[THIN] Re: Procedure for restricting program access by users in terminal server 2003

  • From: "Kevin R. Fjelsted" <kfjelsted@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 6 Jun 2005 09:39:00 -0500

I set the default SRP to Deny all scope anyone which contains all the users.
Actually  I then want to permit the support group which is a subset of anyone 
to run the program.
When I set allow for this group I still get a deny on the program for all 
including support.
-Kevin


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Jeff Pitsch
Sent: Monday, May 09, 2005 6:31 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Procedure for restricting program access by users in
terminal server 2003


There is an entire heirarchy within SRP.  As with most permissions,
applying deny overrides everything (except in the case of the default
rule).  What is your default SRP setting:  Allow all or deny all?  If
Allow all, just set one GPO for everyone but the group of users you
want to have run the program and set those users to deny.  That's all
you have to do.

Jeff Pitsch


On 5/9/05, Kevin R. Fjelsted <kfjelsted@xxxxxxxxxxxxxx> wrote:
> I am trying to get a simple case working.
> I have a hash rule set to  in a GPO for software restriction.
> Then I have a second GPO with scope of one security group.
> I have the same hash rule set to allow.
> I have also set the second GPO to precedence.
> I am still getting deny with the security group.
> However if I completely remove the deny rule from the first GPO and set the 
> rule in the second to deny then I get a deny within that security group.
> What am I overlooking regarding precedence?
> -Kevin Fjelsted
> 
> deny
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
> Behalf Of Edward VanDewars
> Sent: Saturday, May 07, 2005 12:31 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Procedure for restricting program access by users in
> terminal server 2003
> 
> Look at Software Restriction Policies:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
> 
> SRP works at the OU level via a GPO but it will do what you want and I
> think it is awesome in "default deny" mode where you specify only what
> you want to run.  Just be sure to test your rule set before deploying
> it.
> 
> On 5/7/05, Kevin R. Fjelsted <kfjelsted@xxxxxxxxxxxxxx> wrote:
> >
> >
> > I am interested in documentation and other resources that will describe
> > procedures for restricting program access by user under windows 2003.
> > The scenario is that we have performed a lockdown under group policy for the
> > terminal server within a domain.
> > Now we have created security groups that various groupings of users are then
> > added as members.
> > We want to permit or deny access to installed programs based on whether a
> > particular user is a member of a particular security group.
> > Version of active directory is windows 2003 enhanced and we are running
> > terminal server 2003.
> > Please advise and post to the list for all to view.
> > Thanks.
> > -Kevin Fjelsted
> >
> ********************************************************
> This Weeks Sponsor: ThinPrint GmbH
> Now available: The new version .print Engine 6.2 with SSL encryption
> and certificate management.
> http://www.thinprint.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ThinWiki community - Excellent SBC Search Capabilities!
> http://www.thinwiki.com
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
> ********************************************************
> This Weeks Sponsor: ThinPrint GmbH
> Now available: The new version .print Engine 6.2 with SSL encryption
> and certificate management.
> http://www.thinprint.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ThinWiki community - Excellent SBC Search Capabilities!
> http://www.thinwiki.com
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
>
********************************************************
This Weeks Sponsor: ThinPrint GmbH
Now available: The new version .print Engine 6.2 with SSL encryption 
and certificate management.
http://www.thinprint.com
********************************************************** 
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community - Excellent SBC Search Capabilities!
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
********************************************************
This Weeks Sponsor: ThinPrint GmbH
Now available: The new version .print Engine 6.2 with SSL encryption
and certificate management.
http://www.thinprint.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community - Excellent SBC Search Capabilities!
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm

Other related posts:

  1. Home
  2. thin
  3. Archive
  4. 06-2005