+ Post New Thread
Page 2 of 2 FirstFirst 12
Results 16 to 28 of 28
Windows Thread, Restrict software installation in Technical; Originally Posted by beeswax ...it says (or said) that it wasn't recommended for use with a large network... beeswax Can ...
  1. #16
    eejit's Avatar
    Join Date
    Jun 2005
    Location
    Ireland
    Posts
    606
    Thank Post
    52
    Thanked 12 Times in 12 Posts
    Rep Power
    23

    Re: Restrict software installation

    Quote Originally Posted by beeswax
    ...it says (or said) that it wasn't recommended for use with a large network...
    beeswax
    Can you remember if it said why?

  2. #17
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Restrict software installation

    I was going to suggest Ranger (which can spot and kill any dialog box enabling you to defeat different installers), but I'm sure I'll be shot down by the raw AD & GPO crowd (don't get me wrong, I'm raw AD & GPO myself!) but here's a thought.

    You could do the same thing using AutoIt. It's possible to write an AutoIt script which sits on the system waiting for certain windows to appear and killing them automatically. I use the technique for automating nasty software installations which pop up dialogs mid-install. AutoIt is clever enough not to hog the CPU. The only tricky bit would be constructing the mechanism to distribute a central list of 'windows to kill'. If anyone is interested in this idea (or can see a reason why it wouldn't work), post here to let me know. Maybe I'll write the script...

  3. #18
    secman's Avatar
    Join Date
    Nov 2005
    Location
    Romford, Essex
    Posts
    107
    Thank Post
    0
    Thanked 2 Times in 2 Posts
    Rep Power
    19

    Re: Restrict software installation

    Thanks Dos_Box, it is as we thought. However, how easy is it to set up AD/GPO to replicate what Winsuite does....that is the thing. We don't want to miss a setting and let the little darlings loose.

    On the subject of the MS Shared Computer Toolkit, we have looked at it briefly as well. The problem with locking down the C: drive is that you loose all MS Updates, AV updates etc everytime you restart the PC. One suggestion is to put your AV software on a further partition and not to restrict that, but that sort of defeats the object.

    Anyone know if good ol' MS are planning a version for networks?

    Thanks

  4. #19

    Dos_Box's Avatar
    Join Date
    Jun 2005
    Location
    Preston, Lancashire
    Posts
    9,262
    Thank Post
    668
    Thanked 2,254 Times in 1,036 Posts
    Blog Entries
    23
    Rep Power
    670

    Re: Restrict software installation

    It is very easy. You just need to create a policy, call it DENY INSTALLATIONS to experiemnt on. I shall post later (when I have more time) and tell you the relevent sections of GPO's to look in, or if someone is not to busy they could start you off now with a suggestion or two.

  5. #20

    Join Date
    Oct 2005
    Posts
    5
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Restrict software installation

    If you go to the user's software restrictions as described above set some path rules like these:

    d:\ Path Disallowed
    e:\ Path Disallowed
    h:\ Path Disallowed
    l:\ Path Disallowed
    p:\ Path Disallowed
    v:\ Path Disallowed

    This allows users to access data etc from the blocked locations but EXEs can't be run. It works well for us. We do it at an OU level so we can be flexible for different levels of user.

  6. #21

    Join Date
    Dec 2005
    Posts
    19
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Restrict software installation

    Hi

    I've tried the solution mentioned above by adding some 'new path rules' but they do not seem to be working as the little blighters are still able to run doom and quake from their pen drives.

    I looked at the other options available but unfortunately we use so much software it would take forever to populate the list of allowed software.

    Any further assistance on this problem would be much appreciated.

  7. #22

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,592
    Thank Post
    109
    Thanked 770 Times in 598 Posts
    Rep Power
    183

    Re: Restrict software installation

    Disable access to pen drives, stating the reasons - anyone with work on a USB drive can give it to a teacher/technician who will copy the work to a share for collection by the pupil. Explain why this has had to be done - abuse of school resources!

  8. #23
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,995
    Thank Post
    120
    Thanked 286 Times in 263 Posts
    Rep Power
    108

    Re: Restrict software installation

    ^^ Thats what we do no removable drive access for students. Its more trouble than its worth to let them bring god knows what in. If they need to send something in they can email or bring it to me.

  9. #24

    Join Date
    Dec 2005
    Posts
    19
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Restrict software installation

    Thanks for the suggestions, I have given a report to the schools leadership team regarding this matter and suggested the disabling of pen drives, not sure they will be too keen on that though :cry:

    I've just been told by a colleague that there is a program available that will take care of this, I'll keep you all informed if I find out what it is.

  10. #25
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,995
    Thank Post
    120
    Thanked 286 Times in 263 Posts
    Rep Power
    108

    Re: Restrict software installation

    Just disallow access to non network drives. You can still restrict c: and run your normal programs as well.

  11. #26
    eejit's Avatar
    Join Date
    Jun 2005
    Location
    Ireland
    Posts
    606
    Thank Post
    52
    Thanked 12 Times in 12 Posts
    Rep Power
    23

    Re: Restrict software installation

    Quote Originally Posted by artram
    If you go to the user's software restrictions as described above set some path rules like these:

    d:\ Path Disallowed
    e:\ Path Disallowed
    h:\ Path Disallowed
    l:\ Path Disallowed
    p:\ Path Disallowed
    v:\ Path Disallowed

    This allows users to access data etc from the blocked locations but EXEs can't be run. It works well for us. We do it at an OU level so we can be flexible for different levels of user.
    This is the biggest mistakes in group policies as far as I'm concerned. You can't block exe's for subfolders. So for the examples above you would have to disallow
    d:\*.exe
    d:\*\*.exe
    d:\*\*\*.exe
    d:\*\*\*\*.exe
    etc., for all the other drives too, and for any other extension that you'd like as well. Nightmare

  12. #27

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Restrict software installation

    Quote Originally Posted by eejit
    This is the biggest mistakes in group policies as far as I'm concerned. You can't block exe's for subfolders. So for the examples above you would have to disallow
    d:\*.exe
    d:\*\*.exe
    d:\*\*\*.exe
    d:\*\*\*\*.exe
    etc., for all the other drives too, and for any other extension that you'd like as well. Nightmare
    There are two methods of application blocking. Software restriction policies as mentioned above or Run/Don't Run specified Windows Applications in the Admin Templates section of the User part of the GPO.

    This second method is reliant on filenames only and so changes in directory paths don't matter. It works well if your students are 'GUI centric'

    It's also more forgiving when it comes to dependent exes for major programs such as in Microsoft Office.

    The one flaw appears to have to be programs which have spaces in the filename.

  13. #28

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Restrict software installation

    Quote Originally Posted by eejit
    This is the biggest mistakes in group policies as far as I'm concerned. You can't block exe's for subfolders. So for the examples above you would have to disallow
    d:\*.exe
    d:\*\*.exe
    d:\*\*\*.exe
    d:\*\*\*\*.exe
    etc., for all the other drives too, and for any other extension that you'd like as well. Nightmare
    Actually looking at TechNet again if it's possible to specify a path as just *.vbs then you may be able to use d:*.exe which should cope with subfolders.



SHARE:
+ Post New Thread
Page 2 of 2 FirstFirst 12

Similar Threads

  1. Restrict Logon
    By DSapseid in forum Wireless Networks
    Replies: 7
    Last Post: 28th March 2007, 11:30 AM
  2. Replies: 15
    Last Post: 1st December 2006, 03:13 PM
  3. Software Installation Policies - random issue
    By CM786 in forum Wireless Networks
    Replies: 4
    Last Post: 2nd October 2006, 03:12 PM
  4. Restrict filetypes
    By Gatt in forum How do you do....it?
    Replies: 21
    Last Post: 22nd September 2006, 12:28 PM
  5. Replies: 3
    Last Post: 8th September 2006, 08:49 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •