The best way to do this is to use SMS to exclude this computer from discovery. Even if the GPO works in preventing the client from being installed, SMS will continually try to push the client every time discovery runs and will generate errors every time. Brian Cline, Business Systems Analyst Department of Information Technology G&P Trucking Company, Inc. 803.936.8595 Direct 803.739.1176 Fax From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Mesidor, Jean Sent: Friday, July 13, 2007 8:07 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Registry Key Hi Darren, When I push the SMS client, it creates a ccmsetup folder in" \system32\ccmsetup" to which it copies its installation files. If I can prevent this folder from being created through the GPO, I think I would be fine. Also, If I can use the GPO, to prevent the following registry key "HKLM\sytem\CurrentControlSet\Services\ccmsetup" from being created, that would even be better. Any idea how to accomplish that? Thanks for all your prompt responses. Jean ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Friday, July 13, 2007 12:28 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Registry Key As little as possible J. I am recovering SMS 1.0 and 1.2 administrator...it's a long hard road. I'm open to understanding exactly why denying permissions to a registry key to prevent an installation is not weird, but in all my years, it sounds weird to me! From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Mesidor, Jean Sent: Thursday, July 12, 2007 9:18 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Registry Key I don't know how familiar you are with sms, but I'll try your suggestion. Thanks, Jean ----- Original Message ----- From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx> To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx> Sent: Fri Jul 13 00:13:30 2007 Subject: [gptalk] Re: Registry Key How about just using Software Restriction policy to deny that setup exe from running? I think the way you've described to prevent an install sounds kinda screwy, to be honest. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Mesidor, Jean Sent: Thursday, July 12, 2007 8:38 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Registry Key I am trying to prevent sms from installing on clients and the ways to do. That is by adding a ccmsetup key under hklm, but the permissions should be set that the installation gets access denied when pushing the client. I am using desktop standard to. Create that key and it works. The only problem is that it it inherits parent permissions. I can fix the permission, but once I reboot the test client it reverts back to administrators, crearor owner, system etc. I would greatly appreciate if you can help please. Thanks, Jean ----- Original Message ----- From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx> To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx> Sent: Thu Jul 12 23:31:29 2007 Subject: [gptalk] Re: Registry Key That's not possible AFAIK. You can't have no permissions on a key. In that case, it will always fall back to some default set of permissions. What are you really trying to accomplish? From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Mesidor, Jean Sent: Thursday, July 12, 2007 8:27 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Registry Key Darren, No matter which option I pick, the permissions still come down. What I am trying to do, if it is possible, is to even get rid of all permissions on the key I am adding. Thanks, Jean ----- Original Message ----- From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx> To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx> Sent: Thu Jul 12 18:58:32 2007 Subject: [gptalk] Re: Registry Key Well, the two main choices let you choose whether you want permissions from parent keys to propagate into your controlled key in addition to the permissions you specify in the policy. If you don't-that is, if you want to break inheritance completely with the parent keys, then you choose "do not allow permissions to be replaced". If you do, then you choose the first option and then within that, whether you want your permissions to be inherited downward or not. Hope that helps, Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Mesidor, Jean Sent: Thursday, July 12, 2007 2:53 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Registry Key Yes, which one to pick? ----- Original Message ----- From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx> To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx> Sent: Thu Jul 12 17:17:10 2007 Subject: [gptalk] Re: Registry Key So are you asking which one to choose? From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Mesidor, Jean Sent: Thursday, July 12, 2007 2:05 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Registry Key Darren, I am using the gpmc's built in security', however, the options I am getting are: Propogate inheritable permission Allow inheritable permissions Don't allow permission toi be replaced. This is where my dilemna is. Thanks, Jean ----- Original Message ----- From: gptalk-bounce@xxxxxxxxxxxxx <gptalk-bounce@xxxxxxxxxxxxx> To: gptalk@xxxxxxxxxxxxx <gptalk@xxxxxxxxxxxxx> Sent: Thu Jul 12 15:45:44 2007 Subject: [gptalk] Re: Registry Key Jean- There's a couple of ways to do that. You can use Group Policy's built-in registry security capability or you could use a combination of a startup script (assuming the key is under HKLM) and a utility like subinacl.exe to do it. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Mesidor, Jean Sent: Thursday, July 12, 2007 12:28 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Registry Key I am trying to create a registry key to a GPO to prevent SMS installation on some clients. I am using GPMC to do that, but I can't modify the security on the key.. How can I achieve that please? Thanks, Jean