Q

How can I prevent users from changing settings without affecting admins rights?

I need to prevent 20 computers from changing any desktop settings and from installing any Internet or intranet downloads without administrative rights. Where in local computer policy can I do this without it affecting administrators?
You cannot completely prevent a user from installing software if they have write capability on the computer. They can copy an executable file to the hard drive and that may be all the installation that is necessary. By default, users cannot install programs that require the installation of services. You can insure they cannot install software that use the Windows installer program. This can be done centrally with a group policy in a domain or OU.

However, you asked for local group policy information. So, for each machine, add the Group Policy snap-in to an MMC. Open the User Configuration, Administrative Templates node and go to the Windows components, Windows installer node. Select "always install with elevated privileges" and disable. (Note: This will prevent users from installing Windows installer-based applications that require administrator privileges. However, it will...

not prevent them from copying executable files to their hard drive and installing them.)

In this same node, select Prevent Removable Media, navigate to the Computer Configuration, Administrative templates node and select the Windows components, Windows installer node. Select "always install with elevated privileges" and disable. (Note: This will prevent users from installing Windows installer-based applications that require administrator privileges. However, it will not prevent them from copying executable files to their hard drive and installing them.)

Another setting to use in this same location is Prohibit Patching. (This will prevent adding patches that do not require elevated privileges. By default, users cannot install patches that require elevated privileges.) Use the Prohibit User Installs option to prevent user installs of products. There are some settings, and they will affect administrators.

This was first published in April 2004

Dig deeper on User passwords and network permissions

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close