Question and Answer: Stop Domain Users from Installing Files

Question:

I have Windows 2003 domain and some users have local admin rights. I would like to prevent these users from installing any software on their PCs.

Bobby Clem
Boulder, CO

Answer:

    In an ideal world we wouldn’t have users who were also local administrators, but we in the IT world often have perfect systems to work with.  In the past I’ve had programs which needed to be installed and run as a local administrator, but luckily I wasn’t able to lockdown accounts due to policy.
    One way that we lock out installing accounts in a domain is to use Group Policy to lockout programs like setup.exe and install.exe to run. As I said this isn’t a perfect solution, but it will eliminate some of the most common install files.

To enable and list the programs you don’t want run go to

User Configuration->Administrative Templates->System->Don’t allow
specified Windows applications in group policy editor.

——————————————————————————————–
If  you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at me@jimguckin.com, and he’ll try to answer your question.  Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.