How do I go about preventing a group of users from installing any software locally on their PCs using an ADS group policy?
We are having loads of problems with users installing all sorts of shareware, games, etc. on their PCs and would like a way of blocking this. All the users have got local admin. permissions on the PCs (don't ask!), so at the moment they can do whatever they fancy. We need to be able to put them in a group to block this access and put the true administrators in another group allowing them to install legitimate software (by remote control if necessary). It would obviously be better to do this through ADS rather than having to go around changing all the local PCs. Thanks in advance for your suggestions!
As long as users have administrative privileges, they will be able to undo any controls that you put into place. It seems you have a people problem that can only be solved by addressing that aspect. I know of many companies that use both the stick and the carrot approach. The stick: a policy that bans unauthorized software installation and is enforced by strong punishment up to and including dismissal. And/or frequent reinstallation of the company's approved desktop image that only includes approved applications. The carrot: security awareness training and goals of reduced violations of policy rewarded by recognition and even improved employee benefits.
There are many technical controls that can be implemented, but two types of applications cannot be prevented. Many applications are simply executable files that can be copied to the disk. If users have the ability to write to the drive, they can install these programs. Many malicious programs arrive in e-mail attachments. If users do not have administrative privileges, some of the harm of these programs cannot be done.
This was first published in September 2004
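Because the answer turns on who holds local administrative rights, a first practical step is to inventory the local Administrators group on each PC and flag anything outside an approved list. The following PowerShell is an added example, not part of the original question or answer; the function names, the `EXAMPLE` domain, the `Desktop-Admins` group and the sample rows are all constructed assumptions.

```powershell
# Added example. Group names, computer names and sample rows are constructed.

# Collect local Administrators membership from remote PCs (requires PowerShell remoting).
function Get-LocalAdminMember {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # S-1-5-32-544 is the well-known SID of the local Administrators group;
        # using it avoids depending on the localized group name.
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object @{ n = 'ComputerName'; e = { $env:COMPUTERNAME } }, Name, ObjectClass
    }
}

# Return every member whose name matches none of the approved wildcard patterns.
function Find-UnapprovedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [Parameter(Mandatory)] [string[]] $ApprovedPattern
    )
    foreach ($m in $Members) {
        $ok = $false
        foreach ($p in $ApprovedPattern) {
            if ($m.Name -like $p) { $ok = $true; break }   # -like is case-insensitive
        }
        if (-not $ok) {
            [pscustomobject]@{
                ComputerName = $m.ComputerName
                Member       = $m.Name
                ObjectClass  = $m.ObjectClass
            }
        }
    }
}

# Hypothetical approved list: built-in account plus the "true administrators" groups.
$approved = '*\Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\Desktop-Admins'

# Constructed sample rows, shaped like the output of Get-LocalAdminMember.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-014'; Name = 'PC-014\Administrator';  ObjectClass = 'User' }
    [pscustomobject]@{ ComputerName = 'PC-014'; Name = 'EXAMPLE\Domain Admins'; ObjectClass = 'Group' }
    [pscustomobject]@{ ComputerName = 'PC-014'; Name = 'EXAMPLE\jsmith';        ObjectClass = 'User' }
    [pscustomobject]@{ ComputerName = 'PC-015'; Name = 'EXAMPLE\Domain Users';  ObjectClass = 'Group' }
)

Find-UnapprovedLocalAdmin -Members $sample -ApprovedPattern $approved | Format-Table -AutoSize
# Live use: pass (Get-LocalAdminMember -ComputerName 'PC-014','PC-015') as -Members.
```

Once the unexpected members are known, local Administrators membership can be set centrally from Active Directory with the Group Policy Restricted Groups setting rather than by visiting each PC.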