How to prevent "Only" selected users from installing software in a Network


webuxer

New Member
Oct 21, 2020
Hello,

I would like to implement a way to block only certain users from installing software on their client PCs in a network using Windows Server 2016. What should I do to accomplish this? I really want to implement this on the server level, is it via Group Policy? I have seen a few videos online but they are a little confusing. I would like for the users that want to install software to receive a message asking for admin credentials to proceed with the installation. Can this be done? Thanks in advance for the help.
 

j_h_o

Active Member
Apr 21, 2015
California, US
Are you using Active Directory?

Your users should not be logging in with local admin rights. If they're standalone workstations, ensure these users are logging in as members only of the Users group, not Administrators group. Log out and log back in for this to take effect.

Start > Administrative Tools > Computer Management > Local Users/Groups. On each machine, set the user account being used so that it's only in the Users group.

If you're using Active Directory, ensure that they're just Domain Users, and not a member (!!) of the Domain Admins group. You can also use Software Restriction Policies or AppLocker to further restrict what types of binaries can be executed on the endpoints, irrespective of their privileges - so you can restrict so users can only execute binaries signed by particular code signing certificates, or with certain SHAs, etc.
 

j_h_o

  1. Make sure they're all domain users. With UAC enabled (by default on all workstations) they'll be prompted for credentials if they're installing apps. If you're not seeing this, post detailed steps you're following and what you're doing when it doesn't behave as you expect.
  2. If you want more fine-grained control and ensure only approved binaries can be executed (WhatsApp, Dropbox, etc. all install into %APPDATA% which doesn't require Admin rights) you can use AppLocker.
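
Added example, not part of the thread: a PowerShell audit of one workstation for the three things the replies above rely on (local Administrators membership, the UAC credential prompt for standard users, and AppLocker executable rules). Treating only the built-in Administrator (RID 500) and Domain Admins (RID 512) as expected administrators is an assumption; adjust it to your environment.

```powershell
# Added example: run in an elevated PowerShell session on the workstation being checked.

# 1. Who can install machine-wide software? Members of local Administrators (S-1-5-32-544).
#    Assumption: only the built-in Administrator (RID 500) and Domain Admins (RID 512) belong here.
$extraAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -notmatch '-(500|512)$' }

# 2. Is UAC on, and what does a standard user see when an installer asks for elevation?
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
$promptMeaning = @{
    0 = 'elevation requests are denied automatically'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials'
}
$promptValue = $uac.ConsentPromptBehaviorUser
$promptText  = if ($null -ne $promptValue -and $promptMeaning.ContainsKey([int]$promptValue)) {
    $promptMeaning[[int]$promptValue]
} else {
    'not set or unrecognized value'
}

# 3. Is AppLocker enforcing executable rules? This is what covers per-user
#    installers that write to %APPDATA% and never trigger a UAC prompt.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exeRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeMode  = if ($exeRules) { $exeRules.EnforcementMode } else { 'no Exe rule collection' }
$exeCount = if ($exeRules) { @($exeRules.ChildNodes).Count } else { 0 }

# AppLocker rules are only evaluated while the Application Identity service is running.
$appIdSvc = Get-Service -Name AppIDSvc

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    UnexpectedAdmins   = ($extraAdmins.Name -join '; ')
    UacEnabled         = ($uac.EnableLUA -eq 1)
    StandardUserPrompt = $promptText
    AppLockerExeMode   = $exeMode
    AppLockerExeRules  = $exeCount
    AppIdSvcStatus     = $appIdSvc.Status
}
```

An empty `UnexpectedAdmins`, `UacEnabled` of `True` with a credential prompt, and `AppLockerExeMode` of `Enabled` with `AppIdSvcStatus` of `Running` is the state the replies describe; `AuditOnly` means AppLocker is logging but not blocking.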