Ask the Expert

How can I prevent users from changing settings without affecting admins rights?

I need to prevent 20 computers from changing any desktop settings and from installing any Internet or intranet downloads without administrative rights. Where in local computer policy can I do this without it affecting administrators?
You cannot completely prevent a user from installing software if they have write capability on the computer. They can copy an executable file to the hard drive and that may be all the installation that is necessary. By default, users cannot install programs that require the installation of services. You can insure they cannot install software that use the Windows installer program. This can be done centrally with a group policy in a domain or OU.

However, you asked for local group policy information. So, for each machine, add the Group Policy snap-in to an MMC. Open the User Configuration, Administrative Templates node and go to the Windows components, Windows installer node. Select "always install with elevated privileges" and disable. (Note: This will prevent users from installing Windows installer-based applications that require administrator privileges. However, it will not prevent them from copying executable files to their hard drive and installing them.)

In this same node, select Prevent Removable Media, navigate to the Computer Configuration, Administrative templates node and select the Windows components, Windows installer node. Select "always install with elevated privileges" and disable. (Note: This will prevent users from installing Windows installer-based applications that require administrator privileges. However, it will not prevent them from copying executable files to their hard drive and installing them.)

Another setting to use in this same location is Prohibit Patching. (This will prevent adding patches that do not require elevated privileges. By default, users cannot install patches that require elevated privileges.) Use the Prohibit User Installs option to prevent user installs of products. There are some settings, and they will affect administrators.

This was first published in April 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: