May 14th, 2003, 10:04 PM
Software installation rights
I am a network admin at a manufacture comapny. I have users with W2k and WinXP OS, I often run into users adding little software games and dodas on their computer. I have looked in local security and user rights in the security admin plug in, but I can't seem to find the right setting to enforce the installation rights. can any one help me. Many thanks in advance.
May 15th, 2003, 12:40 AM
May 15th, 2003, 12:41 AM
Do you have a Server or is it a peer-to-peer environment? If you have a server, you can use Active Directory to restrict installations to admins. If you don't, there's a way to do it (I believe) through the group policy manager. I thought there was a way to do it through the Local Security Policies, but if you can't find it there, I'm probably mistaken.
May 15th, 2003, 02:09 AM
As avdven mentioned, if you are running in a domain environment (doesn't have to be AD) you can force them to use domain logons rather than local logons. Then delete the local accounts on each machine. Domain accounts cannot install software on local machines unless they have domain admin privileges.
An alternative is to demote their local user accounts to regular user accounts (for those who are Power Users or local Admins).
May 15th, 2003, 05:34 AM
As long as you are running a network, you can change the local Admin password on each machine (time consuming, I know), as well as change the rights of the user on each local machine. Just open up Computer Management by right-clicking and choosing Manage for My Computer. Next, right click on the local machine in the left pane and choose to Connect to Remote Computer. Of course, this is only feasible if you have a relatively small network. Qualm is right, if they are not local Admin on the box, then they will not be able to install software. The only thing is that this step alone may be circumvented since some of the users may have changed the local Admin password (if they know how to do so).
Opinions are like
holes - everybody\'s got\'em.
May 15th, 2003, 10:07 AM
There is a nice little security hole in 2000 and XP that will allow a user even if restricted to install 16bit apps through a command prompt. There is a registry key or a Group Policy option to disable this...Google it. You can also pull this off by choosing another install directory other than Program Files sometimes which is usually read only if locked down properly as long as the proggie doesn't dump anything to windows/system32, etc. Good ole Microsoft eh....Happy Locking Down.
"It is a shame that stupidity is not painful" - Anton LaVey
May 15th, 2003, 01:56 PM
May 21st, 2003, 06:17 PM
Thanks guys. Thank you for your answers.