none
Denying access to PC RRS feed

  • Question

  • Hi,

    I have AD on server 2008 and PCs with Windows 7, 8.1 and 10.

    A person boots PCs from USB, resets administrator's password, adds user to administrators groups (local on PC) and installs software.

    Is there a way to deny doing this by GPO or other means? 

    Is there a way to disallow boot in safe mode?

    Some computers are laptops and have to be used not being connected to our network. Also USB ports have to operate.

    Thank you in advance.

    Wednesday, November 2, 2016 2:54 PM

Answers

All replies

  • Yes, software restriction policies. 

    https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, November 3, 2016 12:36 AM
    Moderator
  • Hi,

    In addition, these articles may also help you.

    Block users from installing or running programs in Windows 10/8/7

    http://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    how to stop users from installing new programs in Windows 7

    http://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-to-stop-users-from-installing-new-programs-in/59cfe502-dc5c-4bd4-85fe-a7e5f89fe1e0

    Best Regards,

    Tao


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 3, 2016 9:10 AM
    Moderator
  • That would be a BIOS setting,security.In BIOS,user account is limited with a password,other security areas

    depend on BIOS software.Also,windows boot options are in Msconfig..

    Friday, November 4, 2016 12:46 AM
  • You have to get into BIOS, set to boot only from HDD drive, remove other option, CD, USB, etc. then set a password for your BIOS. GPO is loaded after system boot, so this doesn't make sense to create a GP for this if exist one or other system settings. The only way is to forbid booting from other medium than HDD.

    ###################################################

    Please click Mark As Answer if my post helped.


    • Edited by ugabrielu Sunday, November 6, 2016 7:17 AM
    Sunday, November 6, 2016 7:01 AM