[gptalk] Re: Help Me! Prevent Users to install software on their computers.
- From: MacLeonard <macleonard@xxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Tue, 13 Feb 2007 13:15:08 +1000
Hi DinhDuy, and all
- I deploy Power Users rights to all users in my Domain.
- After deploying, everyone can setup software on their computer, so I want
to prevent this action. How can I do that?
Here's the best solution to this problem (flame sheilds up):
1. Prevent your users from running as power users.
Giving a user power user rights on a desktop is akin to giving them
administrator privileges.
Here's how this kind of thing typically plays out:
1. You give your users Power User rights.
2. You want to lock down a specific aspect (such as installing software)
3. You invest large amounts of time/money obtaining a "solution" and
making it "work"
4. Your users find some (not very difficult) way around this "solution"
5. Repeat steps 3 and 4 ad infinitum.
Take the time to work out how enable your users to work as members of
the users group, and you'll save a significant amount of time in the
long run.
You *could* always enable software restriction policies make the
default policy "disallowed" and then enable access to *only* those
apps you need to run, but your users will likely work out that they
can get around this with admin rights in short order - and the process
is quite tedious and very very difficult.
Option 1 is undoubtedly the way to go on this.
--
MacLeonard Starkey
CISSP, MCSA
Email: winsec@xxxxxxxxx
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
Other related posts:
