[gptalk] Re: Registry Key

• From: "Brian Cline" <bcline@xxxxxxxxxxx>
• To: <gptalk@xxxxxxxxxxxxx>
• Date: Fri, 13 Jul 2007 08:44:13 -0400

The best way to do this is to use SMS to exclude this computer from
discovery. Even if the GPO works in preventing the client from being
installed, SMS will continually try to push the client every time
discovery runs and will generate errors every time.
 
Brian Cline, Business Systems Analyst
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct
803.739.1176 Fax
 
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Friday, July 13, 2007 8:07 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key
 
Hi Darren,
 
When I push the SMS client, it creates a ccmsetup folder in"
\system32\ccmsetup" to which it copies its installation files. If I can
prevent this folder from being created through the GPO, I think I would
be fine. Also, If I can use the GPO, to prevent the following registry
key "HKLM\sytem\CurrentControlSet\Services\ccmsetup" from being created,
that would even be better. Any idea how to accomplish that?
 
Thanks for all your prompt responses.
 
Jean
 
________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, July 13, 2007 12:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key
As little as possible J. I am recovering SMS 1.0 and 1.2
administrator...it's a long hard road.
 
I'm open to understanding exactly why denying permissions to a registry
key to prevent an installation is not weird, but in all my years, it
sounds weird to me!
 
 
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 9:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key
 
I don't know how familiar you are with sms, but I'll try your
suggestion.
Thanks,
Jean

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Fri Jul 13 00:13:30 2007
Subject: [gptalk] Re: Registry Key

How about just using Software Restriction policy to deny that setup exe
from running? I think the way you've described to prevent an install
sounds kinda screwy, to be honest.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 8:38 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



I am trying to prevent sms from installing on clients and the ways to
do. That is by adding a ccmsetup key under hklm, but the permissions
should be set that the installation gets access denied when pushing the
client. I am using desktop standard to. Create that key and it works.
The only problem is that it it inherits parent permissions. I can fix
the permission, but once I reboot the test client it reverts back to
administrators, crearor owner, system etc. I would greatly appreciate if
you can help please.

Thanks,
Jean

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Thu Jul 12 23:31:29 2007
Subject: [gptalk] Re: Registry Key

That's not possible AFAIK. You can't have no permissions on a key. In
that case, it will always fall back to some default set of permissions.
What are you really trying to accomplish?



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 8:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



Darren,
No matter which option I pick, the permissions still come down. What I
am trying to do, if it is possible, is to even get rid of all
permissions on the key I am adding.

Thanks,
Jean

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Thu Jul 12 18:58:32 2007
Subject: [gptalk] Re: Registry Key

Well, the two main choices let you choose whether you want permissions
from parent keys to propagate into your controlled key in addition to
the permissions you specify in the policy. If you don't-that is, if you
want to break inheritance completely with the parent keys, then you
choose "do not allow permissions to be replaced". If you do, then you
choose the first option and then within that, whether you want your
permissions to be inherited downward or not.



Hope that helps,

Darren





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 2:53 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



Yes, which one to pick?

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Thu Jul 12 17:17:10 2007
Subject: [gptalk] Re: Registry Key

So are you asking which one to choose?



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 2:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Registry Key



Darren,

I am using the gpmc's built in security', however, the options I am
getting are:
Propogate inheritable permission
Allow inheritable permissions
Don't allow permission toi be replaced.

This is where my dilemna is.

Thanks,
Jean

----- Original Message -----
From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx>
Sent: Thu Jul 12 15:45:44 2007
Subject: [gptalk] Re: Registry Key

Jean-

There's a couple of ways to do that. You can use Group Policy's built-in
registry security capability or you could use a combination of a startup
script (assuming the key is under HKLM) and a utility like subinacl.exe
to do it.



Darren





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mesidor, Jean
Sent: Thursday, July 12, 2007 12:28 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Registry Key



I am trying to create a registry key to a GPO to prevent SMS
installation on some clients. I am using GPMC to do that, but I can't
modify the security on the key.. How can I achieve that please?



Thanks,

Jean

• Follow-Ups:
  • [gptalk] Re: Registry Key
    • From: Mesidor, Jean

• References:
  • [gptalk] Re: Registry Key
    • From: Mesidor, Jean
  • [gptalk] Re: Registry Key
    • From: Darren Mar-Elia
  • [gptalk] Re: Registry Key
    • From: Mesidor, Jean

Other related posts:

• » [gptalk] Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key
• » [gptalk] Re: Registry Key

1. Home
2. gptalk
3. Archive
4. 07-2007

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---