[gptalk] Re: Registry Key

  • From: "Mesidor, Jean" <jean.mesidor@xxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 13 Jul 2007 14:50:14 -0400

Darren,
 
I have used the Software Restriction Policy.  I have a CCMSETUP folder
in the system32 folder which is where the install files will be stored.
I set it to "disallowed" and it is working. I will test more and share
my experience.
 
Thanks,
Jean

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, July 13, 2007 10:14 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



Right. To try and use GP file or registry permissions to hold off the
installation could be challenging. Essentially you would need to set a
Deny ACE for the security principal that is running the setup on the
parent folder or key where you're trying to prevent creation. That may
not be a very good idea in the case of system32 and the Services key
because it could break other things. I think Brian's idea of finding an
SMS way to stop this is best - but if you can't do that, I would seriously
look at using Software Restriction Policy to prevent execution of the
SMS client setup instead of trying to use permissions.

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Brian Cline
Sent: Friday, July 13, 2007 6:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key

 

Sounds like even more reason to work on a solution on the SMS side.
That's 2000 attempts and 2000+ errors each time SMS discovery runs.

 

Brian Cline, Business Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Friday, July 13, 2007 8:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key

 

Brian,

 

That was my first thought, but it is not only just one computer. It is
about 2000 machines.

 

Thanks,

Jean

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Brian Cline
Sent: Friday, July 13, 2007 8:44 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key

The best way to do this is to use SMS to exclude this computer from
discovery. Even if the GPO works in preventing the client from being
installed, SMS will continually try to push the client every time
discovery runs and will generate errors every time.

 

Brian Cline, Business Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Friday, July 13, 2007 8:07 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key

 

Hi Darren,

 

When I push the SMS client, it creates a ccmsetup folder in
"\system32\ccmsetup" to which it copies its installation files. If I can
prevent this folder from being created through the GPO, I think I would
be fine. Also, if I can use the GPO to prevent the following registry
key "HKLM\system\CurrentControlSet\Services\ccmsetup" from being created,
that would be even better. Any idea how to accomplish that?

 

Thanks for all your prompt responses.

 

Jean

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, July 13, 2007 12:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key

As little as possible :). I am a recovering SMS 1.0 and 1.2
administrator...it's a long hard road.

 

I'm open to understanding exactly why denying permissions to a registry
key to prevent an installation is not weird, but in all my years, it
sounds weird to me!

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 9:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key

 

I don't know how familiar you are with SMS, but I'll try your
suggestion.
Thanks,
Jean

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Fri Jul 13 00:13:30 2007
Subject: [gptalk] Re: Registry Key

How about just using Software Restriction policy to deny that setup exe
from running? I think the way you've described to prevent an install
sounds kinda screwy, to be honest.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 8:38 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



I am trying to prevent SMS from installing on clients, and the way to
do that is by adding a ccmsetup key under HKLM, but the permissions
should be set so that the installation gets access denied when pushing the
client. I am using Desktop Standard to create that key and it works.
The only problem is that it inherits parent permissions. I can fix
the permissions, but once I reboot the test client it reverts back to
Administrators, Creator Owner, System etc. I would greatly appreciate it if
you can help, please.

Thanks,
Jean

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Thu Jul 12 23:31:29 2007
Subject: [gptalk] Re: Registry Key

That's not possible AFAIK. You can't have no permissions on a key. In
that case, it will always fall back to some default set of permissions.
What are you really trying to accomplish?



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 8:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



Darren,
No matter which option I pick, the permissions still come down. What I
am trying to do, if it is possible, is to even get rid of all
permissions on the key I am adding.

Thanks,
Jean

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Thu Jul 12 18:58:32 2007
Subject: [gptalk] Re: Registry Key

Well, the two main choices let you choose whether you want permissions
from parent keys to propagate into your controlled key in addition to
the permissions you specify in the policy. If you don't - that is, if you
want to break inheritance completely with the parent keys, then you
choose "do not allow permissions to be replaced". If you do, then you
choose the first option and then within that, whether you want your
permissions to be inherited downward or not.



Hope that helps,

Darren





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 2:53 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



Yes, which one to pick?

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Thu Jul 12 17:17:10 2007
Subject: [gptalk] Re: Registry Key

So are you asking which one to choose?



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 2:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



Darren,

I am using the GPMC's built-in security; however, the options I am
getting are:
Propagate inheritable permission
Allow inheritable permissions
Don't allow permission to be replaced.

This is where my dilemma is.

Thanks,
Jean

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Thu Jul 12 15:45:44 2007
Subject: [gptalk] Re: Registry Key

Jean-

There's a couple of ways to do that. You can use Group Policy's built-in
registry security capability or you could use a combination of a startup
script (assuming the key is under HKLM) and a utility like subinacl.exe
to do it.



Darren





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 12:28 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Registry Key



I am trying to create a registry key to a GPO to prevent SMS
installation on some clients. I am using GPMC to do that, but I can't
modify the security on the key. How can I achieve that please?



Thanks,

Jean
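
A check for a test client that the Software Restriction Policy path rule settled on in this thread has actually been applied, added here as an example and not part of the original messages. It assumes the rule was created on the `system32\ccmsetup` folder and reads the registry location where Windows stores SRP rules; the function names are illustrative.

```powershell
# Added example (not from the thread). Lists the SRP path rules delivered by
# Group Policy and reports whether $target falls under a Disallowed rule.
$root   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$target = Join-Path $env:windir 'system32\ccmsetup'   # folder named in the thread

# SRP stores each rule under a subkey named for its numeric security level.
$levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path $root "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            # ItemData holds the rule's path; skip rule keys without one.
            $raw = (Get-ItemProperty -Path $rule.PSPath).ItemData
            if (-not $raw) { continue }
            [pscustomobject]@{
                Level  = $levels[$level]
                Path   = [Environment]::ExpandEnvironmentVariables($raw)
                RuleId = $rule.PSChildName
            }
        }
    }
}

function Test-UnderPath([string]$Child, [string]$Parent) {
    # Prefix match on whole path components, case-insensitive.
    $c = $Child.TrimEnd('\') + '\'
    $p = $Parent.TrimEnd('\') + '\'
    return $c.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)
}

if (-not (Test-Path $root)) {
    Write-Output 'No Software Restriction Policy is applied to this computer.'
} else {
    $rules = @(Get-SrpPathRule)
    $rules | Sort-Object Level, Path | Format-Table -AutoSize
    $deny = @($rules | Where-Object {
        $_.Level -eq 'Disallowed' -and (Test-UnderPath $target $_.Path)
    })
    if ($deny.Count -gt 0) {
        Write-Output "Disallowed path rule covers ${target}: $($deny[0].Path)"
    } else {
        Write-Output "No Disallowed path rule covers $target"
    }
}
```

Run it from an elevated prompt after a Group Policy refresh. Path rules that contain wildcards are not matched by this simple prefix test.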
