Domain – Stop Domain Users from Installing Software

active-directory domain user-management

This is my last shot to figure this out. If I can even figure it out.

Is there any way to stop a user from installing programs on their computer? We'll be running Server 2016. I've tried denying them local admin rights (which I did successfully), but to no avail. I've also tried forcing the programs to run with elevated privileges, once again to no avail.

How do I do this? Is it even possible?

I'd really appreciate all the help I can get.

Best Answer

Assuming you are going to use a domain and use GPOs, then the recommended (albeit a PITA, but since you are starting from scratch it would be much easier to accomplish) path is Software Restriction Policies. This also has the added benefit of preventing malware/ransomware effectively.

https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.

You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. Software restriction policies are integrated with Microsoft Active Directory and Group Policy. You can also create software restriction policies on stand-alone computers. Software restriction policies are trust policies, which are regulations set by an administrator to restrict scripts and other code that is not fully trusted from running.
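
To confirm on a domain client that an SRP GPO like the one described in the answer has applied and is in the allow-only configuration, the following is an added example, not part of the original answer. It assumes the policy is computer-scoped (read from HKLM), and its check for user-writable paths is a simple heuristic of this example.

```powershell
# Added example: summarize the machine-scope SRP settings delivered by Group Policy.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security level IDs (used as DefaultLevel values and as subkey names).
$levels  = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$enforce = @{ 0 = 'No enforcement'; 1 = 'All files except DLLs'; 2 = 'All files including DLLs' }
$scopes  = @{ 0 = 'All users'; 1 = 'All users except local administrators' }

function Resolve-Name($table, $value) {
    if ($null -eq $value) { return 'not set' }
    if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
    return "unknown ($value)"
}

if (-not (Test-Path $base)) {
    Write-Warning 'No machine-scope SRP policy is present on this computer.'
    return
}

$policy = Get-ItemProperty -Path $base
[pscustomobject]@{
    DefaultLevel = Resolve-Name $levels  $policy.DefaultLevel
    Enforcement  = Resolve-Name $enforce $policy.TransparentEnabled
    AppliesTo    = Resolve-Name $scopes  $policy.PolicyScope
} | Format-List

# With an Unrestricted default, SRP only blocks what is explicitly listed,
# so anything a user downloads can still run.
if ($policy.DefaultLevel -ne 0) {
    Write-Warning 'Default level is not Disallowed: this is not an allow-only configuration.'
}

# Path rules live under <level id>\Paths\{GUID}, with the rule text in ItemData.
$rules = foreach ($id in $levels.Keys) {
    $pathsKey = Join-Path $base "$id\Paths"
    if (Test-Path $pathsKey) {
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $item = [string]$rule.GetValue('ItemData')
            [pscustomobject]@{
                Level  = $levels[$id]
                Path   = $item
                # Heuristic: an Unrestricted rule inside a location users can
                # write to lets them run whatever they place there.
                Review = ($id -eq 262144 -and $item -match '\\(Users|Temp|ProgramData)\\')
            }
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize
```

Run `gpupdate /force` on the client first so the registry reflects the current GPO; any rule with `Review` set to `True` deserves a second look before rollout.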