Hi,
You can prevent domain users from adding computers to domain by editing
"Default Domain Controller" policy.
Under Computer Configuration -> Windows Settings -> Security Settings ->
Local Policies -> User Rights Assignment. Here look for policy named "Add
workstation to domain". Double click on the policy and replace the default
group (I believe "Authenticated Users" group is used by default) with
another group that will only hold users that should have permission to add
computers to domain.
Miha
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Liu, David
Sent: Wednesday, February 28, 2007 3:21 AM
To: Devin Ganger
Cc: focus-ms@securityfocus.com
Subject: RE: Prevent users/admin from installing softwares.
So here's an interesting one based on the last comment:
By default all users in AD shd be able to join up to 10 machines without any
special privileges. How do you stop users from unjoin/rejoin machines, even
in an environment where explicit delegated rights have been given to only a
specific group of people to add/delete/move machine accts?
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Devin Ganger
Sent: Friday, February 23, 2007 5:26 PM
To: Gregory N Pendergast/AC/VCU; Rocky
Cc: focus-ms@securityfocus.com
Subject: RE: Prevent users/admin from installing softwares.
Let's not forget how easy it is to circumvent the application of Group
Policy:
1) Unjoin the computer from the domain, reboot, install your software,
rejoin.
2) Reboot the computer and remove the network tap so GPOs aren't pulled
down. Install your software. Put the network tap back in.
--
Devin L. Ganger, Exchange MVP Email: deving@3sharp.com
3Sharp LLC Phone: 425.882.1032
14700 NE 95th Suite 210 Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Gregory N Pendergast/AC/VCU
Sent: Thursday, February 22, 2007 1:53 PM
To: Rocky
Cc: focus-ms@securityfocus.com
Subject: Re: Prevent users/admin from installing softwares.
To my knowledge, there's no built-in way to directly prevent the
administrator from installing software. However, you can use Software
Restriction Policies (Group Policy Editor > Computer Configuration > Windows
Settings > Security > Software Restriction Policies) to limit software
execution so that software only runs from a set of predefined paths. By
limiting the paths from which software can execute, you may be able to
severely-limit an Administrator's ability to install software.
However, there are obvious problems with this:
1) If you're setting this in Local Group Policy (as opposed to
Domain-level), the Local Administrator can easily remove the Software
Restriction Policies
2) The obvious "hack" is to copy your installation file to a path where
software is permitted to execute, then to install said software to a
permitted location. Whether this is an acceptable risk depends on the
cleverness of your administrators and the sensitivity of your systems.
Beyond this, I don't personally know of a solution that doesn't involve 3rd
party software.
Good luck,
Greg Pendergast
-----listbounce@securityfocus.com wrote: -----
To: focus-ms@securityfocus.com
From: Rocky <pixscreenpoint@gmail.com>
Sent by: listbounce@securityfocus.com
Date: 02/22/2007 07:51AM
Subject: Prevent users/admin from installing softwares.
Hey Guys,
Is there a way to restrict everyone including adminisrator rights from
installing softwares in xp pro? It should be done on registry or gpedit?
we don't want to use 3rd party softwares like winguard.
Thanks a lot!
smime.p7s
Description: S/MIME cryptographic signature
