GPO to detect application installations and prompt for Elevation

In an enterprise environment, controlling software installation is vital to maintain system integrity, security, and compliance. Group Policy in Windows provides a powerful way to manage this. One effective approach is to create a Group Policy Object (GPO) that detects application installations and prompts for administrative elevation. This ensures that only authorized applications are installed on the network’s computers. This detailed guide is designed to help system administrators configure such a GPO.

Understanding Application Installation Control

Application installation control is crucial for preventing unauthorized software that could introduce security vulnerabilities, consume system resources, or violate compliance policies. Prompting for administrative elevation for software installation helps ensure that only approved software is installed on a system.

Prerequisites

  • Administrative Rights: Ensure you have administrative privileges in your Active Directory (AD) environment.
  • Group Policy Management Console (GPMC): This tool must be installed and accessible.
  • Understanding of User Account Control (UAC): Familiarity with UAC settings in Windows is beneficial.

Step-by-Step Instructions

Step 1: Access the Group Policy Management Console

Open GPMC by searching for “Group Policy Management” in the Start menu or by executing gpmc.msc.

Step 2: Create or Edit a Group Policy Object

  • To create a new GPO, right-click on the domain or an Organizational Unit (OU) and select “Create a GPO in this domain, and Link it here…”.
  • To modify an existing GPO, locate it under the appropriate domain or OU, right-click on it, and select “Edit”.

Step 3: Navigate to UAC Settings

In the Group Policy Management Editor, go to: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.

Step 4: Configure UAC Policy for Elevation Prompt

  • Find and open the policy “User Account Control: Detect application installations and prompt for elevation”.
  • Set this policy to “Enabled”.
  • With this policy enabled, Windows detects installer executables launched by a standard user and shows a UAC prompt that requires administrator credentials before the installer can run.

Step 5: Apply and Enforce the GPO

  • Click “OK” or “Apply” to save the changes.
  • Link the GPO to the relevant OU(s).
  • The policy is applied at the next Group Policy refresh cycle. You can expedite this by running gpupdate /force on the client machines.
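After the refresh, it is worth confirming that the setting actually landed on the clients and is present in the GPO. The following PowerShell is an added example, not code from the original article; it reads the registry value that backs this policy (EnableInstallerDetection, 1 = Enabled) and checks a GPO report for the same setting. The computer names and the GPO name are hypothetical, and the remote check assumes WinRM is enabled and the GroupPolicy (RSAT) module is installed.

```powershell
# Added example (not part of the original article): confirm that the
# "Detect application installations and prompt for elevation" policy is
# actually in effect on client machines after the GPO has applied. The
# setting is stored in the registry as EnableInstallerDetection
# (1 = Enabled, 0 = Disabled) under the UAC policy key.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'EnableInstallerDetection'

function Test-InstallerDetection {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $check = {
        param($Path, $Name)
        $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Value      = $props.$Name
            Enabled    = ($props.$Name -eq 1)
            # EnableLUA must be 1 or no UAC prompt is shown at all.
            UacEnabled = ($props.EnableLUA -eq 1)
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $check $RegPath $ValueName
        } else {
            # Remote check needs WinRM and admin rights on the target.
            Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList $RegPath, $ValueName
        }
    }
}

function Test-GpoHasInstallerDetection {
    param([string]$GpoName)
    # Needs the GroupPolicy module (RSAT). The XML report lists each Security
    # Option by its registry key name followed by its numeric setting.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    return [bool]($report.InnerXml -match 'EnableInstallerDetection</[^>]*>\s*<[^>]*SettingNumber>1<')
}

# Usage: local machine plus two hypothetical lab clients, and a hypothetical GPO name.
Test-InstallerDetection -ComputerName $env:COMPUTERNAME, 'LAB-PC01', 'LAB-PC02' |
    Format-Table Computer, Enabled, UacEnabled, Value -AutoSize
Test-GpoHasInstallerDetection -GpoName 'Installer Detection Policy'
```

A client that reports Enabled = True but UacEnabled = False will never show the prompt, so check both columns.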

Advanced Configuration and Use Cases

  1. Restricted Environments: In environments like laboratories or secure facilities, where software installation needs strict control, this policy is essential.
  2. Maintaining Compliance: For organizations subject to regulatory compliance, controlling software installations is often a requirement. This policy helps maintain compliance with such regulations.
  3. Layered Security Approach: Combine this policy with other software restriction policies to create a comprehensive defense against unauthorized software.

Security Considerations

  • Balancing Security and Usability: Ensure the policy does not overly hinder legitimate operational needs. Provide a clear process for users to request software installation.
  • Monitoring and Logging: Implement logging of elevation prompts to monitor attempts at unauthorized software installation.
  • Regular Policy Reviews: Periodically review the effectiveness of the policy and adjust it based on feedback and changing organizational needs.
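One way to get the monitoring described above, as an added example that is not part of the original article: Windows writes a Security event 4688 for every process start when "Audit Process Creation" is enabled, and that event records whether the process received a full (elevated) token. The script below filters those events for installer-like executables so that elevations granted to setup programs can be reviewed; the image-name pattern is an assumption you should adjust, and reading the Security log requires an elevated session.

```powershell
# Added example (not part of the original article): review elevated launches
# of installer-like programs from the Security log. Requires the
# "Audit Process Creation" audit policy (event 4688) and an elevated session.
function Get-ElevatedInstallerLaunches {
    param(
        [int]$Hours = 24,
        # Hypothetical filter on the image path; tune it to your environment.
        [string]$Pattern = 'setup|install|msiexec'
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # TokenElevationType %%1937 = TokenElevationTypeFull: the process runs
        # with the full administrator token, i.e. the UAC prompt was approved.
        if ($d.TokenElevationType -eq '%%1937' -and $d.NewProcessName -match $Pattern) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Creator = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                # TargetUserName is populated when a different account's
                # credentials were supplied at the prompt (over-the-shoulder elevation).
                RanAs   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Process = $d.NewProcessName
                Parent  = $d.ParentProcessName
            }
        }
    }
}

# Usage: elevated installer launches in the last 24 hours on this machine.
Get-ElevatedInstallerLaunches -Hours 24 | Format-Table -AutoSize
```

Run it from a scheduled task or collect the output centrally to spot standard users repeatedly triggering the prompt.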

Troubleshooting

  • Policy Not Applying: If the GPO does not appear to be taking effect, use tools like Resultant Set of Policy (RSoP) or gpresult to diagnose and troubleshoot.
  • Operational Issues: In cases where the policy hinders essential software installation, consider creating a process for pre-approved software or adjusting the policy settings.

Conclusion

Configuring a GPO to prompt for administrative elevation during application installations is an effective strategy to enhance network security and control in a Windows environment. By following the steps outlined in this guide, system administrators can ensure that only authorized software is installed, thereby protecting the integrity and security of the network.
