Pre Question statement: Most, if not every single one, of the users at all of my clients are local admins on their computers.
I want to see if I can limit the ability of the end users to install software. I know this can be done a myriad of ways, the easiest and most common is to dump all of the users out of the “Local Admin” group on their computers and put them in a power user type role.
But, say we don’t do that.. Say we want to keep those users as local admins… My job gets a little tougher.
I know I can restrict software installation via GPO using things like AppLocker and editing the security levels in Software Restriction Policies.
I’ve never done that before so I’m not 100% sure it’s going to work as I am planning. Some of the questions I have…
1) If I use Software Restriction Policies, should I use Computer or User based policies?
2) Is AppLocker worth setting up? I’ve never used it.
3) Should I create an OU specific GPO for software restrictions or use the default domain policy, I’m still a little hazy as to whether or not OU overrides default domain…
Again, and as always, any help or guidance would be greatly appreciated!
You must be logged in to reply to this topic.
Create a free account today to participate in forum conversations, comment on posts and more.