Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
Best Regards,
Vicky
Restrict Installation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 70%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Anup Ghonge
21
Reputation points
We have request if we can block the software installs on the member servers.
Currently all the multiple team are part of the local admin group on the member servers and being a local admin they get all rights on the server. We want even being a local admin on the server they should be prevented from running a windows installer from their ad account
We have gone through a GPO settings to Prevent MSI Installation on Servers, But it only block MSI, the installer with exe are allowed and all users who are part of Local admin are blocked including the LAPS account or Local account
If we can use the Power User local Group on server, will it prevent the installation on member server
If we can use Restrict ADD /REmove GPO on server, will it prevent installation on member server
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
3 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 28.999999999999996%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVW%3C/text%3E%3C/svg%3E)
Vicky Wang 2,741 Reputation points2021-05-31T07:59:10.503+00:00 -
Vicky Wang 2,741 Reputation points
2021-05-24T09:50:27.533+00:00 Hi,
Thank you for posting in our forum.
As Crypt32 said There is no bulletproof solution to prevent admins from installing unwanted software.
Hope this information can help you
Best wishes
Vicky
-
Vadims Podāns 9,266 Reputation points MVP2021-05-23T11:34:23.74+00:00 Currently all the multiple team are part of the local admin group on the member servers and being a local admin they get all rights on the server. We want even being a local admin on the server they should be prevented from running a windows installer from their ad account
you can't. Local admins always can violate restrictions and run whatever they want.
If we can use the Power User local Group on server, will it prevent the installation on member server
power users are easily escalated to local admins, see: The Power in Power Users.
there is no bulletproof solution to prevent admins from installing unwanted software. Either, you trust them or not. If the later, then you should not grant them admin permissions.
-
Anup Ghonge 21 Reputation points
2021-05-24T04:42:09.83+00:00 @Vadims Podāns Thanks for the reply
Instead of adding them to Local Administrator, If we add the user to Power User, will that help -
Vadims Podāns 9,266 Reputation points MVP
2021-05-24T05:45:18.58+00:00 Power Users are easily escalated to local admins, so no, this won't help.
Sign in to comment -