How to Restrict Domain Users from Installing Software via Group Policy in Windows Server 2003



When domain users can install applications like Chrome despite not having local administrator privileges, this typically indicates one of three scenarios:

  • Insufficient Group Policy restrictions
  • Lax NTFS permissions on Program Files directories
  • The application uses per-user installation (storing files in AppData)

1. Modify Group Policy Object (GPO)

Create or edit a GPO that applies to the target Organizational Unit:

# Open Group Policy Management Console
gpmc.msc

# Navigate to:
Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies

2. Configure Software Restriction Policies

Add a Disallowed path rule for Chrome's per-user install location. The commands below write the rule straight into the local policy keys; a GPO-delivered Software Restriction Policy writes the same keys and overwrites local edits at the next refresh, so put the rule in the GPO where one exists:

# Path rule to block the per-user Chrome installer (SRP level key "0" = Disallowed).
# SRP keeps each rule in its own GUID-named subkey under <level>\Paths: ItemData holds the
# path pattern (wildcards and environment variables allowed), SaferFlags is 0 for path rules.
# On Windows XP / Server 2003 the profile path is C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome*
$rule = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{$([guid]::NewGuid())}"
New-Item -Path $rule -Force | Out-Null
New-ItemProperty -Path $rule -Name "ItemData" -Value "C:\Users\*\AppData\Local\Google\Chrome*" -PropertyType ExpandString | Out-Null
New-ItemProperty -Path $rule -Name "SaferFlags" -Value 0 -PropertyType DWord | Out-Null
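The following script is an added example, not code from the original page: it generalizes the single rule above into two reusable functions that write the same registry layout a Software Restriction Policy uses, one for the global enforcement settings (default level, which file types are checked, scope, and the SRP decision log that helps tune rules before enforcing them) and one for adding a path rule at any level. The log file location and the two Chrome path patterns are assumptions; adjust them to the environment.

```powershell
# Added example: configure SRP enforcement and add Disallowed path rules by writing
# the registry values a GPO-delivered Software Restriction Policy writes. Run elevated.
# Local edits are overwritten by a GPO-managed SRP at the next policy refresh.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, decimal as used in the level key names and in DefaultLevel
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

function Set-SaferEnforcement {
    param(
        [int]$DefaultLevel = $Unrestricted,                 # allow by default, block via explicit rules
        [string]$LogFile   = 'C:\Windows\Temp\SaferLog.txt' # assumed location; any path the service can write
    )
    if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }
    Set-ItemProperty -Path $safer -Name 'DefaultLevel'       -Value $DefaultLevel -Type DWord
    Set-ItemProperty -Path $safer -Name 'TransparentEnabled' -Value 1 -Type DWord   # 1 = all software files except libraries (DLLs)
    Set-ItemProperty -Path $safer -Name 'PolicyScope'        -Value 0 -Type DWord   # 0 = all users, 1 = all users except local administrators
    # One line per evaluated executable and the rule that matched: review it before tightening rules
    Set-ItemProperty -Path $safer -Name 'LogFileName'        -Value $LogFile -Type String
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # path pattern; wildcards and %VARIABLES% allowed
        [int]$Level = $Disallowed,
        [string]$Description = ''
    )
    $key = "$safer\$Level\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $key
}

# Usage: enforce for everyone, then block the per-user Chrome locations on both profile layouts
Set-SaferEnforcement
Add-SaferPathRule -Path '%USERPROFILE%\AppData\Local\Google\Chrome*' `
    -Description 'Block per-user Chrome (Vista and later profile layout)'
Add-SaferPathRule -Path '%USERPROFILE%\Local Settings\Application Data\Google\Chrome*' `
    -Description 'Block per-user Chrome (XP / Server 2003 profile layout)'
```

Using `%USERPROFILE%` instead of a literal drive path makes one rule cover every user and every profile root. Keep `DefaultLevel` at Unrestricted while the rule set is being built and read the log file to see which executables would be caught; only switch the default to Disallowed once the Unrestricted exceptions for legitimate software are in place.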

3. Adjust NTFS Permissions

Remove modify permissions from Program Files. Check the existing ACL before adding deny entries: by default Users only hold Read & Execute here, deny entries are evaluated before allow entries, and because Domain Users is the primary group of every domain account, a deny ACE on it also applies to domain administrators:

icacls "C:\Program Files" /deny "DOMAIN\Domain Users":(OI)(CI)(M)
icacls "C:\Program Files (x86)" /deny "DOMAIN\Domain Users":(OI)(CI)(M)
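Before adding deny entries it is worth knowing which ACEs actually grant write access. The following audit script is an added example, not part of the original page: it walks both Program Files roots and their immediate subfolders and reports allow ACEs that give any write right to broad principals. The principal list (including `$env:USERDOMAIN\Domain Users`) is an assumption to adjust for the domain.

```powershell
# Added example: report write-capable allow ACEs for broad groups under Program Files.
# Run this before, and again after, changing permissions.

$broadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    "$env:USERDOMAIN\Domain Users"   # assumes the machine's domain name; adjust if needed
)

function Get-BroadWriteAce {
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))
    $writeMask   = [int][System.Security.AccessControl.FileSystemRights]::Write   # WriteData|AppendData|WriteEA|WriteAttributes
    $genericMask = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000), seen on inherit-only ACEs
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }   # skip empty (x86 on 32-bit) or missing roots
        # the root itself plus its immediate subfolders (the per-application directories)
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # cast to int so generic rights outside the enum are compared correctly
                $rights = [int]$ace.FileSystemRights
                if ((($rights -band $writeMask) -eq 0) -and (($rights -band $genericMask) -eq 0)) { continue }
                New-Object PSObject -Property @{
                    Path      = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-BroadWriteAce | Sort-Object Path | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

An empty result means the default ACL is intact and the install path is more likely a per-user location such as AppData, which NTFS permissions on Program Files cannot address. A non-empty result names the exact directory and ACE to correct, which is more precise than a blanket deny on the root.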

For more granular control (Windows Server 2003 R2 or later):

# PowerShell commands to create an AppLocker rule. The AppLocker cmdlets ship with
# Windows 7 / Server 2008 R2 and later. New-AppLockerPolicy emits Allow rules only, so change
# Action="Allow" to Action="Deny" in the XML before importing it with Set-AppLockerPolicy -XmlPolicy.
# C:\Installers\ChromeSetup.exe is a placeholder for a local copy of the installer to fingerprint.
Get-AppLockerFileInformation -Path "C:\Installers\ChromeSetup.exe" |
    New-AppLockerPolicy -RuleType Publisher -User "DOMAIN\Domain Users" -RuleNamePrefix "Block Chrome Installations" -Xml |
    Out-File -FilePath "C:\Installers\BlockChrome.xml"

After implementation:

  1. Run gpupdate /force on client machines
  2. Attempt Chrome installation from a test domain account
  3. Check Event Viewer for policy application logs

For applications that install in user profile directories (like Chrome's user-level install):

# Windows Installer policy "Prohibit User Installs": blocks per-user MSI installations.
# It does not affect non-MSI setup executables such as Chrome's stand-alone installer,
# which the SRP path rule covers; the key must exist before the value can be set.
$installer = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
if (-not (Test-Path $installer)) { New-Item -Path $installer -Force | Out-Null }
Set-ItemProperty -Path $installer -Name "DisableUserInstalls" -Value 1 -Type DWord

When managing a Windows domain environment, you might encounter situations where standard domain users can install applications like Chrome despite not having local administrator privileges. This typically occurs due to:

  • Insufficient Group Policy restrictions
  • Overly permissive user rights assignments
  • Missing software restriction policies

Here's how to lock this down through Group Policy on Windows Server 2003:

1. Open Group Policy Management Console (gpmc.msc)
2. Navigate to: Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies
3. Right-click and select "New Software Restriction Policies"
4. Create a new hash rule for chrome_installer.exe

For administrators managing multiple machines, here's a PowerShell script to enforce this policy:

# Import GroupPolicy module (part of RSAT on Windows 7 / Server 2008 R2 and later; run it
# from such a management host against the domain, it is not available on Server 2003 itself)
Import-Module GroupPolicy

# Create new GPO
$gpo = New-GPO -Name "SoftwareInstallationRestriction"

# Set the SRP default security level (0x10000 = Constrained, not shown in the GUI;
# 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted). A complete SRP also
# needs TransparentEnabled, PolicyScope and ExecutableTypes, which the GPO editor writes
# when the policy is first created.
Set-GPRegistryValue -Name $gpo.Name `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" `
    -ValueName "DefaultLevel" -Type DWord -Value 0x00010000

# Apply to specific OU
New-GPLink -Name $gpo.Name -Target "OU=Workstations,DC=domain,DC=com"

For environments without Group Policy infrastructure, import the equivalent values locally from a .reg file with regedit or reg.exe (these three are UAC settings under the Policies\System key and are honored by Windows Vista and later):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableInstallerDetection"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableLUA"=dword:00000001

After implementation, verify the restrictions by:

  1. Attempting to run Chrome installer as domain user
  2. Checking Event Viewer for related security events
  3. Validating policy application with gpresult /r
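The verification steps above can be scripted on a client. The following is an added example, not part of the original page: it reads the effective Software Restriction Policy settings and rules from the registry and pulls the blocks SRP has logged. On Windows XP / Server 2003 SRP records its decisions in the Application log under the source "Software Restriction Policies" with event IDs 865 through 868 (865 default level, 866 path rule, 867 certificate rule, 868 hash or zone rule); the 24-hour window is an assumption.

```powershell
# Added example: show what SRP is enforcing on this machine and which executions it blocked.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferStatus {
    if (-not (Test-Path $safer)) { return 'No Software Restriction Policy is defined on this machine' }
    $p = Get-ItemProperty -Path $safer
    # Level keys are named by decimal level; each holds Paths and/or Hashes containers of GUID-named rules
    $rules = foreach ($level in Get-ChildItem $safer) {
        $name = $levelNames[[int]$level.PSChildName]
        foreach ($kind in 'Paths', 'Hashes') {
            $container = Join-Path $level.PSPath $kind
            if (-not (Test-Path $container)) { continue }
            foreach ($rule in Get-ChildItem $container) {
                $item = Get-ItemProperty $rule.PSPath
                # path rules carry the pattern in ItemData; hash rules carry the binary hash there and a FriendlyName
                $display = if ($kind -eq 'Paths') { $item.ItemData } else { $item.FriendlyName }
                New-Object PSObject -Property @{ Level = $name; Type = $kind.TrimEnd('s'); Rule = $display; Description = $item.Description }
            }
        }
    }
    New-Object PSObject -Property @{
        DefaultLevel = if ($p.DefaultLevel -ne $null) { $levelNames[[int]$p.DefaultLevel] } else { '(not set)' }
        Enforcement  = $p.TransparentEnabled   # 1 = all software files except libraries, 2 = all software files
        Scope        = $p.PolicyScope          # 0 = all users, 1 = all users except local administrators
        Rules        = @($rules)
    }
}

function Get-SaferBlockEvent {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Application -Source 'Software Restriction Policies' -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -ge 865 -and $_.EventID -le 868 } |
        Select-Object TimeGenerated, EventID, UserName, @{ n = 'Detail'; e = { $_.ReplacementStrings[0] } }
}

# Usage: confirm the policy and list recent blocks after a test-account installation attempt
$status = Get-SaferStatus
$status | Select-Object DefaultLevel, Enforcement, Scope | Format-List
$status.Rules | Format-Table Level, Type, Rule, Description -AutoSize
Get-SaferBlockEvent | Format-Table -AutoSize
```

If the rule list is empty after `gpupdate /force`, the GPO is not reaching the machine (check the link, inheritance and security filtering); if the rules are present but no 866 event appears after a test install, the path pattern does not match where the installer actually runs from, and the SRP log file configured through `LogFileName` shows the real path.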

If policies don't apply as expected:

  • Run gpupdate /force on client machines
  • Check policy inheritance and precedence
  • Verify network connectivity to domain controllers
  • Ensure Windows XP clients have latest service packs