Recently we removed all users from local Administrators group except domain administrators and Helpdesk group. But some applications require local administrator privilage. Our intention is to restrict all users from installing any new applications (exe & msi). We are distributing all applications using SCCM. Shall anyone help us how to achive this - users should be in local administrators group and they should not be able to install any applications-. We are in windows 2003 functional level Ghanks in advance LMS

Hello, short answer, you can't. An administrator of a machine can do what she/he will. The best way is, to find the really needed permissions for that applciation with Process Monitor and then set them via GPO: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx We do this for all our applications since years, before with filemon and regmon. Of course this is additional work but the only way to not make your users local admin.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Thanks Meinolf I will try to find those applications, thereafter how can I set them through GPO. I never used to it Regards LMS

hi there, i guess that you can, somewhere on GPO you can find install software or allow install software something like this, you will find administrator is a member of this policy you can remove him. Samer F. Mustafa Sr. Microsoft Platform System Engineer sf_mustafa@hotmail.com

Hi Sorry, I failed to find one like this. Windows installer is there, but our intention is to restirct all msi & exe installation.

hi there, i guess that you can, somewhere on GPO you can find install software or allow install software something like this, you will find administrator is a member of this policy you can remove him. Samer F. Mustafa Sr. Microsoft Platform System Engineer sf_mustafa@hotmail.com Hello, if a user is local administrator she/he can still, if they have the knowledge, take over the needed permissions. Whatever you configure with GPOs can be undone from a local admin.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hi Meinolf Please explain me how to achieve this through GPO Regards LMS

Hi Meinolf Please explain me how to achieve this through GPO Regards LMS Hello, sorry, but achive what? As said before use the mentioned Process Monitor to find the reuqired permissions in the file sysytem and registry for the applications to run and configure the folders/files/registry keys with GPO, Computer configuration, Windows settings, Security settings, "file system" or "registry". Here you can add the needed permissions for the applications.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.