[gptalk] Re: Help Me! Prevent Users to install software on their computers.

  • From: "Nelson, Jamie R Contr 72 CS/SCBNF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 13 Feb 2007 08:38:39 -0600

Do you really trust your users to do that? Especially when it comes to
configuring permissions? Would it not be easier for you to have a file
server (or an XP box acting as one) that you yourself manage?

I don't recommend it personally, but if you must give Users this
ability, you should be able to do so by granting them the "Create
permanent shared objects" right in Local Security Policy. You can do
this in a GPO by drilling down to:

Computer Configuration > Windows Settings > Security Settings > Local
Policies > User Rights Assignment

Keep in mind that if you're dealing with NTFS you must have a minimum of
Read permissions to share a folder.

//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation
72 CS/SCBNF
405.739.2811 (DSN 339)

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of DinhDuy
Sent: Tuesday, February 13, 2007 6:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Help Me! Prevent Users to install software on
their computers.

Yes, I've just deployed my users with the users group but I have a
question.
How can I enable Sharing and Security function for my users? With the
users
group, user can't use sharing and security in context menu and printer
sharing as well.


-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On
Behalf Of MacLeonard
Sent: Tuesday, February 13, 2007 10:15 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Help Me! Prevent Users to install software on
their
computers.

Hi DinhDuy,  and all

> - I deploy Power Users rights to all users in my Domain.
>
> - After deploying, everyone can setup software on their computer, so I
want
> to prevent this action. How can I do that?

Here's the best solution to this problem (flame sheilds up):

              1. Prevent your users from running as power users.

Giving a user power user rights on a desktop is akin to giving them
administrator privileges.

Here's how this kind of thing typically plays out:

1. You give your users Power User rights.
2. You want to lock down a specific aspect (such as installing software)
3. You invest large amounts of time/money obtaining a "solution" and
making it "work"
4. Your users find some (not very difficult) way around this "solution"
5. Repeat steps 3 and 4 ad infinitum.

Take the time to work out how enable your users to work as members of
the users group, and you'll save a significant amount of time in the
long run.

You *could* always enable software restriction policies make the
default policy "disallowed" and then enable access to *only* those
apps you need to run, but your users will likely work out that they
can get around this with admin rights in short order - and the process
is quite tedious and very very difficult.

Option 1 is undoubtedly the way to go on this.

-- 
MacLeonard Starkey
CISSP, MCSA
Email: winsec@xxxxxxxxx
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at http://www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: