I need to block my domain users from installing unauthorized software to their profiles such as Google Chrome, Google Talk, etc... As the application installs to their profile I am having trouble finding a good way of preventing them from installing it. I have searched around and haven't found any elegant solutions yet. Thanks!

Rob Moir
Garrett Dumas
  • Google Talk I understand. Google Chrome... that's just mean. – Joel Coel Sep 11 '13 at 19:10
  • @JoelCoel I use chrome on a regular basis. On managed single-purpose machines however, it's a no no, introduces too many incompatibilities that result in service calls. – MDMoore313 Sep 11 '13 at 19:31
  • @MDMoore313 I think your "whole portable apps fiasco" thing should be a new question, so I've rolled back your edit. This was a specific question and it had a specific answer that met its needs. – Rob Moir Sep 12 '13 at 08:19

1 Answer

Very easy!

Enable "Software Restriction Policy" in Group Policy - make sure you customize as needed if you have binaries in non-standard locations (Program Files, Windows dir, etc. are automatically included).

Edit: For clarity to future readers, one point brought up in comments is that you should run Software Execution Policy in a whitelist mode. This means blocking every single executable file, except those you allow. A reminder here is to include important directories that normal users can't write to (Program Files, Windows directory etc).

pauska
  • +1. The OP should make sure to use whitelisting rather than blacklisting. – Harry Johnston Aug 06 '12 at 21:23
  • This doesn't actually *work*, it doesn't block the install, only the *execution* of chrome.exe. Thus, a user will install chrome but when they go to run it, they will get an SRP error message. Which is then bad for the helpdesk b/c chrome likes to become the default browser and point all internet shortcuts on the machine to it. Chrome is the new bane of my existence, yet I use it on a daily basis. – MDMoore313 Sep 11 '13 at 18:01
  • @MDMoore313, You can add chromesetup.exe to the blacklist to block the install. Works unless you have unusually savvy users. Also if on Windows 7 you can look into doing a whitelist which would give you even more control over your environment. – NPS Sep 11 '13 at 18:59
  • @MDMoore313 Please don't edit the OP unless you're sure that the suggested solution doesn't work. Software Execution Policy still works like intended, as long as you run it as a whitelist instead of blocking certain executables. It's really the only way to do this, unless you have thousands of executables you want to unblock in weird paths. This is exactly why I said that you should whitelist Program Files, Windows directory etc. – pauska Sep 12 '13 at 07:58
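
A read-only check that a client actually received the Software Restriction Policy in whitelist mode, as discussed in the answer and comments above. This is an added example, not code from the original posts. It assumes SRP is applied as a computer policy (settings under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`); the function name `Get-SrpSummary` and the user-writable path heuristic are illustrative.

```powershell
# Added example (not from the original post): read-only audit of the local SRP state.
# Assumes SRP is applied as a computer policy (HKLM); user policies live under HKCU.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpSummary {   # hypothetical helper name
    if (-not (Test-Path $SrpKey)) {
        return [pscustomobject]@{ Mode = 'SRP not configured'; AdminsExempt = $null; Rules = @() }
    }
    $cfg = Get-ItemProperty -Path $SrpKey

    # DefaultLevel 0 = Disallowed (whitelist), 0x40000 = Unrestricted (blacklist)
    $level = $cfg.DefaultLevel
    if     ($null -eq $level)   { $mode = 'DefaultLevel not set' }
    elseif ($level -eq 0)       { $mode = 'Whitelist (default: Disallowed)' }
    elseif ($level -eq 0x40000) { $mode = 'Blacklist (default: Unrestricted)' }
    else                        { $mode = "Other (DefaultLevel=$level)" }

    # Path rules are stored per security level: 0 = Disallowed, 262144 = Unrestricted
    $names = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
    $rules = foreach ($id in $names.Keys) {
        $pathsKey = "$SrpKey\$id\Paths"
        if (Test-Path $pathsKey) {
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                # Read ItemData without expanding %VARIABLES% so the rule shows as written
                $path = $rule.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
                # Heuristic: an Unrestricted rule under a profile or temp path defeats the whitelist
                $risky = ($names[$id] -eq 'Unrestricted') -and
                         ($path -match 'USERPROFILE|APPDATA|TEMP|\\Users\\')
                [pscustomobject]@{ Level = $names[$id]; Path = $path; UserWritable = $risky }
            }
        }
    }

    [pscustomobject]@{
        Mode         = $mode
        AdminsExempt = ($cfg.PolicyScope -eq 1)   # 1 = all users except local administrators
        Rules        = @($rules)
    }
}

$summary = Get-SrpSummary
$summary | Select-Object Mode, AdminsExempt | Format-List
$summary.Rules | Sort-Object Level, Path | Format-Table -AutoSize
```

A `Mode` of "Blacklist" or any rule with `UserWritable` set to True means per-user installs under the profile can still run on that machine.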