Learning Network Manager Thread, Stopping local laptop users installing software in Technical
  1. #16
    Mr.Ben
    I've used a whole range of methods, both user and machine based..

    First off, I've created a workstation OU and moved all the computers into it

    Then GPO's for users:

    User Configuration\Adm Templates\Windows Components\Windows Installer\Prevent Removable Media Source for Install: Enabled

    User Configuration\Adm Templates\System\Don't run specified Windows Applications: Enabled

    Add Install.exe, Setup.exe, Install.bat, Setup.bat - I do realise this only takes a rename to circumvent, but how many staff will do that?

    Then GPO's for the workstation:

    Computer Configuration\Adm Templates\Windows Components\Windows Installer\Disable Windows Installer: Enabled, For non-managed apps only.

    Then I removed security rights to the local machine by downgrading the user accounts

    I have used File Screening (for exe's, bat's and msi's) on my Server to stop install from there, enabled our filtering proxy to refuse staff the ability to download program files.

    Finally on staff laptops there are two partitions (C: and M:). The C:\ drive is completely hidden and the staff My Documents are redirected to their Network Folder and copied using Offline Files. The M drive is for personal use for their music etc.

    Finally, write an AUP for the software, if you have the backing of SMT this will be easy. Remember the School owns the computers - and remind Staff of this at every opportunity - Put a legal text in between Ctrl-Alt-Delete and the login screen:

    The reg keys for that are in HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon

    Some of the changes here mean that the domain administrator can't install programs if they are not done through GPO. I'm fine with this and use the Local administrator (as GPO's shouldn't affect this account).

  2. Thanks to Mr.Ben from:

    Little-Miss (23rd September 2009)
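
An added example, not part of the thread: a PowerShell audit of the registry values that the settings in post #16 write, to confirm on a laptop that the policies actually applied. The value names `DisableMedia`, `DisallowRun`, `DisableMSI`, `LegalNoticeCaption` and `LegalNoticeText` are the standard ones behind these policies and are not named in the post; the four block-list entries are the ones the post gives.

```powershell
# Added example: audit the registry values behind the settings in the post.
# HKCU values are per-user, so run this in the restricted user's session.
$checks = @(
    @{ Name = 'Prevent removable media source for install'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
       Value = 'DisableMedia'; Expected = 1 },
    @{ Name = "Don't run specified Windows applications"
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'DisallowRun'; Expected = 1 },
    @{ Name = 'Disable Windows Installer (1 = non-managed apps only)'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
       Value = 'DisableMSI'; Expected = 1 }
)
$results = foreach ($c in $checks) {
    $prop = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($prop) { $prop.($c.Value) } else { $null }
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = if ($null -eq $actual) { '<not set>' } else { $actual }
        Ok      = ($actual -eq $c.Expected)
    }
}
$results | Format-Table -AutoSize

# The block list lives in a subkey as numbered string values.
$blockKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
$blocked = @()
if (Test-Path $blockKey) {
    $key = Get-Item $blockKey
    $blocked = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}
$wanted  = 'Install.exe', 'Setup.exe', 'Install.bat', 'Setup.bat'   # names from the post
$missing = @($wanted | Where-Object { $blocked -notcontains $_ })
if ($missing.Count) { "Not in block list: $($missing -join ', ')" } else { 'Block list complete' }

# Logon banner values under the Winlogon key named in the post.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ([string]::IsNullOrWhiteSpace($wl.LegalNoticeText)) {
    'Logon banner: LegalNoticeText is empty'
} else {
    "Logon banner caption: $($wl.LegalNoticeCaption)"
}
```

The `DisableMSI` check reads HKLM and reports the same result for any account, while the two HKCU checks reflect only the user whose session runs the script.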

  3. #17

    witch
    Quote (originally posted by Mr.Ben):
    Some of the changes here mean that the domain administrator can't install programs if they are not done through GPO. I'm fine with this and use the Local administrator (as GPO's shouldn't affect this account).

    Which ones? I am looking to stop the children installing off a memory stick and it looks like one of your fixes will work - but will it stop install by admin?

  4. #18

    Little-Miss
    thanks for the detailed post Mr. Ben!!

  5. #19
    Mr.Ben
    Quote (originally posted by witch):
    Which ones? I am looking to stop the children installing off a memory stick and it looks like one of your fixes will work- but will it stop install by admin?

    The computer configuration policy will disable Windows Installer if you log in as the domain admin; it applies to the machine when a domain user (of any sort) is logged in. I must say that's an assumption, as all the other workstation GPOs apply - time to go and see if I can do it!

  6. #20
    Mr.Ben
    Quote (originally posted by Mr.Ben):
    Then I removed security rights to the local machine by downgrading the user accounts

    That needs a little more explanation: basically the domain users have no rights over the C:\ drive. As the staff profiles are cached on the machines this continues even when off the network.

    If a particularly nasty piece of software needs these rights, you can give them back via GPO:

    Computer Configuration\Windows Settings\Security Settings\File System

    You'll need to give security rights over the folder within program files (and you have to browse to the folder, so it has to be installed).

  7. #21


    I've used Witch's method of get them on the network and use the network restrictions or leave them as stand alone and let the teachers do what they want. Just take an image first and when there are any problems, just reimage. Or of course just do a reinstall as stated by other members.

    Just make sure that the teachers know they need to do their own backups if they are stand alone so you don't get any stick. Works for us.

  8. Thanks to penfold from:

    Little-Miss (23rd September 2009)

  9. #22

    Little-Miss
    I've actually come to that conclusion Penfold. I'm just making more work for myself and they're not children. So I'm gonna give them the benefit of the doubt this once and see if they ruin it for themselves.

    I'm going to just give them their domain and add a local with no restrictions. I've used EduGeek's laptop policy and I'm just going to put in there that they are not to install software and that they are responsible for their own backups... obviously I need to make sure the head is OK with this but I can't see that he won't be.

    But still a very helpful post Mr Ben

  10. Thanks to Little-Miss from:

    Mr.Ben (23rd September 2009)

  11. #23

    powdarrmonkey
    Quote (originally posted by Little-Miss):
    I've actually come to that conclusion Penfold. I'm just making more work for myself


    Cover your back by making it clear that it's their responsibility and that if it breaks, it'll go back to how it was issued, no questions asked. Take a clean image and restore that when things go wrong.

    It's just simpler

  12. Thanks to powdarrmonkey from:

    Little-Miss (23rd September 2009)

  13. #24

    Little-Miss
    Thanks Monkey!
