Windows 10: Prevent Users Who join to domain from installing new programs using GPO

I have been applying the Microsoft installer and it prevent only the MSI programs.But exe programs does not prevent.I also tried the prohibit user installs. it does not make sense.I want to prevent the users from installing both of MSI and EXE.

:)

 

"Restart Now" button not working in Windows 10 (Domain Joined Users)

Hello All,

Ever since we have been using Windows 10, the "RestartNow" button in Windows Update does not work for Domain Joined Users.





I can't find anything in my GPO that would not allow this, and it works on Windows 7, just not 10.

This happens on all our Windows 10 domain joined machines, regardless of the build, user, or if it was a Windows 7 upgrade, fresh installation, etc.

Please help mt find this GPO object that is preventing this!

Thanks Much,

 

Server 2003 GPO questions

Hello,
I am working on a GPO in Microsoft Server 2003 for the majority of domain users here at my work and I am having difficulties achieving the results I need.

Details:
I would like to disable all programs on the domain user account except a select few. I have accomplished this through enabling "Only allow specific Windows applications to run" or something of that like in the GPO. I then added the programs I want the domain user to be able to run and it automatically excludes the rest. This worked beautifully however, I do want them to have access to a few installer files on our network drive but when I attempt to open the installer packages, I get a restriction error. More precisely, I get the same error that comes up when I try to open any other applications that are not included in the "Only allow specific Windows applications to run" field. I have scoured the GPO for about a day now and enabled every option I could think of that may allow these installations to run but I have not succeeded in finding it. Anyone have any advice?
Notes:
I have added the account I am monitoring through the GPO as an administrator on each local machine with my domain specified in the domain field.

I am also wondering if there is a setting which allows an admin to bypass the GPO while logged in as the domain user that is governed by said GPO by some form of authentication?

Let me know if any other information is needed. I will provide it as promptly as possible.

Thanks in advance for the help! *Toast :toast:

 

After implementing KB5020276 March,16 I'm still not able to re-join the PC to the domain

Hello,

I've proceeded step by step with all instructions regarding KB5020276:

1. Install March,16 updates on all Domain Controller
   
2. Install March,16 updates on the test workstation
   
3. Set up new GPO setting as per documentation - settings taken by all DCs
   
4. Ensured that NetJoinLegacyAccountReuse was not set in the registry
   

But still, I'm getting the error that accounts re-use is blocked by the security policy

I've also checked NetSetup.log file and the output is quite strange:

IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2.

IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.

NetpDsValidateComputerReuseAttempt: returning NtStatus: 0, NetStatus: 0

NetpDsValidateComputerReuseAttempt: fReuseAllowed: FALSE, NetStatus 0x0

NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac

I've tested the behavior in 3 cases:

1. Use a non-admin account with delegated permissions to join the PC and modify computer objects in AD assigned directly in GPO as a Trusted Computer Account Owner
   
2. User non-admin account which is a member of the group which is added as Trusted Computer Account Owner in GPO
   
3. Domain Admin Member
   

In all 3 cases, I'm getting the error that the account cannot be re-used

After all, I've checked the alternative path - with NetJoinLegacyAccountReuse - only with this field set to 1 in the registry was I able to perform domain re-join using delegated account and Domain Admin account

Do you know what can be missing or wrongly configured in the KB5020276 March,16 implementations? I've checked everything several times and I fail every time.