Customer requirements are as follows: Requires a machine to allow domain users to modify the network configuration, but does not allow the installation and uninstallation of software. How is it implemented?
= = = Solution Ideas
Implementing "Do not allow software installation and uninstallation" through Group Policy
A normal account cannot modify the network configuration in a domain, add a domain user to the local Administrators group, or add it to the network Configuration Operators group if you do not want to make it a local administrator, and members of this group can modify the This way the user needs PowerUser permissions at the same time, if not, the permissions are not enough
Client's domain user has poweruser permissions by default
= = = Group Policy configuration
1) Create a new organizational unit and put the PC in the organizational unit
650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/84/07/wKiom1eDkR-wl2Q7AAB_IkGbGM4203.png "title=" capture. PNG "alt=" Wkiom1edkr-wl2q7aab_ikgbgm4203.png "/>
2) cmd command line input gpmc.msc Open the Group Policy Management Console, create a new GPO, and edit
650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/84/07/wKiom1eDkbiQvBDNAADHQoXXpgc939.png "title=" capture. PNG "alt=" Wkiom1edkbiqvbdnaadhqoxxpgc939.png "/>
3. Click Manage Templates ... Find Windows Installer under Windows components
650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/84/06/wKioL1eDkrrzg4BVAACjHsOQGgc049.png "title=" capture. PNG "alt=" Wkiol1edkrrzg4bvaacjhsoqggc049.png "/>650) this.width=650; src=" http://s5.51cto.com/wyfs02/M01/84/07 /wkiom1edk1eguen0aag0uwcishw698.png "title=" capture. PNG "alt=" Wkiom1edk1eguen0aag0uwcishw698.png "/>
4) "Turn off Windows Installer enabled", the arrows refer to the section select Always, gpupdate/force refresh policy
650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/84/06/wKioL1eDk7_AckDrAADHiSSRkHU950.png "title=" capture. PNG "alt=" Wkiol1edk7_ackdraadhissrkhu950.png "/>
= = = Test Group Policy effect
The following error occurred while installing the software, the uninstall action prompts to prohibit this uninstall, the policy deployment succeeds
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/84/06/wKioL1eDmCajFXOKAAYAacSueUc307.png "title=" capture. PNG "alt=" Wkiol1edmcajfxokaayaacsueuc307.png "/>
= = = gives users local Administrator rights (workaround 1)
The following error occurs when you want to configure the network without granting permissions
650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/84/06/wKioL1eDmX6whl68AACdN_piF-Y714.png "title=" capture. PNG "alt=" Wkiol1edmx6whl68aacdn_pif-y714.png "/>
1) First Test gives the user local Administrator privileges
650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/84/07/wKiom1eDmS_wm9k9AACslYtY9c8212.png "title=" capture. PNG "alt=" Wkiom1edms_wm9k9aacslyty9c8212.png "/>
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/84/07/wKiom1eDmdPgkUcPAADMdm-tVfs108.png "title=" capture. PNG "alt=" Wkiom1edmdpgkucpaadmdm-tvfs108.png "/>
= = = gives users network Configuration operators permissions (workaround 2)
1) Add this permission after removing the administrators permission that you just added, and the description says what this permission does!
650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/84/06/wKioL1eDmunzXLnTAAE0M1UCoCI961.png "title=" capture. PNG "alt=" Wkiol1edmunzxlntaae0m1ucoci961.png "/>
2) Enter user name password, no permission will prompt
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/84/07/wKiom1eDmzrxmVnNAAFKeOZnWHU907.png "title=" capture. PNG "alt=" Wkiom1edmzrxmvnnaafkeoznwhu907.png "/>
3) Remember, if you add the network Configuration operators permissions, do not add PowerUser permissions, also can not access, will prompt no permissions!
650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/84/07/wKiom1eDnkCgQkEXAADp7ecmmi8448.png "title=" capture. PNG "alt=" Wkiom1ednkcgqkexaadp7ecmmi8448.png "/>
Every time I solve the problem, I will take the time to write a blog post, without reservation to share this interesting experience to everyone, hope to help more people!
This article from "Sameold" blog, declined reprint!
A computer allows domain users to modify the network configuration, but does not allow software to be installed and uninstalled