question

AnupGhonge-7146 avatar image
0 Votes"
AnupGhonge-7146 asked VickyWang-MFST answered

Restrict Installation

We have request if we can block the software installs on the member servers.


Currently all the multiple team are part of the local admin group on the member servers and being a local admin they get all rights on the server. We want even being a local admin on the server they should be prevented from running a windows installer from their ad account

We have gone through a GPO settings to Prevent MSI Installation on Servers, But it only block MSI, the installer with exe are allowed and all users who are part of Local admin are blocked including the LAPS account or Local account


If we can use the Power User local Group on server, will it prevent the installation on member server
If we can use Restrict ADD /REmove GPO on server, will it prevent installation on member server

windows-serverwindows-server-2016windows-server-security
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Crypt32 avatar image
0 Votes"
Crypt32 answered Crypt32 commented

Currently all the multiple team are part of the local admin group on the member servers and being a local admin they get all rights on the server. We want even being a local admin on the server they should be prevented from running a windows installer from their ad account

you can't. Local admins always can violate restrictions and run whatever they want.

If we can use the Power User local Group on server, will it prevent the installation on member server

power users are easily escalated to local admins, see: The Power in Power Users.

there is no bulletproof solution to prevent admins from installing unwanted software. Either, you trust them or not. If the later, then you should not grant them admin permissions.


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.


@Crypt32 Thanks for the reply
Instead of adding them to Local Administrator, If we add the user to Power User, will that help

0 Votes 0 ·

Power Users are easily escalated to local admins, so no, this won't help.

0 Votes 0 ·
VickyWang-MFST avatar image
0 Votes"
VickyWang-MFST answered

Hi,

Thank you for posting in our forum.

As Crypt32 said There is no bulletproof solution to prevent admins from installing unwanted software.

Hope this information can help you

Best wishes

Vicky

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

VickyWang-MFST avatar image
0 Votes"
VickyWang-MFST answered

Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
Best Regards,
Vicky

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.