[gptalk] Re: Help Me! Prevent Users to install software on their computers.

  • From: MacLeonard <macleonard@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 13 Feb 2007 13:15:08 +1000

Hi DinhDuy,  and all

- I deploy Power Users rights to all users in my Domain.

- After deploying, everyone can setup software on their computer, so I want
to prevent this action. How can I do that?

Here's the best solution to this problem (flame sheilds up):

             1. Prevent your users from running as power users.

Giving a user power user rights on a desktop is akin to giving them
administrator privileges.

Here's how this kind of thing typically plays out:

1. You give your users Power User rights.
2. You want to lock down a specific aspect (such as installing software)
3. You invest large amounts of time/money obtaining a "solution" and
making it "work"
4. Your users find some (not very difficult) way around this "solution"
5. Repeat steps 3 and 4 ad infinitum.

Take the time to work out how enable your users to work as members of
the users group, and you'll save a significant amount of time in the
long run.

You *could* always enable software restriction policies make the
default policy "disallowed" and then enable access to *only* those
apps you need to run, but your users will likely work out that they
can get around this with admin rights in short order - and the process
is quite tedious and very very difficult.

Option 1 is undoubtedly the way to go on this.

MacLeonard Starkey
Email: winsec@xxxxxxxxx
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/

Other related posts: