[gptalk] Re: Setting program access on TS using GP

  • From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 25 Jun 2008 13:23:18 -0500

Well I don't know about the best way, but it is not uncommon. With
loopback processing enabled, just redirect their start menu and desktop
to folders that only have the shortcuts you want them to see. You'll
also want to lock down the desktop/start menu so they can't make changes
(read-only NTFS permissions will usually suffice here), as well as
making sure you disable their access to the run command in the Start
Menu so they can't run anything from there either. Additionally, you
would not want to redirect folders for the server administrators, so you
might want to explicitly deny the "Apply Group Policy" right for them or
limit applicability of the GPO via Security Filtering to a specific
group that all non-admins of that server are a part of.

 

You also could take this another step further and redirect based on a
group name, so that different groups have different sets of icons. In
that case, you would not need to limit applicability of the GPO, because
folder redirection will only take place if the user is in one of the
groups you are redirecting folders for.

 

Sorry if I seem to be rambling. The point is that you have some options.
Let me know if I'm not making any sense. :)

 

Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon
Energy | Work: 405.552.8054 | http://www.dvn.com
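
The setup described in the message above, sketched with the GroupPolicy PowerShell module (RSAT) as an added example that is not part of the original thread. The GPO names, group, OU and folder path are hypothetical placeholders, and the folder redirection targets themselves are still set in the GPO editor. Loopback is placed in its own computer-side GPO so that security filtering on the user-side GPO does not stop the server from receiving it.

```powershell
# Added illustration, not from the thread. All names and paths are hypothetical.
Import-Module GroupPolicy

$loopbackGpo = 'TS - Loopback'                         # computer-side GPO
$desktopGpo  = 'TS - Restricted Desktop'               # user-side GPO
$tsOu        = 'OU=Terminal Servers,DC=example,DC=com' # OU holding the TS computer accounts
$tsUsers     = 'EXAMPLE\TS-Restricted-Users'           # every non-admin user of the server
$shortcuts   = 'D:\TSShortcuts'                        # folder the Start Menu/Desktop redirect to

New-GPO -Name $loopbackGpo | Out-Null
New-GPO -Name $desktopGpo  | Out-Null

# Loopback processing: UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $loopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# "Remove Run menu from Start Menu" for users who receive the desktop GPO.
Set-GPRegistryValue -Name $desktopGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Security filtering: only the restricted group applies the desktop GPO.
# Authenticated Users keeps Read so the GPO can still be read during processing;
# server administrators outside $tsUsers never apply it.
Set-GPPermission -Name $desktopGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $desktopGpo -TargetName $tsUsers `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link both GPOs to the OU that contains the terminal servers.
New-GPLink -Name $loopbackGpo -Target $tsOu | Out-Null
New-GPLink -Name $desktopGpo  -Target $tsOu | Out-Null

# Read-only NTFS permissions on the shortcut folder: drop inherited ACEs,
# give admins and SYSTEM full control, give restricted users read/execute only.
icacls $shortcuts /inheritance:r /grant:r `
    'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${tsUsers}:(OI)(CI)RX"

# Verify who can apply the desktop GPO.
Get-GPPermission -Name $desktopGpo -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
```

Run `gpresult /r` in a test user's session on the terminal server to confirm that the restricted-desktop GPO is listed under the applied user settings and is absent for an administrator.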

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Savanah Garrison
Sent: Wednesday, June 25, 2008 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Setting program access on TS using GP

 

I just want some programs to not be visible to some users on my TS.  Is
GP the best way to accomplish that?   

 

________________________________

From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx] 
Sent: Wednesday, June 25, 2008 10:09 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Setting program access on TS using GP

 

Well, it depends on what your definition of "set access" is. If you want
to prevent them from being executed you could look at Software
Restriction Policy, but be careful in your approach. If those
applications are policy aware (meaning they look in the two "policy"
areas of the registry), the company that made them may already have ADM
templates to control some settings. Otherwise, you can take one of
two approaches:

 

1. Create a custom ADM for any registry controlled settings and
"tattoo" them (meaning they won't undo themselves after a machine falls
out of scope). This is the classic way most of us are used to OR

2. Use the new Group Policy Preference (GPP) extensions to
populate the registry settings. This approach would be more similar to
the way a group policy setting behaves in that you can tell GPP to
remove the setting when a machine falls out of scope.

 

As far as Office is concerned, there are already Microsoft-provided ADM
templates that are part of the Resource Kits for each Office version,
which will allow you to control just about anything you can imagine. You
can download them from the Office downloads area.

 

Hope that helps a little.

 

 

Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon
Energy | Work: 405.552.8054 | http://www.dvn.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Savanah Garrison
Sent: Tuesday, June 24, 2008 7:48 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Setting program access on TS using GP

 

I need to set access to specific programs on my terminal server using
group policy.  I understand that this IS possible, but that I need to
add custom ADM templates for each program?  Where do I find those ADM
templates?  I have some non-standard programs like timberline and argus
as well as the normal Office suite that I would like to lock down.

 

Thank you!

 

Savanah Garrison

IT Specialist

Trademark Property Company

817.639.2708

 

CONFIDENTIAL NOTICE: This electronic transmission and any documents or
other writings sent with it constitute confidential information intended
only for the named recipient.  If you have received this communication
in error, do not read it. Please reply to the sender that you have
received the message in error, then delete the message.  Any disclosure,
copying, distribution or the taking of any action concerning the
contents of this communication or any attachment(s) by anyone other than
the named recipient is strictly prohibited.

 

________________________________

Confidentiality Warning: This message and any attachments are intended
only for the use of the intended recipient(s), are confidential, and may
be privileged. If you are not the intended recipient, you are hereby
notified that any review, retransmission, conversion to hard copy,
copying, circulation or other use of all or any portion of this message
and any attachments is strictly prohibited. If you are not the intended
recipient, please notify the sender immediately by return e-mail, and
delete this message and any attachments from your system. 
