How to restrict local Administrators from installing any software
Recently we removed all users from the local Administrators group except domain administrators and the Helpdesk group. But some applications require local administrator privilege. Our intention is to restrict all users from installing any new applications (exe & msi). We are distributing all applications using SCCM. Can anyone help us with how to achieve this: users should be in the local Administrators group and they should not be able to install any applications? We are at Windows 2003 functional level.
Thanks in advance
LMS
June 26th, 2010 10:10am
Hello,
Short answer: you can't. An administrator of a machine can do what she/he wants. The best way is to find the permissions that application really needs with Process Monitor and then set them via GPO:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
We have done this for all our applications for years, previously with Filemon and Regmon. Of course this is additional work, but it is the only way to not make your users local admin.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
June 26th, 2010 2:47pm
Thanks Meinolf
I will try to find those applications. After that, how can I set them through GPO? I have never used it.
Regards
LMS
June 26th, 2010 3:10pm
Hi there,
I guess that you can.
Somewhere in GPO you can find "install software" or "allow install software", something like this; you will find that Administrator is a member of this policy, and you can remove him.
Samer F. Mustafa
Sr. Microsoft Platform System Engineer
sf_mustafa@hotmail.com
June 27th, 2010 10:33am
Hi
Sorry, I failed to find one like this. Windows Installer is there, but our intention is to restrict all msi & exe installation.
June 27th, 2010 11:39am
Hello,
If a user is a local administrator, she/he can still, if they have the knowledge, take over the needed permissions. Whatever you configure with GPOs can be undone by a local admin.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
June 27th, 2010 1:12pm
Hi Meinolf
Please explain to me how to achieve this through GPO
Regards
LMS
June 27th, 2010 2:42pm
Hello,
Sorry, but achieve what?
As said before, use the mentioned Process Monitor to find the required permissions in the file system and registry for the applications to run, and configure the folders/files/registry keys with GPO: Computer configuration, Windows settings, Security settings, "file system" or "registry". Here you can add the needed permissions for the applications.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
June 27th, 2010 4:32pm
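The Process Monitor step described in the replies above, as an added example that is not part of the original thread: it reduces a Process Monitor CSV export, captured while the application runs as a standard user, to the distinct paths that returned ACCESS DENIED, sorted by the GPO node ("File System" or "Registry") where the permission would be granted. The process name `LegacyApp.exe`, the sample rows and the function name `Get-DeniedAccess` are assumptions made for illustration.

```powershell
# Constructed sample of a Process Monitor CSV export (default columns).
# LegacyApp.exe and every path below are hypothetical.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","LegacyApp.exe","4120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2234567 AM","LegacyApp.exe","4120","RegCreateKey","HKLM\SOFTWARE\LegacyApp\State","ACCESS DENIED","Desired Access: All Access"
"10:01:02.3234567 AM","LegacyApp.exe","4120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4234567 AM","LegacyApp.exe","4120","RegOpenKey","HKCU\Software\LegacyApp","SUCCESS","Desired Access: Read"
"10:01:02.5234567 AM","explorer.exe","2204","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Write"
'@

function Get-DeniedAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,      # rows from the CSV export
        [Parameter(Mandatory)] [string]   $ProcessName  # application under test
    )
    $Events |
        # Keep only the failures of the application being analysed.
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        # Collapse repeated attempts against the same object.
        Group-Object Path, Operation |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                # Process Monitor abbreviates registry hives (HKLM, HKCU, ...);
                # everything else is treated as a file system path.
                GpoNode   = if ($first.Path -match '^HK(LM|CU|CR|U|CC)(\\|$)') { 'Registry' } else { 'File System' }
                Path      = $first.Path
                Operation = $first.Operation
                Detail    = $first.Detail   # shows which access was requested
                Count     = $_.Count
            }
        } |
        Sort-Object GpoNode, Path
}

# For a real capture, replace the sample with: Import-Csv <path to your export>
$events = $sampleCsv | ConvertFrom-Csv
Get-DeniedAccess -Events $events -ProcessName 'LegacyApp.exe' | Format-Table -AutoSize
```

Each row in the output is a candidate entry for the "file system" or "registry" security settings mentioned above; grant only the access shown in the Detail column, and only to the group that runs the application.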