Setting software installation restrictions in the Local Users group
I have a question regarding the software installation restrictions of users. Can't the administrator set the user as a "Restricted User" in the User and Password settings under Control Panel and be done with it? Or is there more to it than that?
Yep, you got it, there's more to software installation. Restricted Users are members of the Local Users group. If they are local users, they can be given this designation either by membership in the Users group (the default) via Administrative Tools > Computer Management, or via Control Panel > Users and Passwords > Properties. If these accounts are domain accounts, their default designation is as a member of Domain Users, which by default is a member of the Local Users group.
So, users are restricted users by default. This means that they can't install programs that require elevated privileges -- i.e. programs that require the installation of a service, or programs that use the Windows Installer or other installation programs that have been configured to block program installation by an ordinary user account.
It also prevents them from installing applications that require changes to system folders and registry keys for which they do not have permission. However, this does not prevent them from using installation programs that do not require these features, or from simply copying executable programs to folders. The explanatory paragraph in the Control Panel applet is misleading to say the least.
This was first published in September 2002
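The answer's last point, that a restricted user can still copy executables into any folder they are allowed to write to, can be checked on a current Windows system by reading folder ACLs. The following is an added example, not part of the original answer; it assumes PowerShell 3.0 or later, and the folder list and variable names are illustrative assumptions.

```powershell
# Added example: list folders where an ordinary user account may create files.
# $folders is an assumed sample list; replace it with the paths you care about.
$folders = @(
    $env:SystemRoot,
    (Join-Path $env:SystemRoot 'System32'),
    $env:ProgramFiles,
    $env:PUBLIC,
    $env:TEMP
)

# Well-known SIDs that apply to every ordinary (restricted) user.
$userSids = @(
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-11',       # NT AUTHORITY\Authenticated Users
    'S-1-1-0'         # Everyone
)

$sidType     = [System.Security.Principal.SecurityIdentifier]
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($folder in $folders) {
    if (-not $folder -or -not (Test-Path -LiteralPath $folder -PathType Container)) { continue }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $folder).GetAccessRules($true, $true, $sidType)

    $writable = $false
    foreach ($rule in $rules) {
        # Only Allow ACEs are examined; Deny ACEs are not evaluated (simplification).
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs affect children, not this folder itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($rule.IdentityReference.Value -notin $userSids) { continue }
        # CreateFiles is the right needed to drop a new file into the folder.
        if (([int]$rule.FileSystemRights -band $createFiles) -ne 0) { $writable = $true }
    }

    [pscustomobject]@{
        Folder             = $folder
        UsersCanCreateFile = $writable
    }
}
```

Folders reported with `UsersCanCreateFile = True` are places where membership in the Users group alone does not stop a program from being copied in.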