Re: Controlling user access to applications (Newbie question)
You should really read the KB article on how to use Software
Restriction policies, or better stil, here's a TechNet article
which explains all the steps in detail:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstr
plcy.mspx
But I can give you the broad picture:
* put your TS computer account in a separate OU, let's call it
TS_OU
* do not put your user accounts in this TS_OU
* create a security group, let's call it ProjectUsers
* add all users who are allowed to use MS Project to this group
* create a TS-specific GPO, link it to the TS_OU
* configure the Software Restictions policies in this GPO, under
User Configuration, set the default value to "Unrestricted" and
then create an exception for MSProject and set it to "Disallowed"
* configure loopback processing with the Replace option in this
GPO, under Computer Configuration - Administrative Templates -
System - Group Policy
* in the security filtering of the GPO, add the ProjectUsers
security group, and check "Deny" for the right to Read and Apply
this GPO.
The effect of the above is that the policy will only apply to users
when they connect to the TS, not when they logon to their
workstation (that's done with loopback processing), and the
security filtering makes sure that the policy (and thus the
Software Restriction) doesn't apply to members of the ProjectUsers
group.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"Pieman" <bullens_at_no_spam_nifcoeu.com> wrote on 28 nov 2007 in
microsoft.public.windows.terminal_services:
> Vera,
>
> Thanks for replying, I was thinking along the lines of software
> restrictions using GP, but have never used them before, can you
> elaborate a bit more on how to utilise them on a TS?
>
> Regards
> Pieman
>
> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns99F69842A57A2veranoesthemutforsse@207.46.248.16...
>> One way to achieve this is by changing the NTFS permissions on
>> the main executable file for MS project.
>>
>> Another way is to use a Software Restriction policy and use
>> security filtering of the GPO to apply it only to specific user
>> groups.
>>
>> 324036 - HOW TO: Use Software Restriction Policies in Windows
>> Server 2003
>> http://support.microsoft.com/?kbid=324036
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?UGllbWFu?= <Pieman@discussions.microsoft.com> wrote
>> on 28 nov 2007 in microsoft.public.windows.terminal_services:
>>
>>> How do you go about controlling which users can run specific
>>> applications that are installed in a TS environment?
>>>
>>> As an example, say you have 100 users connecting into a TS
>>> server that has MS Office and MS Project installed, but you
>>> only have a need for 5 users to run Project how would you
>>> prevent the remaining users from having the ability to run
>>> Project or even know that it was installed but still allow
>>> them to run Office?
>>>
>>> Cheers