|
Question : need help with using a group policy to prevent local admins from installing apps on the internet
|
|
Due to proprietary applications our users have to be Local Administrators on their PCs. We are using group policies for the first time and would like to prevent them from installing apps from the internet such as weatherbug, toolbars, etc
We do not want to manage an ever-growing hash list to prevent this. I located a post which provided the following work around
1) we restrict their write access only to removable media, temp folders, and their folder and subfolder under documents and settings. 2) Then, we set software restriction policy to disallow any executable content anywhere they have write access. So, whether they try to bring in a program on disk or download something off the internet, the only places that they can write to, they can't run executable content from, thus preventing them from running or installing anything that you don't set up for them
The first step is the problem for me
I can not locate a group policy option to specifically restrict what write access to those devices and folders. What am I doing wrong?
We only have a single domain with 2003 DC and about 100 users on XP Pro
Thanks for your help.
|
Answer : need help with using a group policy to prevent local admins from installing apps on the internet
|
|
Regardless of what you do, you are going to run into problems while allowing your users to be Local Admins.. Whatever restrictions you put in place can be circumvented by the users if they know what they are doing.. (ahem..:)
There are settings in Group Policy that will stop them from installing from media, such as:
User Config > Admin Templates > Windows Components > Windows Installer
But as far as using Security Permissions within GP, I think the only way to do this would be to do it manually at each users desktop for the specific folders and devices which you need to limit.. especially since you are using Local Profiles..
|
|
|
|
|
