+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 24
Learning Network Manager Thread, Stopping local laptop users installing software in Technical; Is there a way? I've been having a play with the Local GPO's on the staff laptops and i want ...
  1. #1

    Little-Miss's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    5,522
    Thank Post
    2,374
    Thanked 745 Times in 456 Posts
    Blog Entries
    2
    Rep Power
    542

    Stopping local laptop users installing software

    Is there a way?

    I've been having a play with the Local GPO's on the staff laptops and i want to stop them being able to install software. At the moment i get a box up warning the user that things wont install properly if they dont have the right user rights. I selected the user and it started to install. What did i miss..

  2. #2
    t_h
    t_h is offline
    t_h's Avatar
    Join Date
    Aug 2009
    Location
    Manchester
    Posts
    131
    Thank Post
    7
    Thanked 20 Times in 18 Posts
    Rep Power
    14
    You need to deny the account they log in with local administrator rights. Are the laptops joined to a domain? and are you using Windows XP?

  3. #3

    Little-Miss's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    5,522
    Thank Post
    2,374
    Thanked 745 Times in 456 Posts
    Blog Entries
    2
    Rep Power
    542
    it is windows XP and they do have a domain account...i've set the user up as restricted.

  4. #4
    azrael78's Avatar
    Join Date
    Sep 2007
    Location
    Devon
    Posts
    383
    Thank Post
    47
    Thanked 37 Times in 33 Posts
    Rep Power
    20
    The most effective way is to ensure that no user (except domain admins) have admin rights on the laptop itself.

    This way, only software that is written for 'users' will ever install - and even then, it would have to install inside the users' local profile or any other area of the hard disk to which they can write.

    You could use local GPOs to do this as well - but the problem is that if you lock it down too much, the local administrator also gets hit by it.

    We got around this in the very early days of XP on our site by using NT4's Poledit locally with the updated .ADM files.

    This meant all users could be locked down tight, except the local admin account.

    While that would be horrible to do these days - this was before we even had a Win 2000 Server, let alone 2003/2008.

    Years and years and years ago.

    Az

  5. #5

    Little-Miss's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    5,522
    Thank Post
    2,374
    Thanked 745 Times in 456 Posts
    Blog Entries
    2
    Rep Power
    542
    Quote Originally Posted by azrael78 View Post
    You could use local GPOs to do this as well - but the problem is that if you lock it down too much, the local administrator also gets hit by it.
    Yup, found that out myself

  6. #6

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Why does it matter? Typically, it's because you want to stop people messing up the laptop and then you have to waste time fixing it.

    It may be better to take another approach but you will need management agreement. You then basically let staff do what they want but with the proviso that if the machine stops working (for any reason - misuse, misfortune etc) then you will wipe and reinstall. If you've got an image for the machine it's pretty quick to do that.

    If you go down this route then you need to make sure you've got an easy way for users to backup their data. For example, you might give them an icon which they click when plugged into the network that uses something like robocopy to sync with a network share

    If you try and lock down the machine you will get some people asking "why?" If the answer is "so you can't break it" then you're opening yourself up to nightmares when the machine breaks (and it's not the user's fault) - they'll then say "you must fix it" because you told them it was unbreakable.

    There's a whole mass of software which is legal and justifiable even if you're taking the view that the computer can only be used for work; if you don't let staff install it themselves then you're going to have to do it for them which just makes more unnecessary work for you - something that you really want to avoid :-)

  7. Thanks to srochford from:

    Little-Miss (22nd September 2009)

  8. #7

    Little-Miss's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    5,522
    Thank Post
    2,374
    Thanked 745 Times in 456 Posts
    Blog Entries
    2
    Rep Power
    542
    very good point...

    My head did agree that they shouldnt be able to install programs.

    Before i joined the school the laptops were open to abuse and so now the staff are suffering...basically they'd take them home, let their kids use them...kids install whatever they liked and i end up with the machine thats full of viruses and refuses to do anything...

    They are going to be imaged, have a domain logon and i was giving them a local logon one for use when at home. I then couldnt decide how to allow them to drag their work from the local to the domain so was just going to map them a drive...
    Last edited by Little-Miss; 22nd September 2009 at 09:36 PM.

  9. #8

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,190
    Thank Post
    299
    Thanked 215 Times in 185 Posts
    Rep Power
    56
    The other point is having staff install stuff like lime-wire etc and downloading shed loads of stuff inc. the associated viruses and then bringing them all into the School's network. Where do we stand on software that is unlicensed as well as downloaded and illegal music.

  10. Thanks to HodgeHi from:

    Little-Miss (22nd September 2009)

  11. #9


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    most of the stuff that staff want will install in "c:\program files" so if you either make sure that they are not a 'power user' or 'administrator' then they should not have permission to write there. or just take away the permissions to write on that directory, but making them standard users is a cleaner way of doing it.

  12. #10

    Join Date
    Sep 2009
    Posts
    1
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Have you thought about MS SteadyState?

    Install it in the local admin account and if i remember correctly you can manage all the other local user accounts and set options to deny installing programs for each of these accounts.

  13. Thanks to carni from:

    Little-Miss (22nd September 2009)

  14. #11

    Little-Miss's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    5,522
    Thank Post
    2,374
    Thanked 745 Times in 456 Posts
    Blog Entries
    2
    Rep Power
    542
    I did have a quick look at steadystate...and wasnt sure if it was right for what i needed. Will look properly.

    Welcome by the way!

  15. #12

    bossman's Avatar
    Join Date
    Nov 2005
    Location
    England
    Posts
    3,905
    Thank Post
    1,186
    Thanked 1,057 Times in 749 Posts
    Rep Power
    328
    We don't allow access to the network (apart from internet access) from teachers laptops as people have openly discussed before it is an accident waiting to happen.

    They are standalone units which we give admin access to and the teachers can do what they wish with them within the confines of normal use which covers installation of anything they wish and when they fill it full of virus they bring it to us and we re-image it takes 5 mins and hey presto back up and running.

    They can get internet access from within the school but that is all nothing else.
    So far it works really well and we don't get that many problems.

  16. #13

    Little-Miss's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    5,522
    Thank Post
    2,374
    Thanked 745 Times in 456 Posts
    Blog Entries
    2
    Rep Power
    542
    Argh, this is one of my downfalls in IT....there are so many ways to do one thing and i cant make decisions!!!

  17. #14

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,118
    Thank Post
    1,371
    Thanked 2,375 Times in 1,672 Posts
    Rep Power
    703
    We've just changed over from bossman's scenario to a synched system whereby they look like they are on the network whether they are or not - basically because our system denied them access to their own C drive if they were on the network and they got cross because they couldnt access their stuff. We never mapped them a drive as they could install goodness knows what on their machines and I didnt want it on my server.
    What they dont know, yet, is that they now cant install any programs!! Or change the desktop. This way they remember it is a school machine and not their own personal one, and it keeps rubbish and viruses off my server...
    The simple answer is put them on the network and lock 'em down, or keep them off it and let them do what they like

  18. Thanks to witch from:

    Little-Miss (23rd September 2009)

  19. #15
    deKay's Avatar
    Join Date
    Sep 2006
    Location
    Narrrfok
    Posts
    66
    Thank Post
    6
    Thanked 11 Times in 7 Posts
    Rep Power
    18
    Have you looked into whether your virus killer can stop this?

    We use Symantec Endpoint Protection, and it is configured such that EXEs can't be run from any removable drive, and users are not local admins. It doesn't stop everything, but it helps.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 5
    Last Post: 10th February 2009, 05:33 PM
  2. SIMS and local Power Users
    By HodgeHi in forum MIS Systems
    Replies: 15
    Last Post: 10th June 2008, 05:06 PM
  3. Users as local admins for logon script?
    By actech in forum Windows
    Replies: 12
    Last Post: 14th May 2008, 08:04 PM
  4. Replies: 4
    Last Post: 15th August 2007, 05:36 PM
  5. Add local users to xp home remotely
    By adamyoung in forum Windows
    Replies: 4
    Last Post: 28th June 2007, 10:56 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •