Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsWindows Server 2003Windows 2000Windows NTSmall Business ServerVirtual ServerExchange ServerIISHost Integration ServerISA ServerSMSWSUSMOMWindows Media ServerSecurityCertification
Related Topics
SQL ServerMS WindowsMS OfficePC HardwareMore Topics ...
Windows Server Forum / Windows 2000 / Security / August 2005

Tip: Looking for answers? Try searching our database.

Deny Software Installation to Students

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
B. Meincke - 27 May 2005 01:18 GMT
Could someone please help me find a way to deny members of a certain domain
group (students, in this case) from installing software on our domain's 2K/XP
clients? I understood that as limited users, this would not be possible, but
students still seem able to install such things as Winamp...etc. Ideally, I
would like to create a group policy on the server so that I don't have to
impliment changes over dozens of clients.

Thank you in advance for any insight in this manner.
Signature

BJM
ACE Assistant
Gary Allan High School

Reply to this Message
Steven L Umbach - 27 May 2005 01:48 GMT
You should consider the possibility that students may be local
administrators. You should check a couple of those computers to see. There
are easily available fee tools on the internet that allow any user who can
boot a computer from a floppy or cdrom to become local administrator by
resetting the password of the local administrator account to a password that
they know. Configuring cmos to not allow booting from anything other than
the system disk will help but you still would need to password protect the
cmos settings and make sure they can not open the computer case to reset the
cmos. Even after doing that there may be ways to discover the cmos password.

Having said that you can use Group Policy Restricted Groups to enforce local
administrator membership though be default that setting will be applied only
every 90 minutes though that period can be reduced  for computer
configuration. XP Pro will allow you to use Software Restriction Policies to
manage what software users can run and install and most XP Pro Group Policy
including Software Restriction Policies [computer configuration only I
believe though] can be managed in a Windows 2000 domain. Windows 2000 does
not include SRP. You need to rely on group membership, ntfs permissions, and
Group Policy Windows application settings available under user
configuration/administrative templates/ system to manage application use
though if a user can rename an application/executable they can bypass that
Group Policy settings. To start with add setup.exe, install.exe, and
msiexec.exe to the disallowed list. The links below should help get you
started.  --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://support.microsoft.com/?kbid=310791
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;203607
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1
56780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

> Could someone please help me find a way to deny members of a certain
> domain
[quoted text clipped - 8 lines]
>
> Thank you in advance for any insight in this manner.
Reply to this Message
B. Meincke - 27 May 2005 18:02 GMT
Thank you for your response Steven. I can assure you that our students are
not admitting themselves to the local admin group or resetting its password!

And I will take a look at your suggested links. Thank you again for your help.
Signature

BJM
ACE Assistant
Gary Allan High School

Reply to this Message
Steven L Umbach - 27 May 2005 18:50 GMT
Sounds good that you must have some discipline and rules. Many admins from
schools have posted similar questions to yours and basically described an
out of control network where students could do whatever they want. Let us
know if you have any more questions.  You should find Software Restriction
Policies very effective once you learn how to tweak them. If you run into
problems look in the system/application log for pertinent info and keep in
mind that desktop shortcuts are considered executable content as far as SRP
are concerned. --- Steve

> Thank you for your response Steven. I can assure you that our students are
> not admitting themselves to the local admin group or resetting its
> password!
>
> And I will take a look at your suggested links. Thank you again for your
> help.
Reply to this Message
Cezar - 14 Aug 2005 01:07 GMT
Use  Software Restriction Policy...for users or/and machines...
With SRP you control all software in your network....
but...do it carrefoully

Signature

Regards,
Cezar H.

> Could someone please help me find a way to deny members of a certain domain
> group (students, in this case) from installing software on our domain's 2K/XP
[quoted text clipped - 4 lines]
>
> Thank you in advance for any insight in this manner.
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.