Stop Users installing software on clients but need admin rights

Hello

Can someone tell me what I need to do in GP to stop users being able to
install software on their desktop clients but give them local admin rights?

Thanks

Daren

--
Ashdown Digital Systems - www.ashdown.info
Proud to Serve

Assuming this is XP Pro as far as I know that's an Oxymoron.

You could Through Group Policy Not allow Downloads, Disabled CD Rom Disable
USB's Disable Run Line and a host of other devices.
but it wouldn't prevent them from installing a program.

Your best bet is to attack WHY they need to be Admin on the PC
Example Specific Program like QuickBooks

For Quickbooks without Admin Account I found this.
From http://www.quickbooksgroup.com/webx/forums/install/385
-----------------------------------

These changes will allow regular users to run and use QuickBooks 2006.
Updating will not work unless you are an administrator, but it will abort
relatively gracefully with a message along the lines of "Only administrators
are allowed to update QuickBooks." I'm not quite sure how I feel about this
development. I can't verify this yet, but it seems that this is not a matter
of file or registry permissions, or of windows installer policies, but
rather a direct check of group membership tokens. In which case we'll
probably just have to learn to live with it.

Here's the deal:

Registry permission changes
---------------------------

The Users group must be granted "Set Value" and "Create Subkey" on:

HKLM\Software\Classes\QuickBooks.CoLocator.1
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}
HKLM\Software\Classes\.qpg
HKLM\Software\Intuit

The Users group must be granted "Full Control" on:

HKLM\Software\Intuit\QuickBooks

File permission changes
-----------------------

The Users group must be granted "Modify" (write + delete) permissions on:
C:\Program Files\Intuit\QuickBooks

As for updates, unless I or someone else can come up with a new workaround,
I see no reason to leave the "Allow users to patch priveleged software"
policy enabled in group policy anymore. It's an unecessary security risk if
you aren't using it.

Along the same lines, I can't think of a good reason to leave automatic
updates enabled for QuickBooks unless the computer is only used by
administrators. For that matter, you probably might as well move or delete
the link to "QuickBooks Update Agent" (qbupdate.exe) in the All Users'
profile startup menu. It won't do regular users any good since all it can do
is annoy them about updates that they can't install. It also floods my proxy
server log files, but that might just be a personal annoyance ;)

As always, use this at your own risk. It has not been thoroughly tested with
2006 yet, but I have not encountered any problems with it after about 6
months in 2005. It is not sanctioned or supported by Intuit (*ahem* anyone
out there listening?).

If anything weird happens after trying this:
a) Don't blame me, I warned you. :P
b) Post what happened and what feature you were using or trying to access
when it happened. It's probably fixable, and I have a vested interested in
making this thing work bug-free since I use it on my own network.

Edit again: Almost forgot - if you're running an x64 edition of Windows XP
or Server 2003, some of these files and registry paths are slightly off. For
example, Quickbooks is probably installed in C:\Program Files (x86)\...
instead of C:\Program Files\. In the registry, you'll probably have to look
under HKLM\Software\Wow6432Node instead of HKLM\Software\, and
HKLM\Software\Classes\Wow6432Node instead of HKLM\Software\Classes.
HKLM\Software\Classes is synonymous with HKCR. If you're administering x64
versions of Windows, you've probably already figured that out, but hey -
never hurts to mention it.
-----------------------
Russ

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz


"Daren" <Daren@discussions.microsoft.com> wrote in message
news:D6F80872-A53D-4C68-AD7D-A9C494A85190@microsoft.com...
> Hello
>
> Can someone tell me what I need to do in GP to stop users being able to
> install software on their desktop clients but give them local admin
> rights?
>
> Thanks
>
> Daren
>
> --
> Ashdown Digital Systems - www.ashdown.info
> Proud to Serve

Daren wrote:
> Hello
>
> Can someone tell me what I need to do in GP to stop users being able
> to install software on their desktop clients but give them local
> admin rights?
>
> Thanks
>
> Daren

There is no such thing as a limited administrator.

Microsoft even has a Tool for locking down a pc for limited Administrator
use.


Microsoft Shared Computer Toolkit for Windows XP

http://www.microsoft.com/windowsxp/s...s/default.mspx

However I do not believe it would work in a Domain Enviroment..
And Would only Recommend it in a Peer 2 Peer inviroment.

You'd have to do a lot of testing

Russ

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz


"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.aty ahoo.com> wrote in message
news:esKiVeXlHHA.3928@TK2MSFTNGP02.phx.gbl...
> Daren wrote:
>> Hello
>>
>> Can someone tell me what I need to do in GP to stop users being able
>> to install software on their desktop clients but give them local
>> admin rights?
>>
>> Thanks
>>
>> Daren
>
> There is no such thing as a limited administrator.
>

Russ Grover (SBITS.Biz) wrote:
> Microsoft even has a Tool for locking down a pc for limited
> Administrator use.
>
>
> Microsoft Shared Computer Toolkit for Windows XP
>
> http://www.microsoft.com/windowsxp/s...s/default.mspx
>
> However I do not believe it would work in a Domain Enviroment..

Nope.

> And Would only Recommend it in a Peer 2 Peer inviroment.
>
> You'd have to do a lot of testing
>
> Russ

The short (& best) answer is, don't make users administrators at all (or
Power Users).
>
>
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmail.aty ahoo.com> wrote in
> message news:esKiVeXlHHA.3928@TK2MSFTNGP02.phx.gbl...
>> Daren wrote:
>>> Hello
>>>
>>> Can someone tell me what I need to do in GP to stop users being able
>>> to install software on their desktop clients but give them local
>>> admin rights?
>>>
>>> Thanks
>>>
>>> Daren
>>
>> There is no such thing as a limited administrator.

Well ya that's for sure... ;)

I just wish he'd reply on WHY they need to be administrators?

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz


"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.aty ahoo.com> wrote in message
news:uti%23qO8lHHA.4568@TK2MSFTNGP02.phx.gbl...
> Russ Grover (SBITS.Biz) wrote:
>> Microsoft even has a Tool for locking down a pc for limited
>> Administrator use.
>>
>>
>> Microsoft Shared Computer Toolkit for Windows XP
>>
>> http://www.microsoft.com/windowsxp/s...s/default.mspx
>>
>> However I do not believe it would work in a Domain Enviroment..
>
> Nope.
>
>> And Would only Recommend it in a Peer 2 Peer inviroment.
>>
>> You'd have to do a lot of testing
>>
>> Russ
>
> The short (& best) answer is, don't make users administrators at all (or
> Power Users).
>>
>>
>> "Lanwench [MVP - Exchange]"
>> <lanwench@heybuddy.donotsendme.unsolicitedmail.aty ahoo.com> wrote in
>> message news:esKiVeXlHHA.3928@TK2MSFTNGP02.phx.gbl...
>>> Daren wrote:
>>>> Hello
>>>>
>>>> Can someone tell me what I need to do in GP to stop users being able
>>>> to install software on their desktop clients but give them local
>>>> admin rights?
>>>>
>>>> Thanks
>>>>
>>>> Daren
>>>
>>> There is no such thing as a limited administrator.
>
>
>