A scenario. You have two groups of employees, identified in AD as Agents and Engineers. Can I set up controls so that:

- Agents cannot install software
- Engineers CAN install software

Thank you in advance,
Jame
You can use AppLocker policies to allow users to run, or prevent users from running, typical Windows Installer files, based on group membership. However, catching .exe files takes a significant amount of planning and auditing, and long-term maintenance as you will need to set AppLocker to only allow selected .exe files to run.
You can prevent users from installing software on a system-wide level by not granting administrative rights on the client computer. The proper way to grant some users the ability to make administrative changes on client computers is to create a dedicated administrative account for them, and then control access via that account. Granting regular user accounts administrative rights is a security risk, and should be avoided; likewise you should not be granting these accounts Domain Admin rights, just because it's easiest.
The easiest way to accomplish that is by creating a group for the Engineers' administrative accounts, then creating a GPO to add the Admin Engineers group to the local Administrators group on the client computers.
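One way to verify the result on a client computer once the GPO has applied, as an added example that is not part of the original answer: it lists the members of the local Administrators group and flags any regular domain user that was added directly. The domain name CONTOSO, the approved list, and the built-in account name "Administrator" are assumptions; "Admin Engineers" is the group named in the answer.

```powershell
# Added example, not from the original answer.
# Assumed names: domain CONTOSO; built-in account still called "Administrator".
# Run from an elevated PowerShell prompt on a client computer after gpupdate.
$expectedGroup = 'CONTOSO\Admin Engineers'   # group the GPO is meant to add
$approved = @(
    $expectedGroup,
    'CONTOSO\Domain Admins',
    "$env:COMPUTERNAME\Administrator"
)

# S-1-5-32-544 is the well-known SID of the built-in Administrators group;
# using the SID also works on non-English Windows installations.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    $finding = if ($approved -contains $m.Name) {
        'OK'
    } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        # A regular domain account with local admin rights: the risk the
        # answer warns about. Use a dedicated admin account instead.
        'Domain user added directly: move to a dedicated admin account'
    } else {
        'Not on the approved list: review'
    }
    [pscustomobject]@{
        Member  = $m.Name
        Class   = $m.ObjectClass
        Source  = $m.PrincipalSource
        Finding = $finding
    }
}

$report | Format-Table -AutoSize

# If the group is missing, the GPO is not reaching this computer.
if ($members.Name -notcontains $expectedGroup) {
    Write-Warning "$expectedGroup is not in local Administrators. Check GPO scope with: gpresult /r /scope computer"
}
```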