Prevent users from launching tsadmin.exe?

  • Thread starter Thread starter Dennis_S
  • Start date Start date
D

Dennis_S

Guest
What is the best practice to prevent users from being able to launch
tsadmin.exe?

Thanks.
 
Re: Prevent users from launching tsadmin.exe?

You can always change the NTFS permissions on tsadmin.exe
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com> wrote
on 19 mar 2008 in microsoft.public.windows.terminal_services:

> What is the best practice to prevent users from being able to
> launch tsadmin.exe?
>
> Thanks.
 
Re: Prevent users from launching tsadmin.exe?

Thanks for the reply Vera. I considered that option, but I don't want to
select Deny for the Users (computername\Users). If I delete this group, is
there a way to replace it if needed?

Much appreciated.

Dennis

"Vera Noest [MVP]" wrote:

> You can always change the NTFS permissions on tsadmin.exe
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com> wrote
> on 19 mar 2008 in microsoft.public.windows.terminal_services:
>
> > What is the best practice to prevent users from being able to
> > launch tsadmin.exe?
> >
> > Thanks.
>
 
Re: Prevent users from launching tsadmin.exe?

I wouldn't add a "Deny" ACL, I would add an ACL which ensures that
you can continue to use tsadmin.exe, something like
computername\Administrators or maybe domain\Domain Admins with Full
Control and then remove the Authenticated Users ACL.

As long as you make sure that there is an ACL which allows you Full
Control (and there is no rule which denies you access), you can
always undo your changes. Keep in mind that a "Deny" rule overrides
other rules, so be extremely careful (or better: avoid) Deny rules.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com> wrote
on 20 mar 2008 in microsoft.public.windows.terminal_services:

> Thanks for the reply Vera. I considered that option, but I
> don't want to select Deny for the Users (computername\Users).
> If I delete this group, is there a way to replace it if needed?
>
> Much appreciated.
>
> Dennis
>
> "Vera Noest [MVP]" wrote:
>
>> You can always change the NTFS permissions on tsadmin.exe
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com>
>> wrote on 19 mar 2008 in
>> microsoft.public.windows.terminal_services:
>>
>> > What is the best practice to prevent users from being able to
>> > launch tsadmin.exe?
>> >
>> > Thanks.
 
Re: Prevent users from launching tsadmin.exe?

Can you please share why would you want to prevent users running tsadmin?
Please keep in mind that tsadmin functionalities also available in ts
command line tools.
Thanks
Soo Kuan


--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9A67D5F6A8281veranoesthemutforsse@207.46.248.16...
>I wouldn't add a "Deny" ACL, I would add an ACL which ensures that
> you can continue to use tsadmin.exe, something like
> computername\Administrators or maybe domain\Domain Admins with Full
> Control and then remove the Authenticated Users ACL.
>
> As long as you make sure that there is an ACL which allows you Full
> Control (and there is no rule which denies you access), you can
> always undo your changes. Keep in mind that a "Deny" rule overrides
> other rules, so be extremely careful (or better: avoid) Deny rules.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com> wrote
> on 20 mar 2008 in microsoft.public.windows.terminal_services:
>
>> Thanks for the reply Vera. I considered that option, but I
>> don't want to select Deny for the Users (computername\Users).
>> If I delete this group, is there a way to replace it if needed?
>>
>> Much appreciated.
>>
>> Dennis
>>
>> "Vera Noest [MVP]" wrote:
>>
>>> You can always change the NTFS permissions on tsadmin.exe
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>> ___ please respond in newsgroup, NOT by private email ___
>>>
>>> =?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com>
>>> wrote on 19 mar 2008 in
>>> microsoft.public.windows.terminal_services:
>>>
>>> > What is the best practice to prevent users from being able to
>>> > launch tsadmin.exe?
>>> >
>>> > Thanks.
 
Back
Top