[THIN] Re: Rolling out/Packaging IE Plugins

  • From: "Mack, Rick" <Rick.Mack@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 30 Apr 2004 21:19:46 +1000

Hi,
 
You can allow or disallow activex controls in a group policy. The only gotcha 
is that any activex controls not on the default list will have to be manually 
added to the group policy.
 
It's not big deal though once you get the classid  of the activex control. It's 
normally visible in the properties of the control as senn in 
%systemroot%\downloaded program files.
 
regards,
 
Rick
 
Ulrich Mack
Volante Systems
 
 
________________________________

From: thin-bounce@xxxxxxxxxxxxx on behalf of Chris Lynch
Sent: Fri 30/04/2004 5:53 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Rolling out/Packaging IE Plugins



I do agree with your comments.  However, I have a client that would like to
automate this process as much as possible.  BUT, this isn't for a MF
environment.  It's for their locked down desktops.  The users obviously
don't have the necessary rights to install ActiveX controls.  They want
their users to send in a request for the ActiveX control.  If approved, they
would distribute it to their clients.

I'm sure that someone out there has attempted this before, right?

Chris

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Braebaum, Neil
> Sent: Thursday, April 29, 2004 1:28 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Rolling out/Packaging IE Plugins
>
> Well as for the imaging thing, surely it's something you
> could do before the sysprep and the image?
>
> I suppose there may be mileage in trying to automate it - but
> it would likely need some runtime parameters, too.
>
> It's always going to be a bespoke thing, though, because it's
> likely that each ActiveX control / plugin for LOB apps tends
> to be quite specific. So anyone likely who has solved it,
> will have only likely solved it for what they've got to do, I
> don't think there's necessarily any general / generic
> solution, as it's nearly always a slightly variable feast.
>
> As for runtime - you're going to have the same issues as you
> have for a normal user accessing active content / plugins
> during a session, aren't you.
>
> For me it's not much of an overhead - it's a couple of
> minutes during build time of a server.
>
> The only time I need to make any changes, if for cert changes
> - in which case it's the login script, or should anything
> change regarding the control SID.
>
> Neil
>
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > Sent: 28 April 2004 20:00
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Rolling out/Packaging IE Plugins
> >
> > Both.
> >
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Braebaum, Neil
> > > Sent: Wednesday, April 28, 2004 8:54 AM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Rolling out/Packaging IE Plugins
> > >
> > > When you say "package" or automate - do you mean from a imaging a
> > > server perspective (so automating the build process).
> > >
> > > Or merely something for runtime?
> > >
> > > Neil
> > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Chris Lynch
> > > > Sent: 28 April 2004 16:50
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Rolling out/Packaging IE Plugins
> > > >
> > > > That's a pretty good process.  But, how would you go about
> > > automating
> > > > the process?  I would image that you could create a
> package (using
> > > > Wise Installer, or even InstallShield)?  Has anyone
> > attempted this
> > > > with success?
> > > >
> > > > > -----Original Message-----
> > > > > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx]
> > > > > On Behalf Of Braebaum, Neil
> > > > > Sent: Wednesday, April 28, 2004 7:21 AM
> > > > > To: thin@xxxxxxxxxxxxx
> > > > > Subject: [THIN] Re: Rolling out/Packaging IE Plugins
> > > > >
> > > > > I've done this with ActiveX and Java plugins for some
> > > years, for my
> > > > > terminal server / Citrix users.
> > > > >
> > > > > Bearing in mind I use mandatory profiles, and quite
> locked down
> > > > > servers
> > > > > - so all local drives hidden, and protected by DACLs such
> > > that users
> > > > > cannot write to any of the local server drives, and users
> > > are only
> > > > > normal users, therefore have no permissions to be
> able to update
> > > > > central parts of the registry...
> > > > >
> > > > > What I did was:-
> > > > >
> > > > > 1. Edited the values in
> > > > > HKLM\Software\Microsoft\Windows\CurrentVersion\Internet
> > > > > Settings\ActiveXCache *and*
> > > > > HKLM\Software\Microsoft\Windows\CurrentVersion\Internet
> > > > > Settings\ActiveX Cache\0 to contain
> > > "H:\WINDOWS\Downloaded Program
> > > > > Files"
> > > > >
> > > > > 2. Whilst logged in as admin, subst'd h: to point to
> the admin's
> > > > > (local) profile directory. And under there, created a
> directory
> > > > > "WINDOWS\Downloaded Program Files" (this will make more sense
> > > > > later...)
> > > > >
> > > > > 3. Ran the IE app that uses the ActiveX control. This
> > > will download
> > > > > the ActiveX control files to the directory above, created
> > > the class
> > > > > keys in HKCR.
> > > > >
> > > > > 4. Saved these ActiveX control files to %systemroot%\system32
> > > > > (again, this will make more sense later).
> > > > >
> > > > > So by this point, the ActiveX control has been
> registered and is
> > > > > installed on the machine.
> > > > >
> > > > > 5. Create a login script that pre-installs the digital
> > > certificate
> > > > > that the ActiveX control is signed with, into the users' HKCU.
> > > > >
> > > > > 6. Have the login script copy the ActiveX control files from
> > > > > %systemroot%\system32 to the users h:\WINDOWS\Downloaded
> > > > Program Files
> > > > > directory (otherwise, I think (it's been a
> > > > > while) the system probably thought this was required
> again (the
> > > > > download of the control) and would probably think it had
> > > to do the
> > > > > whole HKCR rigmarole again).
> > > > >
> > > > > The Java applet is signed with the same certificate,
> so step 5
> > > > > covers this. The Java classes get dragged to somewhere under
> > > > > %systemroot%\java (if my memory serves me) and once
> > there there,
> > > > > it's a done deal.
> > > > >
> > > > > I seem to remember having to correct some of the paths in
> > > > > HKCR\CLSID\<control ID> under InprocServer32 for the
> > > controls used.
> > > > >
> > > > > Bearing in mind much of the above is coloured by
> having fairly
> > > > > tightly locked servers (in terms of filesystem, registry and
> > > > > mandatory profiles), and also, will be heavily
> affected by the
> > > > > specifics of the individual controls used by my line of
> > business
> > > > > application.
> > > > >
> > > > > As no doubt you will have gathered, regmon and filemon
> > > were pretty
> > > > > essential in me working all that out.
> > > > >
> > > > > As it stands the ActiveX and Java use by the app is
> seamless for
> > > > > these users - because it's all pre-empted. It also
> means I have
> > > > > control - they cannot download other ActiveX or Java
> because of
> > > > > security settings, and their level of access and permissions.
> > > > >
> > > > > If the ActiveX control (or Java) gets modified, and / or
> > > > signed with a
> > > > > new(er) / different digital certificate, then I *may*
> > > need to do the
> > > > > admin running of the app stage again - or simply
> amend the login
> > > > > script details with the adding of the digital cert to
> > each users
> > > > > (transient - mandatory profiles) HKCU).
> > > > >
> > > > > <phew...> That's how I do it, anyways.
> > > > >
> > > > > Neil
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > [mailto:thin-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Monahan, Thomas
> > > > > > Sent: 28 April 2004 13:06
> > > > > > To: 'thin@xxxxxxxxxxxxx'
> > > > > > Subject: [THIN] Re: Rolling out/Packaging IE Plugins
> > > > > >
> > > > > > I was talking more in the general terms, but at the moment
> > > > > I have an
> > > > > > activeX control that needs to be rolled out to
> > multiple servers.
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From:     Braebaum, Neil
> > [SMTP:Neil.Braebaum@xxxxxxxxxxxxxxxxx]
> > > > > > > Sent:     28 April 2004 09:39
> > > > > > > To:       thin@xxxxxxxxxxxxx
> > > > > > > Subject:  [THIN] Re: Rolling out/Packaging IE Plugins
> > > > > > >
> > > > > > > What sort of plugin?
> > > > > > >
> > > > > > > Neil
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of
> > > > Monahan, Thomas
> > > > > > > > Sent: 27 April 2004 17:55
> > > > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > > > Subject: [THIN] Rolling out/Packaging IE Plugins
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > How do you all roll out IE plugins onto your servers? I
> > > > > just tried
> > > > > > > > to package one there but its failing to install. I was
> > > > > wondering
> > > > > > > > how you guys to it?
>
> ***********************************************
> This e-mail and its attachments are confidential and are
> intended for the above named recipient only. If this has come
> to you in error, please notify the sender immediately and
> delete this e-mail from your system.
> You must take no action based on this, nor must you copy or
> disclose it or any part of its contents to any person or organisation.
> Statements and opinions contained in this email may not
> necessarily represent those of Littlewoods.
> Please note that e-mail communications may be monitored.
> The registered office of Littlewoods Limited and its
> subsidiaries is 100 Old Hall Street, Liverpool, L70 1AB.
> Registered number of Littlewoods Limited is 262152.
> ************************************************
>
> ********************************************************
> This week's sponsor - Emergent Online
> Emergent delivers end-to-end solutions for private and public
> sector clients. From centralized application management,
> business continuity, outsourcing, to application development,
> security, and messaging solutions.
> http://www.go-eol.com/index.asp
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or
> Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
>


********************************************************
This week's sponsor - Emergent Online
Emergent delivers end-to-end solutions for private and public sector clients. 
From centralized application management, business continuity, outsourcing, to 
application development, security, and messaging solutions.
http://www.go-eol.com/index.asp
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm



-- No attachments (even text) are allowed --
-- Type: application/ms-tnef
-- File: winmail.dat


********************************************************
This week's sponsor - Emergent Online
Emergent delivers end-to-end solutions for private and public sector clients. 
From centralized application management, business continuity, outsourcing, to 
application development, security, and messaging solutions.
http://www.go-eol.com/index.asp
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm

Other related posts: