But first, we need to think, what is a program? It's any executable. As such, it's pretty hard to prevent installation of all programs (i.e., if the user has write access he can copy an executable to the hard drive).
You can, however, restrict installation of other types of executables. For example, you can control the installation of programs that use the Windows Installer. Settings abound in group policy. To find them, open the GPO for the desired OU or domain, or even for a local computer, and expand the User and Computer Administrative Template containers. In each, you'll find a subfolder called Windows Components\Windows Installer. Several settings can be applied. (Remember that these only affect programs installed using Windows Installer; if another installation program is used, these settings do not apply.) Here are some settings that may fulfill your needs:
- "Always install with elevated privileges": if this setting is enabled, the program can be installed even if it requires the ability to write to the registry or file system where the user has no permissions. The installer will run under system privileges. To make this setting work, you must configure it in both the computer and user administrative template settings. If it is not enabled, or not configured in both, the privileges of the user running the installation program will be used, and as you no doubt have experienced, the installation will fail.
- Please be aware that this setting can become a security risk, as sophisticated users can use it to obtain elevated, privileged access. (See Warnings in the Explain tab on the setting choice.)
- Finally, if you know exactly where the installation program needs to write, you could modify ACLs on these areas to allow the user account to write to them. However, note that this would allow them to write there at any time, while the other solution above only allows it when using the Windows Installer.
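
Because "Always install with elevated privileges" only takes effect when it is enabled in both the computer and user templates, an audit has to read both halves. The following PowerShell check is an added example, not part of the original answer; it assumes the policy is stored as the `AlwaysInstallElevated` DWORD under `Software\Policies\Microsoft\Windows\Installer` in HKLM and HKCU, and that it is run in the context of the user being audited.

```powershell
# Added example: report the state of "Always install with elevated privileges".
# Assumption: the policy is stored as the DWORD AlwaysInstallElevated under the
# Installer policy key in both the machine (HKLM) and user (HKCU) hives.
$subKey = 'Software\Policies\Microsoft\Windows\Installer'
$name   = 'AlwaysInstallElevated'

function Get-InstallerPolicyValue {
    param([Parameter(Mandatory)][string]$Hive)   # 'HKLM' or 'HKCU'
    $path = "${Hive}:\$subKey"
    # A missing key or value means the policy is not configured in that hive.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

$machine = Get-InstallerPolicyValue -Hive 'HKLM'
$user    = Get-InstallerPolicyValue -Hive 'HKCU'   # hive of the user running this script

$report = [pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    User          = "$env:USERDOMAIN\$env:USERNAME"
    MachinePolicy = $(if ($null -eq $machine) { 'Not configured' } else { $machine })
    UserPolicy    = $(if ($null -eq $user)    { 'Not configured' } else { $user })
    # The setting is in effect only when both halves are enabled (value 1).
    Effective     = ($machine -eq 1 -and $user -eq 1)
}
$report | Format-List

if ($report.Effective) {
    Write-Warning 'Windows Installer packages install with system privileges for this user. Confirm this is intended.'
} elseif ($machine -eq 1 -or $user -eq 1) {
    Write-Output 'Only one half of the policy is enabled, so installs use the privileges of the user.'
} else {
    Write-Output 'The policy is not enabled in either hive.'
}
```
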
This was first published in October 2002