locked
Prevent Standard User from installing program in AppData RRS feed

  • Question

  • Hi,

    In general, "Standard User" cannot install program on Windows 7. However, it is possible for "Standard User" to install programs (for example, Google Chrome) in AppData.

    Is there any way to prevent "Standard User" from installing program in AppData?

    Thursday, August 18, 2016 9:45 AM

Answers

  • Hi Apple Cheung,

    Standard user will not have permissions to install most nowadays software - admin credentials will be needed for that, mostly due to the fact, that the app will want to install to the program files folder, to which by default users don't have write permissions. Some apps also need to write some registry keys to HKLM to which users won't be able to write either.

    As you said , now there are some apps like dropbox or chrome, that will install itself directly to the user profile if you don't have admin priviliges. to block them, you'd need to find out specific apps that do that and blacklist them by the file name. Or use a whitelist software restriction policy, that way it'll only run what you allow.

    https://community.spiceworks.com/how_to/57422-deploying-a-whitelist-software-restriction-policy-to-prevent-cryptolocker-and-more

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope it will be helpful to you


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 19, 2016 5:49 AM
  • Hi Apple Cheung,

    Thank you for your clarification. Glad to hear that you have solved the issue. If you feel the suggestion could be helpful to you, please "mark it as answer" to help other community members who have same questions and find the helpful reply quickly.

    If any further help needed, please feel free to post back.

    Best regards,

    Carl Fan


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Friday, August 19, 2016 10:56 AM

All replies

  • Hi Apple Cheung,

    Standard user will not have permissions to install most nowadays software - admin credentials will be needed for that, mostly due to the fact, that the app will want to install to the program files folder, to which by default users don't have write permissions. Some apps also need to write some registry keys to HKLM to which users won't be able to write either.

    As you said , now there are some apps like dropbox or chrome, that will install itself directly to the user profile if you don't have admin priviliges. to block them, you'd need to find out specific apps that do that and blacklist them by the file name. Or use a whitelist software restriction policy, that way it'll only run what you allow.

    https://community.spiceworks.com/how_to/57422-deploying-a-whitelist-software-restriction-policy-to-prevent-cryptolocker-and-more

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope it will be helpful to you


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 19, 2016 5:49 AM
  • Hi Carl,

    I added Software Restriction Policy to our GPO as mentioned in the document and add the below paths to the Whitelist:

    C:\Program Files

    C:\Program Files (x86)

    It seems working properly and as expected. I think it not only prevents user from running unauthorized software but also minimize the chance of virus infections. Very useful for us. Thanks a lot.

    • Marked as answer by Apple Cheung Friday, August 19, 2016 9:19 AM
    • Unmarked as answer by Apple Cheung Monday, August 22, 2016 3:01 AM
    Friday, August 19, 2016 9:19 AM
  • Hi Apple Cheung,

    Thank you for your clarification. Glad to hear that you have solved the issue. If you feel the suggestion could be helpful to you, please "mark it as answer" to help other community members who have same questions and find the helpful reply quickly.

    If any further help needed, please feel free to post back.

    Best regards,

    Carl Fan


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Friday, August 19, 2016 10:56 AM