You set the ms-DS-MachineAccountQuota attribute to zero. Users in the Administrators or Domain Administrators groups, and those users who have delegated permissions on containers in Active Directory to create and delete computer accounts, are not restricted by this limitation, so the users you delegated will be fine. Did it here years ago and never looked back.

http://support.microsoft.com/kb/243327
http://msdn2.microsoft.com/en-US/library/ms678639.aspx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Liu, David
Sent: Tuesday, February 27, 2007 6:21 PM
To: Devin Ganger
Cc: [email protected]
Subject: RE: Prevent users/admin from installing softwares.

So here's an interesting one based on the last comment:

By default all users in AD should be able to join up to 10 machines without any special privileges. How do you stop users from unjoining/rejoining machines, even in an environment where explicit delegated rights have been given to only a specific group of people to add/delete/move machine accounts?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devin Ganger
Sent: Friday, February 23, 2007 5:26 PM
To: Gregory N Pendergast/AC/VCU; Rocky
Cc: [email protected]
Subject: RE: Prevent users/admin from installing softwares.

Let's not forget how easy it is to circumvent the application of Group Policy:

1) Unjoin the computer from the domain, reboot, install your software, rejoin.

2) Reboot the computer and remove the network tap so GPOs aren't pulled down. Install your software. Put the network tap back in.

--
Devin L. Ganger, Exchange MVP    Email: [EMAIL PROTECTED]
3Sharp LLC                       Phone: 425.882.1032
14700 NE 95th Suite 210          Cell: 425.239.2575
Redmond, WA 98052                Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory N Pendergast/AC/VCU
Sent: Thursday, February 22, 2007 1:53 PM
To: Rocky
Cc: [email protected]
Subject: Re: Prevent users/admin from installing softwares.

To my knowledge, there's no built-in way to directly prevent the administrator from installing software.

However, you can use Software Restriction Policies (Group Policy Editor > Computer Configuration > Windows Settings > Security > Software Restriction Policies) to limit software execution so that software only runs from a set of predefined paths. By limiting the paths from which software can execute, you may be able to severely limit an Administrator's ability to install software. However, there are obvious problems with this:

1) If you're setting this in Local Group Policy (as opposed to Domain-level), the Local Administrator can easily remove the Software Restriction Policies.

2) The obvious "hack" is to copy your installation file to a path where software is permitted to execute, then to install said software to a permitted location.

Whether this is an acceptable risk depends on the cleverness of your administrators and the sensitivity of your systems. Beyond this, I don't personally know of a solution that doesn't involve 3rd party software.

Good luck,
Greg Pendergast

[EMAIL PROTECTED] wrote: -----
To: [email protected]
From: Rocky <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 02/22/2007 07:51AM
Subject: Prevent users/admin from installing softwares.

Hey Guys,

Is there a way to restrict everyone, including those with administrator rights, from installing software in XP Pro? Should it be done in the registry or gpedit? We don't want to use 3rd party software like winguard.

Thanks a lot!
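
The change described in the first reply of this thread (setting ms-DS-MachineAccountQuota to zero), written out as an added PowerShell example that is not part of any message above. It assumes the ActiveDirectory (RSAT) module and rights to modify the domain object; the inventory of ms-DS-CreatorSID is an extra audit step added here to show which computer accounts were already created under the quota.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Read the current quota from the domain head object (the default is 10).
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "Current ms-DS-MachineAccountQuota on ${domainDn}: $quota"

# 2. Inventory computer accounts that were created under the quota.
#    The DC records the creating user's SID in ms-DS-CreatorSID for those accounts.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        # Some providers hand back raw bytes instead of a SecurityIdentifier.
        if ($sid -is [byte[]]) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
        }
        try {
            $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $creator = $sid.Value   # creator account deleted or not resolvable
        }
        [pscustomobject]@{
            Computer = $_.Name
            Creator  = $creator
            Created  = $_.whenCreated
        }
    }

$joined | Sort-Object Creator, Created | Format-Table -AutoSize
Write-Output ("{0} computer account(s) were created by users under the quota." -f @($joined).Count)

# 3. Set the quota to zero so only admins and explicitly delegated users can
#    create computer accounts. Remove -WhatIf to apply the change.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}
```

Run the script once before the change to review the inventory, then again after removing -WhatIf to confirm the attribute reads 0.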
