I have a project and don't know how to approach it. We have a special user that needs administrator rights but I don't want him to have access to download programs or software when he is logged on to the domain. I can give him local admin rights but when he logs on to the domain I want to override his permission so he is not able to download any programs. Is there a way to do this?
To my knowledge you can't do this with the functionality included within Group Policy. You also don't mention the version of Windows you're using on the client. If it's Windows XP, you could consider establishing a software restriction policy that eliminates Internet Explorer use, but he could still bring an FTP program in on, say, a USB key and install from that medium. You may need to investigate third-party software for this particular need.
Click here for questions and answers from all of our security experts.
More on this topic
- Network Access Control Learning Guide:
Learn how unauthorized users gain network access, how to block and secure untrusted endpoints, and get Windows-specific and universal access control policies and procedures.
- Checklist: Secure domain controller settings
Domain controllers are the backbone of your Active Directory, and they can also be complicated. This checklist covers the primary settings to secure.
- Fast Guide: Group Policy
Group Policy can be complicated. Make sure you understand how to implement it and how it affects security. This Fast Guide will help.
- Checklist: Top 5 Windows domain settings to audit
Microsoft has improved its default security settings, but older software might still have some dangerous default settings. In particular, keep an eye on your domain controller.
Dig Deeper on Windows legacy operating systems