Hi,
You are welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
Best Regards,
Vicky
Restrict Installation
We have a request: can we block software installs on the member servers?
Currently, multiple teams are all part of the local admin group on the member servers, and being local admins they get all rights on the server. We want them, even as local admins on the server, to be prevented from running a Windows installer from their AD account.
We have gone through a GPO setting to prevent MSI installation on servers, but it only blocks MSI; installers with .exe are allowed, and all users who are part of local admin are blocked, including the LAPS account or local account.
If we use the Power Users local group on the server, will it prevent installation on the member server?
If we use the Restrict Add/Remove GPO on the server, will it prevent installation on the member server?
3 answers
-
Vicky Wang 2,646 Reputation points
2021-05-31T07:59:10.503+00:00 -
Vicky Wang 2,646 Reputation points
2021-05-24T09:50:27.533+00:00
Hi,
Thank you for posting in our forum.
As Crypt32 said, there is no bulletproof solution to prevent admins from installing unwanted software.
Hope this information can help you.
Best wishes,
Vicky
-
Vadims Podāns 9,111 Reputation points MVP
2021-05-23T11:34:23.74+00:00
"Currently, multiple teams are all part of the local admin group on the member servers, and being local admins they get all rights on the server. We want them, even as local admins on the server, to be prevented from running a Windows installer from their AD account."
You can't. Local admins can always violate restrictions and run whatever they want.
"If we use the Power Users local group on the server, will it prevent installation on the member server?"
Power users are easily escalated to local admins; see: The Power in Power Users.
There is no bulletproof solution to prevent admins from installing unwanted software. Either you trust them or not. If the latter, then you should not grant them admin permissions.