Install rights

[brandon6976]

Hey guys I'm just wondering. If anyone has gone through the process of locking down machines on a domain. I"m wanting ot make it so users don't have install rights and I'll send packages or install packs with pre-defined rights.

Just wondering how I lock down the workstation so they can't install stuff

[firefoxthebomb]

if they are logging into the domain, just do not give them admin rights on the domain and on the workstation, make them a simple user. Also do not allow them to be power users.

[pthomas]

Yeah, like firefoxthebomb said...

If they are local admin on the computer, they can also add other people as admins and all sorts of stuff you do not want to mess with.

If you make them power users, they can install nearly any piece of software except things that make mojor system changes like driver updates. But they can also remove software too.

The user level allows them to pretty much just use the computer and thats it.

You can take it a step further and not even set them up with a user account on the PC at all and then they can still use the PC but it'll be in a more restrictive state. Then their domain account will allow them to logon and use the computer but no system changes of any sort should happen.

I'd put people on at the user level, and if they need to use remote desktop, add them to that group, but always try to never let anyone be an admin unless there is good reason for it.

Too many admins = many, many problems!

Let us know if you need a further breakdown or rights,

Paul

[prathapml]

If you normally use Windows Installer based app-installs, then this is the closes you can get:

Prevent removeable media source for any install

KEY: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

DWORD: DisableMedia = 1

You can apply that from the .REG files.

As for others, just disable running of any file called "setup.exe", "install.exe" and so on. That can be done through group policies. But doing so manually on each work-station will take lot of time. How to do it automatically to all the machines using .ADM (administrative templates), though is something I'm not clear on. Not fool-proof methods these, but then nothing is!

But as firefoxthebomb said, the best thing to do is not give users administrative access. If they are in the restricted users group, they certainly can't install things. (of course they can still carry out installs that don't require access to registry_writing, and access to ProgramFiles or WINDOWS folder - but finding such an installer is very rare nowadays )