Guest Luca Rossi Posted September 9, 2008 Posted September 9, 2008 Hi to all, i 've a qestion regarding the software installation policy. We have a Windows Server 2003 Active Directory domain, and XP Pro clients. On the clients the users owner of the pc is inserted in the local admin group, this because we have some procedures that does not work as normal user o power user.... Can we prevent this type of users to install software ? Or can we enable only a specific domain admin account (or group) to install software ? Thanks in advance Regards Luca
Guest Meinolf Weber Posted September 9, 2008 Posted September 9, 2008 Re: GPO Software Restriction Hello Luca, If the user is local admin she/he can do anything on the local machine. Better try to figure out with process monitor what additional rights are needed to run the software as normal user, so there is no need to be local admin. But keep in mind, there will be a lot of software that you can run/install without being local admin. http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > Hi to all, i 've a qestion regarding the software installation policy. > > We have a Windows Server 2003 Active Directory domain, and XP Pro > clients. > On the clients the users owner of the pc is inserted in the local > admin > group, this because we have some procedures that does not work as > normal > user o power user.... > Can we prevent this type of users to install software ? Or can we > enable > only a specific domain admin account (or group) to install software ? > Thanks in advance > Regards > Luca
Guest Dusko Savatovic Posted September 9, 2008 Posted September 9, 2008 Re: GPO Software Restriction Windows Server 2003 and later do have software restriction policy but it is very difficult to implement. When your local user is local admin, then there is no way to stop this person from installing software and reconfiguring his/her computer. I have no problem with users being local admins, but you must have some policies enforced in your company. This is, however, responsibility of the higher management and you must win their sponsorship when it comes to security procedures. In plain words, it's like traffic control. You can speed and violate traffic rules, but when you are caught, you will pay. "Luca Rossi" <sistemi@alervarese.it> wrote in message news:OMQmLqlEJHA.4488@TK2MSFTNGP04.phx.gbl... > Hi to all, i 've a qestion regarding the software installation policy. > > We have a Windows Server 2003 Active Directory domain, and XP Pro clients. > On the clients the users owner of the pc is inserted in the local admin > group, this because we have some procedures that does not work as normal > user o power user.... > Can we prevent this type of users to install software ? Or can we enable > only a specific domain admin account (or group) to install software ? > > Thanks in advance > Regards > Luca
Recommended Posts