[THIN] Re: Users installing programs
- From: "Joel Stolk" <JStolk@xxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Thu, 9 Sep 2004 09:27:49 -0500
That sounds like a big administrative hassle to me. We used to manage
NTFS read-only permissions on \Program Files and \Windows folders on the
servers, but with as many server and apps as we have, it was a big PITA.
We now use hidden drives and the GPO settings I mentioned before, and
the registry security. We have a ton of other GPO restrictions, about
12 pages worth printed out. Our users complained at first, but we have
almost eliminated end user generated help desk calls.
The best thing to do would be to set up a server in the lab see what
combination works best for you. Test different approaches and see what
you can break. There will always be some way to mess up a terminal
server, but you can eliminate about 99% of the problems.
-Joel
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Abshire
Sent: Thursday, September 09, 2004 9:12 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
My colleague wants to set read only permissions on the root and try to
go back and allow what needs write access on the servers. I have told
him doing so will be a huge mistake because there are so many files in
different places that finding them all would be a nightmare. I wanted
to share this with everyone so I am not alone when I approach my boss
and colleague with more emphasis on using a more logical approach. Any
input will be greatly appreciated.
-----Original Message-----
From: Joel Stolk [mailto:JStolk@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 09, 2004 9:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
It will run for admins if you enable the policy setting to do so.
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Abshire
Sent: Thursday, September 09, 2004 8:55 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
Good point.
-----Original Message-----
From: Frank Monroe [mailto:Frank.Monroe@xxxxxxxxxxx]
Sent: Thursday, September 09, 2004 8:37 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Users installing programs
Keep in mind, Windows Installer doesn't run in a terminal server
session, so if stuff is being installed, its not via windows installer
anyway.
-----Original Message-----
From: Jim Abshire [mailto:Jim.Abshire@xxxxxxxxxxx]
Sent: Thursday, September 09, 2004 9:30 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
Thanks Joel but I checked and that policy is already in place,
enabled. I'm thinking about looking into the HKLM read only and the Full
Security mode that a couple of people have requested. My concerns are
other programs such as Office and Adobe will not work.
-----Original Message-----
From: Joel Stolk [mailto:JStolk@xxxxxxxxxxxxxxxx]
Sent: Wednesday, September 08, 2004 4:59 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
The locations are:
Computer Settings/Windows Components/Windows Installer/Policy
Setting/Prohibit User Installs
User Settings/Windows Components/Internet Explorer/Browser
menus/Disable Save this program to disk
These come from the out of box ADM templates that come with the
GPMC with SP1 from Microsoft.
If you need the GPMC go to
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4
B35-9272-DD3CBFC81887&displaylang=en
-Joel
________________________________
From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Abshire
Sent: Wednesday, September 08, 2004 4:46 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
I have searched the GPO but cannot find either of these
policies, is there a specific .adm I need to load?
-----Original Message-----
From: Joel Stolk [mailto:JStolk@xxxxxxxxxxxxxxxx]
Sent: Wednesday, September 08, 2004 4:43 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
One quick tip I can think of is to change the permissions in the
registry on the HKLM\Software key to read only for the users. A lot of
program installs will fail and/or not execute if they cannot write
information to this key. Also, a GPO or local policy to Prohibit User
Installs (under Computer Configuration) could help. Additionally, use a
GPO or local policy to not allow downloads from Internet Explorer.
-Joel
________________________________
From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Abshire
Sent: Wednesday, September 08, 2004 2:54 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Users installing programs
I have a question, I work for a property management company and
we provide Internet via Citrix to students. I have tried desperately to
lock down the servers but they seem to still be able to install Internet
based programs, (e.g. AOL instant messenger, Poker Party, etc) to name a
few. Is there a way to lock the server down tight so this cannot
continue without prohibiting the users to run necessary programs such as
Office?
Jim Abshire
Network Administrator
Dinerstein Management
713-570-0373
++++++CONFIDENTIALITY NOTICE++++++
The information in this email may be confidential and/or
privileged. This email is intended to be reviewed by only the individual
or organization named above. If you are not the intended recipient or an
authorized representative of the intended recipient, you are hereby
notified that any review, dissemination or copying of this email and its
attachments, if any, or the information contained herein is prohibited.
If you have received this email in error, please immediately notify the
sender by return email and delete this email from your system.
++++++CONFIDENTIALITY NOTICE++++++
The information in this email may be confidential and/or
privileged. This email is intended to be reviewed by only the individual
or organization named above. If you are not the intended recipient or an
authorized representative of the intended recipient, you are hereby
notified that any review, dissemination or copying of this email and its
attachments, if any, or the information contained herein is prohibited.
If you have received this email in error, please immediately notify the
sender by return email and delete this email from your system.
++++++CONFIDENTIALITY NOTICE++++++
The information in this email may be confidential and/or privileged.
This email is intended to be reviewed by only the individual or
organization named above. If you are not the intended recipient or an
authorized representative of the intended recipient, you are hereby
notified that any review, dissemination or copying of this email and its
attachments, if any, or the information contained herein is prohibited.
If you have received this email in error, please immediately notify the
sender by return email and delete this email from your system.
Other related posts:
