[JoanieG]

Hi everyone. I have a small business and am replacing the laptops used by my sales team and had read that Group Policy could be used to restrict them from installing software (As I have had a big problem with this in the past). I really don't want to screw this up either so I have some concerns about that too.

For example, will they be able to install updates to existing software that is installed when I give them the laptop? How about Windows Updates and such? Norton AntiVirus definitions?

Would this be able to be setup so that software installs cannot create a new path in Program Files or something, so that installs to existing paths would be ok? Someone had mentioned this but I havn't found a walk through or anything as to how to do this and am not 100% that this would work either.

I'm really open to ideas and suggestion. I can't use Standard accounts, as some of our software requires an Administrative account for some reason.

Thanks again for your help.

[cluberti]

One way to restrict software is to not allow them to be administrators on the machine. Without admin rights, most software packages will fail to install (without admin approval via the UAC dialog or installation via group policy or SCCM or some other software installation method) as the user really only has write access to most folders in their profile and most locations in their HKCU registry hive. Another is to use the Applocker feature of group or local policy to lock down which applications, scripts, etc. are allowed to be run by specific users or groups. There's a more in-depth overview of it here, as well as a checklist in-depth walkthrough of it here.

[JoanieG]

Thank you very much for your response and help. I looked at App Locker and that sounds really great, but it says that it is only in Windows 7 Enterprise and Windows 7 Ultimate and I have Windows 7 Professional, which should have all business features in my opinion. I checked myself and couldn't find it in Windows 7...

I have to have the users be Administrators to allow some of the software to run as well, and they would still be able to install software. I really don't want them to be able to install their own things, like Yahoo Messenger, or photo management software, or other personal things like that. It's really a shame about App Locker, it seems like it would be really perfect.

[Tripredacus]

JoanieG, on 20 July 2010 - 07:21 PM, said:

Thank you very much for your response and help. I looked at App Locker and that sounds really great, but it says that it is only in Windows 7 Enterprise and Windows 7 Ultimate and I have Windows 7 Professional, which should have all business features in my opinion. I checked myself and couldn't find it in Windows 7...

Are you sure? I have Windows 7 Pro and can see AppLocker. Here is how to get to it:
1. Control Panel
2. Administrative Tools
3. Local Security Policy
4. Application Control Policies

[JoanieG]

Tripredacus, on 21 July 2010 - 08:18 AM, said:

JoanieG, on 20 July 2010 - 07:21 PM, said:

Thank you very much for your response and help. I looked at App Locker and that sounds really great, but it says that it is only in Windows 7 Enterprise and Windows 7 Ultimate and I have Windows 7 Professional, which should have all business features in my opinion. I checked myself and couldn't find it in Windows 7...

Are you sure? I have Windows 7 Pro and can see AppLocker. Here is how to get to it:
1. Control Panel
2. Administrative Tools
3. Local Security Policy
4. Application Control Policies

Thank you very much. I did find it by using your instructions but when I click on "Which editions of Windows support AppLocker" it says:

"AppLocker is available in all editions of Windows Server 2008 R2 and in Windows 7 Ultimate and Windows 7 Enterprise. Windows 7 Professional can be used to create AppLocker rules. However, AppLocker rules cannot be enforced on computers running Windows 7 Professional. Organizations should use AppLocker for all computers that support it."

So it doesn't look like that is an option here. Which I find a little ridiculous to be honest since I am using the Professional version of the OS...

I don't understand why this has to be as hard as it is. In business it should be much easier to lock down employee computers... Am I wrong in thinking that? lol

Thanks Again.
Joanie G.

[cluberti]

JoanieG, on 22 July 2010 - 08:25 PM, said:

I don't understand why this has to be as hard as it is. In business it should be much easier to lock down employee computers... Am I wrong in thinking that? lol

It never is - it's really the holy grail of enterprise computing, and it's very difficult to do effectively. Also, while the edition is termed professional, it's meant for home office/small businesses who don't have volume licensing, and who would be less likely to be locking down Windows that way. Applocker+Group Policy is considered an enterprise feature, which comes with the Enterprise version of the OS meant for medium to large enterprises (and Ultimate, of course). It stinks, but that's how the editions are hashed out.

[JoanieG]

cluberti, on 22 July 2010 - 08:47 PM, said:

JoanieG, on 22 July 2010 - 08:25 PM, said:

I don't understand why this has to be as hard as it is. In business it should be much easier to lock down employee computers... Am I wrong in thinking that? lol

It never is - it's really the holy grail of enterprise computing, and it's very difficult to do effectively. Also, while the edition is termed professional, it's meant for home office/small businesses who don't have volume licensing, and who would be less likely to be locking down Windows that way. Applocker+Group Policy is considered an enterprise feature, which comes with the Enterprise version of the OS meant for medium to large enterprises (and Ultimate, of course). It stinks, but that's how the editions are hashed out.

I see. That's really very confusing that they would call it that then. So, how can I do this then? Is it still possible? I have Group Policy but I don't know if that works in Professional or if that doesn't work either. Is there another way to do this? I'm sorry that my question is so complex.

Thanks Again,
Joanie G

[cluberti]

Group policy works, but you won't be using applocker. You'll be limited to what UAC/LUA affords running as a non-admin user. The user will be able to install user-installable apps (like google chrome, or firefox), unless you use something 3rd party to restrict installations (or resort to software restriction policies in group policy, which is a heck of a lot more complicated... but easier to circumvent by smarter users... go figure).

[JoanieG]

cluberti, on 23 July 2010 - 08:37 PM, said:

Group policy works, but you won't be using applocker. You'll be limited to what UAC/LUA affords running as a non-admin user. The user will be able to install user-installable apps (like google chrome, or firefox), unless you use something 3rd party to restrict installations (or resort to software restriction policies in group policy, which is a heck of a lot more complicated... but easier to circumvent by smarter users... go figure).

Oh I see. Well, I really do appreciate all of the help and everything with this. Do you happen to know of a tutorial or something that would show me how to set up software restriction policies in group policy? Can this be setup with the current directories in Program Files being approved directories too so that they can't install things that would create a new directory? If I need to install a new program in the future, can I disable this then install the software and reenable it?

Thanks again for all of your help. I'm sorry that I don't have App Locker and that I keep asking questions. I'm sure you're getting tired of hearing from me. I really do appreciate all of the help though.

Thank you again,
Joanie G.

[Tripredacus]

JoanieG, on 27 July 2010 - 01:06 AM, said:

Thanks again for all of your help. I'm sorry that I don't have App Locker and that I keep asking questions. I'm sure you're getting tired of hearing from me. I really do appreciate all of the help though.

Its not a problem. At least now you know about it and when you have the opportunity to use it in the future, you will have a head start.

[mdonovin]

Tripredacus, on 27 July 2010 - 07:30 AM, said:

JoanieG, on 27 July 2010 - 01:06 AM, said:

Thanks again for all of your help. I'm sorry that I don't have App Locker and that I keep asking questions. I'm sure you're getting tired of hearing from me. I really do appreciate all of the help though.

Its not a problem. At least now you know about it and when you have the opportunity to use it in the future, you will have a head start.

Hi,

I am having the same issue as this thread describes so I figured I'd reopen it or whatever since it's the same issue. But does anyone know of a tutorial or walkthrough for restricting people from installing software just using Group Policy and not AppLocker? What would the ramifications of this be? I'm assuming things like Windows Update, or software updates would still work as the software was already previously installed?

This thread actually made me think about that, and that would be kind of bad.

Thanks

[cluberti]

When in doubt, look it up on Technet.