Active Directory software restrictions


I run a network for a CPA firm and am trying to figure out how to limit software installations and use. Due to some local software we use, I have to give everyone local admin rights on their PCs. This seems to be the problem. When I created a test software restriction GP trying to stop IM use of Yahoo, it allows any user with local admin rights even when I set the policy at the domain level. I tried logging on as a user without local admin rights and the policy worked correctly. I am trying to use the GP policy that states "don't allow the following Windows programs to run" at the domain level GP. I have two; do I need to do it at that level? It seems local admin rights overrun the domain GP?


by Lameei In reply to Active Directory software ...

Hi Rob
I don't know exactly if you need the local admin or domain admin to run the local prog. But if you need the local admin, I think there is no chance.

by curlergirl In reply to Active Directory software ...

If you're setting the policy at the "Default Domain Policy" level, then you should not have to set any other group policies for individual OUs, UNLESS you have checked the "Block policy inheritance" box on the Group Policy tab of the properties of the OU. Probably what you are running into is a local admin rights issue. Because the users have local admin rights, they can install programs locally, and so blocking the use of IM software is going to be difficult. A couple of things you might look at:

1. Is there any way you can run your special app without local admin rights? For example, maybe you can find out what areas of the HKLM registry hive the users need to control and just give them rights for that area of the registry. Sometimes this works, and sometimes it doesn't, but I have had some success going this route in the past.

2. Look at the possibility of blocking IM ports and/or IP addresses through a router or proxy server rather than trying to block running the program at the local workstation level.

Hope this helps!

by CG IT In reply to Active Directory software ...

Group policy is applied local, site, domain, OU, in that order. Unless there is "No Override" or "Block Policy Inheritance", the OU GP will be applied and take precedence over local, site, domain OUs.

For GP software, it's a GP for users or computers.

by CG IT In reply to

That's provided that they are logging into the domain. Users who log on locally to the machine don't get site, domain, or OU GP. If users are logging in locally, then set the GP on the local machine.
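As an added example (not from any poster in this thread), the following PowerShell audit checks the two mechanisms discussed above on a workstation: the Explorer "Don't run specified Windows applications" list, which only restricts Explorer launches, and the Software Restriction Policy enforcement scope, which can be set to skip local administrators. It assumes a Windows machine with PowerShell 5 or later; the registry locations are the documented SRP and Explorer policy paths and are absent when no such policy has been applied.

```powershell
# Added audit example (not from the thread). Reports whether the local-admin
# gap described above is present on this machine. Assumes Windows PowerShell 5+.

function Test-LocalAdmin {
    # True when the current token carries the BUILTIN\Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SrpState {
    # Software Restriction Policy settings live under Safer\CodeIdentifiers.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        DefaultLevel  = $p.DefaultLevel   # 0x40000 = Unrestricted, 0 = Disallowed
        PolicyScope   = $p.PolicyScope    # 0 = all users, 1 = all users except local administrators
        ExemptsAdmins = ($p.PolicyScope -eq 1)
    }
}

function Get-DisallowRunList {
    # "Don't run specified Windows applications" is a per-user Explorer policy:
    # it only stops Explorer from starting the listed file names, so it is not
    # an enforcement boundary for anyone who can start programs another way.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$isAdmin = Test-LocalAdmin
$srp     = Get-SrpState
$list    = Get-DisallowRunList

"Current user is local administrator : $isAdmin"
"DisallowRun entries (Explorer only)  : $($list -join ', ')"
if ($srp) {
    "SRP default level                   : 0x{0:X}" -f $srp.DefaultLevel
    "SRP exempts local administrators    : $($srp.ExemptsAdmins)"
    if ($isAdmin -and $srp.ExemptsAdmins) {
        'Finding: SRP is set to skip administrators and this user is one; the rules do not apply to this session.'
    }
} else {
    'No Software Restriction Policy is applied to this machine.'
}
```

Run it as the affected user after a `gpupdate /force`; `gpresult /r` in the same session shows which GPOs were actually applied, which helps separate a processing-order problem from the admin exemption.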
