francis_lou Posted November 4, 2004 Share Posted November 4, 2004 Would like to restrict users to install/uninstall software from Win 2000 Pro/ XP.How to enable it? I try to set all users to group "User", but it cause other problem that they can't run installed software smoothly(not authorized to read/write some folder/system folder). They even can't map a network printer to local printer port. (we still have a dos application to run) Any idea? Link to comment Share on other sites More sharing options...
rion Posted November 13, 2004 Share Posted November 13, 2004 If you have a domain you can control this with Group Policy Objects. Link to comment Share on other sites More sharing options...
Shotgun Posted November 14, 2004 Share Posted November 14, 2004 Yes. BUT from a Windows Server 2003 domain. It has a Software Policies section under Computer Configuration -> Administrative Templates. Windows 2000 servers does not have that section in GPO. I don't know if an admin template is available to let W2K domains implement it. If anyone has the info on where to get that, please post the url. Link to comment Share on other sites More sharing options...
FAT64 Posted November 14, 2004 Share Posted November 14, 2004 No, I can't find that either. Link to comment Share on other sites More sharing options...
Sn00f Posted November 17, 2004 Share Posted November 17, 2004 you can use registry entries like[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer];Enlève la commande Panneau de configuration et imprimantes dans Démarrer\Paramètres.;"NoSetFolders"=dword:00000001;Empêche Windows d'exécuter les programmes que vous spécifiez dans cette stratégie."DisallowRun"=dword:00000001;Empêche Windows d'exécuter les programmes que vous spécifiez dans la stratégie DisallowRun.[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]"1"="telnet.exe""2"="Unwise.exe""3"="unins000.exe""4"="dialer.exe""5"="hypertrm.exe""6"="Uninstall.exe""7"="UninstFr.exe""8"="QuickTimeUpdater.exe""9"="vncviewer.exe""10"="uninst-javaws.exe""11"="spuninst.bat""12"="spuninst.exe""13"="ciadv.msc""14"="cleanmgr.exe""15"="cliconfg.exe""16"="clipbrd.exe""17"="ddeshare.exe""18"="dcomcnfg.exe""19"="drwtsn32.exe""20"="fsmgmt.msc""21"="ieshwiz.exe";utilitaire carte graphique"22"="igfxcfg.exe""23"="igfxcpl.cpl";configuration internet (IE)"24"="inetcpl.cpl";utilitaire de mise à jour console java"25"="jpicpl32.cpl";outil de synchronisation de fichier offline"26"="mobsync.exe";utilitaire de restautation de sauvegardes (comme ghost)"27"="ntbackup.exe";utilitaire d'administration des sources ODBC"28"="odbcad32.exe";Analyseur de performances"29"="perfmon.exe""30"="perfmon.msc";annuaire téléphonique"31"="rasphone.exe";éditeur système"32"="sysedit.exe";utilitaire de cryptage"33"="syskey.exe";permet de modifier les thèmes de windows"34"="themes.exe";Administration du serveur telnet"35"="tlntadmn.exe";Gestionnaire de vérification des pilotes"36"="verifier.exe";Assistant d'ajout/suppression de matériel"37"="hdwwiz.cpl";Modification des paramètres de la souris"38"="main.cpl";Paramétrage du contrôle de volume"39"="mmsys.cpl";Utilitaire d'administration des sources ODBC"40"="odbccp32.cpl";Administration des paramètres d'energie"41"="powercfg.cpl";Paramétrage des options de téléphonie"42"="telephon.cpl"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\uninstall];Désactiver l'application Ajouter/Supprimer des programmes du menu démarrer"NoAddRemovePrograms"=dword:00000001;Cache la page 'Modification/Suppression des programmes'"NoRemovePage"=dword:00000001;Masque la page Ajouter des nouveaux programmes"NoAddPage"=dword:00000001;Masque la page Ajouter/supprimer des composants Windows"NoWindowsSetupPage"=dword:00000001;Masque l'option Ajouter un programme à partir d'un CDROM ou d'une disquette"NoAddFromCDorFloppy"=dword:00000001;Masque l'option Ajouter un programme à partir de Microsoft"NoAddFromInternet"=dword:00000001;Masque l'option Ajouter un programme à partir de votre réseau"NoAddFromNetwork"=dword:00000001;Supprime la section 'Ajouter des services' de la page Ajouter/supprimer des composants Windows"NoServices"=dword:00000001But this only disallow some visual entries, disallow some programs to run. If the user changes it's name and if he has some power rights, he will ba able to install software. Link to comment Share on other sites More sharing options...
Shotgun Posted November 18, 2004 Share Posted November 18, 2004 But this only disallow some visual entries, disallow some programs to run. If the user changes it's name and if he has some power rights, he will ba able to install software.Exactly. That's why Software policies in 2003 AD is so effective. It not only identifies a program by its INTERNAL name(the one the file got compiled), but also by a checksum of the program content. That way, no matter what name the file has in the disk, it won't get executed. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now