
Thread: RE: Prevent users/admin from installing softwares.




RE: Prevent users/admin from installing softwares.
user name
2007-02-28 23:53:24
You set the ms-DS-MachineAccountQuota attribute to zero. Users in the
Administrators or Domain Administrators groups, and those users who have
delegated permissions on containers in Active Directory to create and
delete computer accounts, are not restricted by this limitation so the
users you delegated will be fine. Did it here years ago and never looked
back.

http://support.microsoft.com/kb/243327

http://msdn2.microsoft.com/en-US/library/ms678639.aspx




-----Original Message-----
From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com]
On Behalf Of Liu, David
Sent: Tuesday, February 27, 2007 6:21 PM
To: Devin Ganger
Cc: focus-mssecurityfocus.com
Subject: RE: Prevent users/admin from installing softwares.

So here's an interesting one based on the last comment:

By default all users in AD should be able to join up to 10 machines
without any special privileges. How do you stop users from
unjoining/rejoining machines, even in an environment where explicit
delegated rights have been given to only a specific group of people to
add/delete/move machine accts?


-----Original Message-----
From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com]
On Behalf Of Devin Ganger
Sent: Friday, February 23, 2007 5:26 PM
To: Gregory N Pendergast/AC/VCU; Rocky
Cc: focus-mssecurityfocus.com
Subject: RE: Prevent users/admin from installing softwares.

Let's not forget how easy it is to circumvent the application of Group
Policy:

1) Unjoin the computer from the domain, reboot, install your software,
   rejoin.
2) Reboot the computer and remove the network tap so GPOs aren't pulled
   down. Install your software. Put the network tap back in.

--
Devin L. Ganger, Exchange MVP      Email: deving3sharp.com
3Sharp LLC                         Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com]
On Behalf Of Gregory N Pendergast/AC/VCU
Sent: Thursday, February 22, 2007 1:53 PM
To: Rocky
Cc: focus-mssecurityfocus.com
Subject: Re: Prevent users/admin from installing softwares.


To my knowledge, there's no built-in way to directly prevent the
administrator from installing software. However, you can use Software
Restriction Policies (Group Policy Editor > Computer Configuration >
Windows Settings > Security > Software Restriction Policies) to limit
software execution so that software only runs from a set of predefined
paths. By limiting the paths from which software can execute, you may
be able to severely limit an Administrator's ability to install
software.
However, there are obvious problems with this:

1) If you're setting this in Local Group Policy (as opposed to
   Domain-level), the Local Administrator can easily remove the
   Software Restriction Policies.
2) The obvious "hack" is to copy your installation file to a path where
   software is permitted to execute, then to install said software to a
   permitted location. Whether this is an acceptable risk depends on the
   cleverness of your administrators and the sensitivity of your
   systems.

Beyond this, I don't personally know of a solution that doesn't involve
3rd party software.

Good luck,
Greg Pendergast

-----listbouncesecurityfocus.com wrote: -----


To: focus-mssecurityfocus.com
From: Rocky <pixscreenpointgmail.com>
Sent by: listbouncesecurityfocus.com
Date: 02/22/2007 07:51AM
Subject: Prevent users/admin from installing softwares.

Hey Guys,

Is there a way to restrict everyone including administrator rights from
installing softwares in XP Pro? It should be done on registry or gpedit?

We don't want to use 3rd party softwares like winguard.

Thanks a lot!
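
The ms-DS-MachineAccountQuota change suggested in the first reply of this thread, sketched as an added example that is not part of any poster's message: it reads the current quota, lists computer accounts that ordinary users created under it, and previews setting it to zero. It assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to modify the domain object.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) is installed
# and the caller may modify the domain head object.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Read the current quota from the domain object.
$quota = (Get-ADObject -Identity $domainDn `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota"

# 2. Computer accounts created under the quota carry the creator's SID in
#    mS-DS-CreatorSID. Listing them shows who has been joining machines
#    before the quota is closed off.
$joined = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator no longer resolves; keep the raw SID
        [pscustomobject]@{
            Computer = $_.Name
            Creator  = $who
            Created  = $_.whenCreated
        }
    }
$joined | Sort-Object Creator, Created | Format-Table -AutoSize

# 3. Preview the change. Remove -WhatIf to apply it.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domainDn `
        -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}
```

Accounts with delegated create/delete rights on the computer containers keep working after the change, as the reply notes.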

