Prevent Local Admins from Installing Programs

This guide provides step-by-step instructions to prevent a local administrator on a domain-joined computer from installing programs via the Control Panel.

Method 1: Group Policy - Prohibit Access to Control Panel

  1. Open Group Policy Management Console (GPMC):
    On a Domain Controller, open the Group Policy Management Console (gpmc.msc).
  2. Create or Edit a Group Policy Object (GPO):
    Right-click on the desired Organizational Unit (OU) where the policy will be applied and select "Create a GPO in this domain, and Link it here".
    Name the new GPO, then right-click on it and select "Edit".
  3. Navigate to Control Panel Settings:
    User Configuration -> Administrative Templates -> Control Panel
  4. Enable Prohibit Access to Control Panel and PC settings:
    Find and double-click on "Prohibit access to Control Panel and PC settings".
    Set it to Enabled.

Method 2: Software Restriction Policies or AppLocker

Using Software Restriction Policies

  1. Open Group Policy Management Console (GPMC):
    On a Domain Controller, open the Group Policy Management Console (gpmc.msc).
  2. Create or Edit a Group Policy Object (GPO):
    Right-click on the desired Organizational Unit (OU) where the policy will be applied and select "Create a GPO in this domain, and Link it here".
    Name the new GPO, then right-click on it and select "Edit".
  3. Navigate to Software Restriction Policies:
    Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies
  4. Set Additional Rules:
    Right-click on "Additional Rules", select "New Path Rule".
    Enter the paths to common installation executables, such as C:\Windows\System32\msiexec.exe and C:\Windows\System32\control.exe, and set the security level to Disallowed.
    Additionally, you can create rules for specific application installers by specifying their paths.

Using AppLocker (for Windows 10 Enterprise or Education)

  1. Open Group Policy Management Console (GPMC):
    On a Domain Controller, open the Group Policy Management Console (gpmc.msc).
  2. Create or Edit a Group Policy Object (GPO):
    Right-click on the desired Organizational Unit (OU) where the policy will be applied and select "Create a GPO in this domain, and Link it here".
    Name the new GPO, then right-click on it and select "Edit".
  3. Navigate to AppLocker:
    Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker
  4. Create Rules:
    Right-click on "Executable Rules" and select "Create New Rule".
    Follow the wizard to create rules that disallow installation executables like setup.exe, install.exe, etc.
    Be sure to specify exceptions for necessary system processes and applications.
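
As an added verification script (not part of this guide), the following PowerShell checks on the target workstation whether the Method 1 policy and the Method 2 AppLocker rules actually take effect for a given account, using the Windows AppLocker cmdlets Get-AppLockerPolicy and Test-AppLockerPolicy; the account name and installer paths are placeholders to adjust.

```powershell
# Added verification script (not part of the guide). Assumptions: run in an elevated
# PowerShell on the domain-joined client after `gpupdate /force`; the AppLocker module
# ships with Windows; $User is a placeholder account to evaluate.
param(
    [string]$User = 'CONTOSO\jdoe',            # placeholder account
    [string[]]$Installers = @(                 # installers the rules should block
        "$env:SystemRoot\System32\msiexec.exe",
        "$env:SystemRoot\System32\control.exe"
    )
)

# Method 1: "Prohibit access to Control Panel and PC settings" sets NoControlPanel=1
# under the Explorer policy key of the user hive it applies to.
$cpKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noCp  = (Get-ItemProperty -Path $cpKey -Name NoControlPanel -ErrorAction SilentlyContinue).NoControlPanel
if ($noCp -eq 1) { Write-Host "[OK]   Control Panel prohibited for the current user" }
else             { Write-Host "[WARN] NoControlPanel not set; the Method 1 GPO did not apply to this user" }

# AppLocker rules are only enforced while the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { Write-Host "[OK]   AppIDSvc is running" }
else { Write-Host "[WARN] AppIDSvc is not running; AppLocker rules are not enforced" }

# Method 2: evaluate the merged (effective) AppLocker policy against each installer path
# for the account in question. 'Denied' means the rule blocks it; 'Allowed' means the
# account can still launch the installer, for example because an exception applies.
$policy  = Get-AppLockerPolicy -Effective
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $Installers -User $User
foreach ($r in $results) {
    $tag = if ($r.PolicyDecision -like 'Denied*') { '[OK]  ' } else { '[WARN]' }
    Write-Host "$tag $($r.FilePath): $($r.PolicyDecision) (rule: $($r.MatchingRule))"
}
```

Run it once as the restricted account and once with the local administrator's name in -User, so that any exception that still allows the administrator to launch the installer shows up as a [WARN] line.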

Method 3: Restrict Access to Installation Locations

  1. Restrict Write Access to Program Files:
    Navigate to C:\Program Files and C:\Program Files (x86).
    Right-click on these folders, select "Properties", go to the "Security" tab.
    Edit permissions to deny write access to non-administrative users or specific groups.
  2. Restrict Access to Registry Keys:
    Open regedit and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall.
    Adjust permissions to restrict write access to this registry key to prevent unapproved uninstallations.

Considerations