Category: At least Windows 2000
Always install with elevated privileges
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. If you enable this policy setting privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop) assigned to the computer (installed automatically) or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change including directories on highly restricted computers. If you disable or do not configure this policy setting the system applies the current user’s permissions when it installs programs that a system administrator does not distribute or offer. Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective you must enable it in both folders. Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure.
Always install with elevated privileges
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. If you enable this policy setting privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop) assigned to the computer (installed automatically) or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change including directories on highly restricted computers. If you disable or do not configure this policy setting the system applies the current user’s permissions when it installs programs that a system administrator does not distribute or offer. Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective you must enable it in both folders. Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure.
Allow users to patch elevated products
This policy setting allows users to patch elevated products. If you enable this policy setting all users are permitted to install patches even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs some installations prohibit their use. If you disable or do not configure this policy setting by default only system administrators can apply patches during installations with elevated privileges such as installations offered on the desktop or displayed in Add or Remove Programs. This policy setting does not affect installations that run in the user’s security context. By default users can install patches to programs that run in their own security context. Also see the “Prohibit patching” policy setting.
Allow users to use media source while elevated
This policy setting allows users to install programs from removable media during privileged installations. If you enable this policy setting all users are permitted to install programs from removable media such as floppy disks and CD-ROMs even when the installation program is running with elevated system privileges. This policy setting does not affect installations that run in the user’s security context. By default users can install from removable media when the installation runs in their own security context. If you disable or do not configure this policy setting by default users can install programs from removable media only when the installation runs in the user’s security context. During privileged installations such as those offered on the desktop or displayed in Add or Remove Programs only system administrators can install from removable media. Also see the “Prevent removable media source for any install” policy setting.
Allow users to browse for source while elevated
This policy setting allows users to search for installation files during privileged installations. If you enable this policy setting the Browse button in the “Use feature from” dialog box is enabled. As a result users can search for installation files even when the installation program is running with elevated system privileges. Because the installation is running with elevated system privileges users can browse through directories that their own permissions would not allow. This policy setting does not affect installations that run in the user’s security context. Also see the “Remove browse dialog box for new source” policy setting. If you disable or do not configure this policy setting by default only system administrators can browse during installations with elevated privileges such as installations offered on the desktop or displayed in Add or Remove Programs.
Disk Management Extension
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in disable this policy setting. If this policy setting is not configured or enabled the snap-in is permitted. When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
WMI Control
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in disable this policy setting. If this policy setting is not configured or enabled the snap-in is permitted. When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
Wireless Monitor
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in disable this policy setting. If this policy setting is not configured or enabled the snap-in is permitted. When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
Remote Desktop Services Configuration
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in disable this policy setting. If this policy setting is not configured or enabled the snap-in is permitted. When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
Security Configuration and Analysis
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited. — If the policy setting “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in disable this policy setting. If this policy setting is not configured or enabled the snap-in is permitted. When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.