Problem solve Get help with specific problems with your technologies, process and projects.

Stopping local software installation on PCs using an ADS group policy

How do I go about preventing a group of users from installing any software locally on their PCs using an ADS group...


We are having loads of problems with users installing all sorts of shareware, games, etc. on their PCs and would like a way of blocking this. All the users have got local admin. permissions on the PCs (don't ask!), so at the moment they can do whatever they fancy. We need to be able to put them in a group to block this access and put the true administrators in another group allowing them to install legitimate software (by remote control if necessary). It would obviously be better to do this through ADS rather than having to go around changing all the local PCs. Thanks in advance for your suggestions!

As long as users have administrative privileges, they will be able to undo any controls that you put into place. It seems you have a people problem that can only be solved by addressing that aspect. I know of many companies that use both the stick and the carrot approach. The stick: a policy that bans unauthorized software installation and is enforced by strong punishment up to and including dismissal. And/or frequent reinstallation of the companies approved desktop image that only includes approved applications. The carrot: security awareness training and goals of reduced violations of policy rewarded by recognition and even improved employee benefits.

There are many technical controls that can be implemented, but two types of applications cannot be prevented. Many applications are simply executable files that can be copied to the disk. If users have the ability to write to the drive, they can install these programs. Many malicious programs arrive in e-mail attachments. If users do not have administrative privileges, some of the harm of these programs cannot be done.

This was last published in September 2004

Dig Deeper on Windows legacy operating systems

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.