[THIN] Re: Restricting users from applications
- From: Adam.Baum@xxxxxxxxxxxxxx
- To: thin@xxxxxxxxxxxxx
- Date: Mon, 7 Nov 2005 15:11:09 -0700
I pretty much do everything that you have mentioned. The hard part is that
the users need to have different access based depending on where they
connect from. If I connect from my desk at work, I get full access to
applications. If I connect from home, my access needs to be limitied.
The methods outlines below work based on user credentials. This method
won't work for my needs.
adam
"Bray, Donovan
(ESC)"
<BrayD@xxxxxxxxxx To
dnet.edu> thin@xxxxxxxxxxxxx
Sent by: cc
thin-bounce@freel Adam.Baum@xxxxxxxxxxxxxx
ists.org Subject
[THIN] Re: Restricting users from
applications
11/07/2005 03:05
PM
Please respond to
thin@xxxxxxxxxxxx
g
I use NTFS file permissions propagated by GPO to protect applications.
I also use login scripts to manipulate the users start menu and desktop
based on group membership.
So for a "protected" application the login script checks with ismember to
find out if the icons should be copied to the users profile, if not it
attempts to delete them.
Then using a Group Policy attached to the termserver OU -> computer ->
windows settings -> Security Settings -> File System, I create and replace
the permissions on the directory that holds the executables to prevent
access unless they are a member of that applications assigned "group"
(obviously the same one that ismember is checking).
I usually do it with entire folders, but in office's case since there are
so
many shared components, you might think about doing it just for the primary
executables.
The beauty of using GPO's is that I can change it at will, (don't have to
wait for a re-image), and it affects as many termserves as are in the OU
where you have the GPO linked without manually setting each one.
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf
Of Adam.Baum@xxxxxxxxxxxxxx
Sent: Monday, November 07, 2005 12:04 PM
To: thin@xxxxxxxxxxxxx
Cc: thin@xxxxxxxxxxxxx; thin-bounce@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting users from applications
Correct. I have to prevent the "restricted" apps from being accessed by
any
means (explorer navigation, embedded links, creating new files with .doc,
.xls and then clicking on them, etc). Basically, MS is now charging an
extra $100+ for every telecommuter to access Office via a terminal
session. That's ontop of the Windows CAL and the TS CAL. Doesn't matter
if the user has a legit copy of Office on his home PC and has Office on his
work PC.
adam
Jeff Pitsch
<jepitsch@xxxxxxx
om> To
Sent by: thin@xxxxxxxxxxxxx
thin-bounce@freel cc
ists.org
Subject
[THIN] Re: Restricting users from
11/07/2005 12:35 applications
PM
Please respond to
thin@xxxxxxxxxxxx
g
Unfortunately he wants to make sure that the user can't start the programs
even from another. At least that's how I understand it. for example, if
you have outlook open, you can't open a word attachment because word is
restricted if your coming in over the internet.
Jeff Pitsch
On 11/7/05, Walter, Chris <christopher.walter@xxxxxxx > wrote:
Setup a load evaluator based on IP range and deny them access if they are
using a specific IP range.
Chris
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] On
Behalf
Of Adam.Baum@xxxxxxxxxxxxxx
Sent: Monday, November 07, 2005 12:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Restricting users from applications
HI All,
As we move more and more into a thinclient solution here, I have been
asked
if there is a way to keep someone from accessing certain applications
when
telecommuting. Here some background info: While using a City supplied
pc
(mainly internal users), access to Microsoft applications are covered
under
our EA. When using the same servers from home, the access to apps are
not
covered under the EA. So..I need to find a way to prevent users coming
through MSAM from accessing Microsoft applications. Internally, we use
PNAgent/WI.
My intial thought was to not publish the apps through MSAM. Then I
thought
about embedded links. Even if the app isn't published, clicking on an
embedded document (or link to a .doc, xls, etc) will launch the app.
Is there a way to set publishing/access rules based on your connection
(MSAM vs PNagent)? Any other methods accomplishing this task?
adam
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
************************************************
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
************************************************
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode
use the below link:
http://www.freelists.org/list/thin
************************************************
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
************************************************
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
************************************************
- References:
- [THIN] Re: Restricting users from applications
- From: Bray, Donovan (ESC)
Other related posts:
- » [THIN] Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- » [THIN] Re: Restricting users from applications
- [THIN] Re: Restricting users from applications
- From: Bray, Donovan (ESC)