Pre Question statement: Most, if not every single one, of the users at all of my clients are local admins on their computers.
I want to see if I can limit the ability of the end users to install software. I know this can be done a myriad of ways, the easiest and most common is to dump all of the users out of the “Local Admin” group on their computers and put them in a power user type role.
But, say we don’t do that.. Say we want to keep those users as local admins… My job gets a little tougher.
I know I can restrict software installation via GPO using things like AppLocker and editing the security levels in Software Restriction Policies.
I’ve never done that before so I’m not 100% sure it’s going to work as I am planning. Some of the questions I have…
1) If I use Software Restriction Policies, should I use Computer or User based policies?
2) Is AppLocker worth setting up? I’ve never used it.
3) Should I create an OU specific GPO for software restrictions or use the default domain policy, I’m still a little hazy as to whether or not OU overrides default domain…
Again, and as always, any help or guidance would be greatly appreciated!