# Disable users ability to install ANY software on RDS 2008 R2



## icp_nz (Apr 5, 2011)

Hi is anyone able to assist with this?

I've tried enabling 'Disable Windows Installer' and 'Prohibit User Installs' in GPE > Computer Config > Admin Templates > Windows Components > Windows Installer ..... and no luck, can still easily download and install e.g. Chrome and Firefox

Anyone know a quick and easy way to deny users from installing anything on the RDS without specific permission? Trying to reduce the crap being installed by users not realising it's actually going on a server not their local machine


----------



## Gwoo1981 (Jun 4, 2015)

Are they admins on this server? Any case heres a great article that will help 
http://m.windowsecurity.com/article...wn-Windows-Server-2008-Terminal-Services.html


----------



## icp_nz (Apr 5, 2011)

Hello, no of course they are not admins. They are users. And they are able to install anything they like for their own profile - which I don't want

Do you know how to disable ANY installs (not just ones that use Windows Installer) for all users that aren't admins?


----------



## Gwoo1981 (Jun 4, 2015)

Make sure they are in the Users group. Go to computer management, rt click computer from start select manage, expand local users and groups. Select Groups, this will show different groups that have different permissions. There should be a users group which will give them almost no permissions including the ability to install software


----------



## Corday (Mar 3, 2010)

In the group policy editor>Disable windows installer
Make sure it's required. Setting should be Always install with elevated privileges.


----------



## icp_nz (Apr 5, 2011)

As previously mentioned the 'Disable Windows Installer' is currently set to 'Always' which means that Windows Installer is disabled, but other install methods and upgrade methods will still work


----------



## Corday (Mar 3, 2010)

See this: https://social.technet.microsoft.co...access-to-the-control-panel?forum=winserverTS
and this: How to prevent users from installing software :: Security :: Admin Tips :: Windows 2003 :: Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base :: KBase Tips :: WindowsNetworking.com


----------



## icp_nz (Apr 5, 2011)

Corday said:


> See this: https://social.technet.microsoft.co...access-to-the-control-panel?forum=winserverTS
> and this: How to prevent users from installing software :: Security :: Admin Tips :: Windows 2003 :: Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base :: KBase Tips :: WindowsNetworking.com


Hello, I have read the above articles and neither are of any assistance. One just says disable CP via GPM which stops MSI files from being run - no good for other installer packages/files/updates

The other is no help at all

Is there a definitive answer for this? Surely it can't be that hard to just disable ALL software/application/updates for regular terminal/remote server USERS? :huh::huh::huh:


----------



## Corday (Mar 3, 2010)

I talked to a buddy and he said since you've disabled the Windows Installer, rather than going to extensive trouble for other downloads, if the number of employees is relatively small, just orally set the policy and with management backing add it to the Policy Manual with proper penalties for disobeying.


----------



## icp_nz (Apr 5, 2011)

Corday said:


> I talked to a buddy and he said since you've disabled the Windows Installer, rather than going to extensive trouble for other downloads, if the number of employees is relatively small, just orally set the policy and with management backing add it to the Policy Manual with proper penalties for disobeying.


I've got 500+ staff to relay this to so a verbal notification and written reminder of the policy will not suffice unfortunately!

I need to be able to physically stop the users from being able to install ANYTHING when logged onto our terminal server

Surely there's a simply GPO or something that will do this???? :facepalm::facepalm:


----------



## Gwoo1981 (Jun 4, 2015)

The same issue you are experiencing has been resolved here https://www.petri.com/forums/forum/...ces/7434-group-policy-only-on-terminal-server

Apparently the trick is to create a new OU then move your terminal server into that OU and apply policies... Hope that helps


----------

