installing MS Office 2003/2007 on TS Machines

Cary Shultz

Good morning!

I hope that all of you in the US had a great 4th of July (we did...but the
little ones do not quite appreciate the Fireworks after bedtime!).

QUESTION: on a WIN2003 R2 SP2 Terminal Server we have, among other things,
MS Office 2007 installed. Additionally, we installed MS Office Project 2007
(default location). I need to limit the users who are able to make use of
MS Office Project 2007. Is this possible? Please read the short novel
below to understand why I am asking this question....


SHORT NOVEL!!!!!!

I noticed on the Terminal Server that C:\Program Files has an "extra"
Security Group in the NTFS Permissions tab - "TERMINAL SERVER USERS". I
have to admit that I have never noticed that before. I remoted into three
or four TS Boxes at different clients and lo and behold! All of them have
that!

I do not see this Security Group anywhere in Active Directory so *assume*
that it is a TS specific thing...can anyone shed a light on this for me? I
will admit that I have not used ldifde to enumerate all of the objects in
AD so I would not necessarily be surprised to find it tucked away....

The true reason for this post, as already mentioned, is that I want to limit
one of the MS Office 2007 applications (MS Office Project 2007) to a
specific group of users. I have the Security Groups already set up
(Universal Security Group containing the user account objects and then a
Local Security Group on the TS box...I made the USG a member of the LSG). I
do not want to remove the "Terminal Server Users" security group
(essentially, replace that with the LSG) on the executable (WINPROJ.exe) as
I do not want to mess things up.

Any guidance?

Thanks,

Cary
 
Re: installing MS Office 2003/2007 on TS Machines

"Cary Shultz" <cshultz@nospam.outsourceitcorp.com> schrieb im Newsbeitrag
news:%23bRD17o3IHA.3624@TK2MSFTNGP05.phx.gbl...
> Good morning!
>
> I hope that all of you in the US had a great 4th of July (we did...but the
> little ones do not quite appreciate the Fireworks after bedtime!).
>
> QUESTION: on a WIN2003 R2 SP2 Terminal Server we have, among other things,
> MS Office 2007 installed. Additionally, we installed MS Office Project
> 2007 (default location). I need to limit the users who are able to make
> use of MS Office Project 2007. Is this possible? Please read the short
> novel below to understand why I am asking this question....
>
>
> SHORT NOVEL!!!!!!
>
> I noticed on the Terminal Server that C:\Program Files has an "extra"
> Security Group in the NTFS Permissions tab - "TERMINAL SERVER USERS".


I guess that is the relaxed/default security thingy. It seems the
TSUserEnabled dword is set to 1 under
"HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server". Can
you confirm this? For additional information have a look at this article:
http://www.brianmadden.com/content/...nal-Servers-Permissions-Compatibility-Options

> I have to admit that I have never noticed that before. I remoted into
> three or four TS Boxes at different clients and lo and behold! All of
> them have that!
>
> I do not see this Security Group anywhere in Active Directory so *assume*
> that it is a TS specific thing...can anyone shed a light on this for me?
> I will admit that I have not used ldifde to enumerate all of the objects
> in AD so I would not necessarily be surprised to find it tucked away....
>
> The true reason for this post, as already mentioned, is that I want to
> limit one of the MS Office 2007 applications (MS Office Project 2007) to a
> specific group of users. I have the Security Groups already set up
> (Universal Security Group containing the user account objects and then a
> Local Security Group on the TS box...I made the USG a member of the LSG).
> I do not want to remove the "Terminal Server Users" security group
> (essentially, replace that with the LSG) on the executable (WINPROJ.exe)
> as I do not want to mess things up.


We create local groups like "app.office14.project", and put the user in the
group. Local groups, because each TS is very special here. On the file in
question "WINPROJ.EXE" we break up the ntfs-inheritance (copy), remove the
std. user groups and add the mentioned group. This way we enforce the
licensing and for example access via internet explorer to the internet.

-jolt
 
Re: installing MS Office 2003/2007 on TS Machines

"jolteroli" <jolt1976@gmx.net> wrote on 05 jul 2008 in
microsoft.public.windows.terminal_services:

>
> We create local groups like "app.office14.project", and put the
> user in the group. Local groups, because each TS is very special
> here. On the file in question "WINPROJ.EXE" we break up the
> ntfs-inheritance (copy), remove the std. user groups and add the
> mentioned group. This way we enforce the licensing and for
> example access via internet explorer to the internet.
>
> -jolt


Yes, that's how it is mostly done.
Problem is that Office is licensed per *client*, not per user. So
strictly speaking, you are not enforcing the Office EULA. But until
Microsoft introduces Office Per User licenses, I wouldn't know of a
better way to do it.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Re: installing MS Office 2003/2007 on TS Machines

NTFS permissions above and you could use Software Restriction Policies in
group policy.

Jeff Pitsch
Microsoft MVP - Terminal Services
 
Re: installing MS Office 2003/2007 on TS Machines

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in
news:ej6JC7p3IHA.1196@TK2MSFTNGP05.phx.gbl...
> NTFS permissions above and you could use Software Restriction Policies in
> group policy.


The latter seems the better. I didn't know about that, thanks Jeff.

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in
news:Xns9AD297F54470Cveranoesthemutforsse@207.46.248.16...
> "jolteroli" <jolt1976@gmx.net> wrote on 05 jul 2008 in
> microsoft.public.windows.terminal_services:
> Yes, that's how it is mostly done.
> Problem is that Office is licensed per *client*, not per user. So strictly
> speaking, you are not enforcing the Office EULA. But until Microsoft
> introduces Office Per User licenses, I wouldn't know of a better way to do
> it.


In layman's terms: If it were ->even possible<- to use Office (n licenses)
from (n+1) client machines, the EULA would be broken? Same thing as TS
licensing?

If so, one could enumerate the processes along with the session-id, grep for
'winword.exe' and unique the list. If the list has more than n entries, show
a message box instead of starting winword.exe.

#process-image:session-id
winword.exe:11 # Vera has opened Word twice, but
winword.exe:11 # that counts as one single CAL, right?
winword.exe:22 # Jeff also works in Word, OK.
winword.exe:33 # And Jolt breaks the EULA,

because we have had money for 2 licenses only. Jolt -> Jail!

-jolt (off with probation)
 
Re: installing MS Office 2003/2007 on TS Machines

"jolteroli" <jolt1976@gmx.net> wrote on 05 jul 2008 in
microsoft.public.windows.terminal_services:

> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in
> news:ej6JC7p3IHA.1196@TK2MSFTNGP05.phx.gbl...
>> NTFS permissions above and you could use Software Restriction
>> Policies in group policy.

>
> The latter seems the better. I didn't know about that, thanks
> Jeff.
>
> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> in news:Xns9AD297F54470Cveranoesthemutforsse@207.46.248.16...
>> "jolteroli" <jolt1976@gmx.net> wrote on 05 jul 2008 in
>> microsoft.public.windows.terminal_services:
>> Yes, that's how it is mostly done.
>> Problem is that Office is licensed per *client*, not per user.
>> So strictly speaking, you are not enforcing the Office EULA.
>> But until Microsoft introduces Office Per User licenses, I
>> wouldn't know of a better way to do it.

>
> In layman's terms: If it were ->even possible<- to use Office (n
> licenses) from (n+1) client machines, the EULA were broken? Same
> thing as TS licensing?
>
> If so, one could enumerate the processes along with the
> session-id, grep for 'winword.exe' and unique the list. If the
> list has more than n entries, show a message box instead of
> starting winword.exe.
>
> #process-image:session-id
> winword.exe:11 # Vera has opened Word twice, but
> winword.exe:11 # that counts as one single CAL, right?
> winword.exe:22 # Jeff also works in Word, OK.
> winword.exe:33 # And Jolt breaks the EULA,
>
> because we have had money for 2 licenses only. Jolt -> Jail!
>
> -jolt (off with probation)


Nice try, but even that doesn't do it :-)
You are checking for *concurrent* instances of Office, but the per
device licensing scheme of Office is not per concurrent instance.
So if you have 2 licenses, one single person could violate the EULA
by using Office from client 1 on Monday, from client 2 on Tuesday
and client 3 on Wednesday.
But restricting Office on a per user base is the best you can do,
I've never seen a Microsoft representative propose a better
solution.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Re: installing MS Office 2003/2007 on TS Machines

On Jul 5, 7:53 am, "jolteroli" <jolt1...@gmx.net> wrote:
>
> We create local groups like "app.office14.project", and put the user in the
> group. Local groups, because each TS is very special here. On the file in
> question "WINPROJ.EXE" we break up the ntfs-inheritance (copy), remove the
> std. user groups and add the mentioned group. This way we enforce the
> licensing and for example access via internet explorer to the internet.
>
> -jolt


Does this work in a workgroup environment? I have been trying to
figure out how to restrict certain users from using specific apps.
Everything I have read on Software Restriction Policies you have to be
in an AD to use them.

Jeff
 
Re: installing MS Office 2003/2007 on TS Machines

To use them properly yes. Why is the box in a workgroup? Novell in the mix
or something?

Jeff Pitsch
Microsoft MVP - Terminal Services
 
Re: installing MS Office 2003/2007 on TS Machines

On Jul 7, 10:51 am, "Jeff Pitsch" <j...@jeffpitschconsulting.com>
wrote:
> To use them properly yes. Why is the box in a workgroup? Novell in the mix
> or something?
>
> Jeff Pitsch
> Microsoft MVP - Terminal Services

Hi Jolt,
yes my TS is in a workgroup environment not an AD. Your solution with
the local groups seems like it might work. Is there information on it
posted somewhere that you could direct me to?

Thanks
Jeff
 
Re: installing MS Office 2003/2007 on TS Machines

Information on configuring NTFS permissions?

Jeff Pitsch
Microsoft MVP - Terminal Services
 
Re: installing MS Office 2003/2007 on TS Machines

"jphallett" <jphallett@gmail.com> schrieb im Newsbeitrag
news:e5e9e638-a99f-46cb-a644-56943c49989f@27g2000hsf.googlegroups.com...

> Hi Jolt,
> yes my TS is in a workgroup environment not an AD. Your solution with
> the local groups seems like it might work. Is there information on it
> posted somewhere that you could direct me to?
>
> Thanks
> Jeff


Hey Jeff

Although I wouldn't recommend it, we do it that way:

We keep a list "ALLOWEXEC.txt" in the "Program Files" directory, to know
what files or directories have been changed and to what permission.

------------------------
/foobar/start.exe
- Users
- Domain-Users
+ app.foobar
------------------------

This is important, because you'll never remember all the files after a
month. And searching for them is a pain in the 8

The local groups should have meaningful names, so you know which
application(s) this particular group allows to execute. Stuff the members
in.

Go to the executable that is referenced by the shortcut, or look in the task
manager to see what image name is running. On the permissions tab of the file,
break up the ACL inheritance and choose to copy the inherited ACLs. So you
keep the original permissions, but now they are unique to this single file.
Then boot out the standard user groups like Users and/or Domain-Users,
depending on your environment. Add the designated group and check the group
may read/execute. Done.

Another option would be to work on the whole directory of the application root.

Beware, this kinda "security" is deceiving. If for example the
Internet Explorer execution is denied this way, one can copy IEXPLORE.EXE
from another location to his/her home directory, set a shortcut to the single
file and choose the working directory to "C:/Program Files/Internet
Explorer". Voilà! From the view of IEXPLORE.EXE nothing has changed.

I believe there are 3rd-party tools out there that accomplish exactly
this task. But I don't know how they do it and if they require Active
Directory or other resources not available in workgroup environments.

Maybe the professionals know a better way?

-jolt
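
The procedure in the post above, scripted as an added example (not jolt's own code): it copies the inherited ACL onto the one executable, strips the standard user principals, grants the application group read/execute, and appends an entry in the ALLOWEXEC.txt format. The function name, its parameters, the default removal list (well-known SIDs) and the placeholder path are assumptions; it needs an elevated Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Restrict-ExecutableAcl and its
# parameter names are hypothetical; run from an elevated prompt.
function Restrict-ExecutableAcl {
    param(
        [string]   $Path,        # executable to lock down
        [string]   $AllowGroup,  # local group that keeps read/execute
        # Principals to strip. SIDs are used because display names are
        # localized: S-1-5-32-545 = BUILTIN\Users,
        #            S-1-5-13     = NT AUTHORITY\TERMINAL SERVER USER.
        # Add domain groups (e.g. Domain Users) by name where they apply.
        [string[]] $Remove  = @('S-1-5-32-545', 'S-1-5-13'),
        [string]   $LogFile = (Join-Path $env:ProgramFiles 'ALLOWEXEC.txt')
    )

    # Abort on the first failure instead of leaving a half-edited ACL.
    $ErrorActionPreference = 'Stop'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $file = (Resolve-Path -Path $Path).ProviderPath

    # Resolve the allowed group before touching the ACL, so a mistyped
    # group name cannot leave the file with nobody able to run it.
    $allowSid = (New-Object System.Security.Principal.NTAccount($AllowGroup)).Translate($sidType)

    # Step 1: break inheritance and copy the inherited ACEs as explicit ones.
    $acl = Get-Acl -Path $file
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $file -AclObject $acl
    $acl = Get-Acl -Path $file   # re-read: copied ACEs are now explicit

    # Step 2: remove every explicit ACE held by the standard user principals.
    $removed = @()
    foreach ($entry in $Remove) {
        if ($entry -match '^S-1-') {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
        } else {
            $sid = (New-Object System.Security.Principal.NTAccount($entry)).Translate($sidType)
        }
        $hits = @($acl.GetAccessRules($true, $false, $sidType) |
                  Where-Object { $_.IdentityReference.Value -eq $sid.Value })
        if ($hits.Count -gt 0) {
            $acl.PurgeAccessRules($sid)
            $removed += $entry
        }
    }

    # Step 3: grant the application group read/execute only.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $allowSid, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl

    # Step 4: record the change in the list format shown in the post.
    $lines  = @('------------------------', $file)
    $lines += @($removed | ForEach-Object { "- $_" })
    $lines += "+ $AllowGroup"
    $lines += '------------------------'
    Add-Content -Path $LogFile -Value $lines

    # Return the resulting ACEs so the outcome can be reviewed.
    (Get-Acl -Path $file).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage (placeholder path; the group name is the one used in the thread):
# Restrict-ExecutableAcl -Path '<path to WINPROJ.EXE>' -AllowGroup 'app.office14.project'
```

The ACL change covers only this one copy of the file; it does nothing about a copy of the same binary stored elsewhere, which is the limitation the post describes.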
 