none
block people from installing programs

    Question

  • hi,

    i'm currently running server 2008 R2 as a domain and file server with a win7 forest and maybe one xp pc

    today i'm looking for a way to block people from installing new programs it can be either they are 100% blocked from doing this or they can only update the programs

    i was hoping to do this with the GPO and only do it through users, so that when domain admins login they can easerly do updates and install things

    is this possible ?


    Monday, November 09, 2015 9:52 PM

Answers

  • Hi,

    Are these users granted local administrator rights? As long as the users don't have administrative rights they shouldn't be able to install any software.

    By default, Domain users are members of the Users local group which by default don't have the privilege to install anything. If you don’t want them to install any software, just don’t grant them the local administrator rights. Domain admins by default, are part of local administrator group, so they should be able to do updates and install things.


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 10, 2015 8:54 AM
    Moderator
  • thanks for the info may i add that the accounts haven't been created yet

    these users will be domain accounts controlled by a GPO

    so what account type will i set there accounts as ?

    may  i also add that i would like to put these user accounts into a group and then set use the group to control there file permissions and do it so that in the GPO i only have to add the group rather then user by user

    If you just create an Active Directory account for your users, you do not need to add it to any group to restrict permissions on a Windows 7 workstation, they will not be able to install any software on those machines unless they are members of local administrators group on the machine.

    You could also use AppLocker to block running of applications / installations.

    Wednesday, November 11, 2015 5:07 AM

All replies

  • Hi,

    Are these users granted local administrator rights? As long as the users don't have administrative rights they shouldn't be able to install any software.

    By default, Domain users are members of the Users local group which by default don't have the privilege to install anything. If you don’t want them to install any software, just don’t grant them the local administrator rights. Domain admins by default, are part of local administrator group, so they should be able to do updates and install things.


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 10, 2015 8:54 AM
    Moderator
  • If the users have local admin permissions, it is not possible to block applications' installation. You should remove local admin permissions and configure updates to be done by Group Policies (Software Installation is available in Active Directory by default or SCCM - paid product).

    My LinkedIn profile

    Tuesday, November 10, 2015 8:58 AM
  • Hi

     You can use Software Restriction group Policies,

    Check for details,

    https://technet.microsoft.com/en-us/library/hh125926(v=ws.10).aspx

    Note:By default domain user don't have right to install s/w unless and until they are added to local administrator group on their workstation or special permission is given to install the same.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Tuesday, November 10, 2015 8:58 AM
  • thanks for the info may i add that the accounts haven't been created yet

    these users will be domain accounts controlled by a GPO

    so what account type will i set there accounts as ?

    may  i also add that i would like to put these user accounts into a group and then set use the group to control there file permissions and do it so that in the GPO i only have to add the group rather then user by user

    Tuesday, November 10, 2015 7:18 PM
  • thanks for the info may i add that the accounts haven't been created yet

    these users will be domain accounts controlled by a GPO

    so what account type will i set there accounts as ?

    may  i also add that i would like to put these user accounts into a group and then set use the group to control there file permissions and do it so that in the GPO i only have to add the group rather then user by user

    If you just create an Active Directory account for your users, you do not need to add it to any group to restrict permissions on a Windows 7 workstation, they will not be able to install any software on those machines unless they are members of local administrators group on the machine.

    You could also use AppLocker to block running of applications / installations.

    Wednesday, November 11, 2015 5:07 AM
  • thanks for the info

    the reason why i would like to add them to groups is so that the account can be controlled easier by the GPO and the file permissions (only have to add the group rather than adding every user one by one)

    Wednesday, November 11, 2015 4:57 PM
  • For that, sure.
    Wednesday, November 11, 2015 8:28 PM
  • i know that this question might or is a bit off subject

    but how do you add people to groups cause I've doing this before with no success 

    Thursday, November 12, 2015 7:15 AM
  • I suggest you take a course on Windows Active Directory or start reading some books.
    Thursday, November 12, 2015 3:03 PM
  • may I just add that I'm only a student

    may I ask is there a place on the Microsoft website or the TechNet were I an find courses destined for this ?

    • Edited by glennmckenna Thursday, November 12, 2015 9:07 PM
    Thursday, November 12, 2015 9:06 PM
  • You can start here

     Microsoft TechNet Virtual Labs

    https://technet.microsoft.com/en-us/virtuallabs/bb467605.aspx?f=255&MSPPError=-2147217396

    Microsoft Virtual Academy

    https://mva.microsoft.com/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Thursday, November 12, 2015 9:17 PM