications from
    internet or use portable apps.
     
    -> implement a software whitelist with tools like Applocker.
     Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Thursday, September 22, 2016 1:19 PM
  • Applocker will not restrict me from installing Apps.

    If I remove admin rights then in that case is there any mechanism/GPO/Rule that allow users to run specific apps/scripts only -- Guess Applocker will help here ..

    Or 

    Any GPO that will prompt a message saying "you are not allowed to install this application - contact your IT for the same" if user trying to install apps.


    TheAtulA

    Friday, September 23, 2016 6:30 AM
  • Hi Atul,
    As the others said, we suggest you remove the admin rights from users, as far as I know, there is no way to stop an administrative account from doing whatever they want on the machine. Generally, it is not recommended to do that.
    if you successfully apply AppLocker or software restriction group policy, when user run installer file, a similar error as you said will be returned, like: "This program is blocked by group policy, contact your admin"
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 28, 2016 8:09 AM
    Moderator
  • Hi,
    I am checking how the issue going, if you still have any questions, please feel free to contact us.
    Appreciate for your feedback.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 03, 2016 7:48 AM
    Moderator
  • HI Wendy,

    I am not sure on whether it will display message like you mentioned if use Applocker or apply software restriction GPO


    TheAtulA

    Monday, October 03, 2016 4:51 PM
  • Hi,
    When AppLocker policy is applied successfully, you might see a similar warning as below, you could also test it firstly in a lab environment.


    You could see more details about AppLocker policy from:
    https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx
    Best regards,
    Wendy

     

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 04, 2016 1:48 AM
    Moderator