As a domain administrator, you may want to restrict the permissions that domain users have on their local machines. In these cases, it can be difficult to manage installation and updates for software that you want to allow users to run. When dezrez deploy an update, end users may not be able to fully install them due to these account restrictions.
You may have to link the GPO to multiple Organisational Units (OUs) in order to achieve this.
IMPORTANT: This guide covers making changes to a Group Policy Object (GPO) – If you use the domain default GPO, all machines and users in the domain will be affected.
The first step is to use the Software Restriction Policy in your domain to allow MSIs to run, provided they are signed with the dezrez software publishing certificate. Also change the Windows Installer setting to allow approved MSIs to be run in elevated mode.
Path Rule: Disallow *.MSI Certificate Rule: Dezrez Services Ltd. Certificate – Unrestricted.
NOTE: If you do not want this setting to apply to local administrators, select “Software Restriction Policy” in the tree view, and select the “Enforcement” option. Change the setting “Apply software restriction policies to the following users” to “All users except local administrators”.
The Windows Installer Service must be run in an elevated state. This GPO change must be applied to both User and Computer objects in order to be effective. You may have to link the GPO to multiple Organisational Units (OUs) in order to achieve this.
Some folders, registry keys require certain permissions in order for the software to function. Take a look below at the specific areas and their exceptions:
Folder Access (Full Control required)
Folder Access (Read Execute required)
Registry Access (Read Write required)
Talk to us today to get started.