How to prevent users from installing programs.

  • Thread starter Thread starter RandyH
  • Start date Start date
R

RandyH

Guest
We have an app that requires users to be local admins, crappy I know,
but I how can i prevent users from installing programs?

If the TS has be in admin mode anyway, why would MS let programs get
installed otherwise????? - rant..
 
Re: How to prevent users from installing programs.

RandyH <RHollaw@HOTmail.com> wrote:
> We have an app that requires users to be local admins, crappy I know,
> but I how can i prevent users from installing programs?
>
> If the TS has be in admin mode anyway, why would MS let programs get
> installed otherwise????? - rant..

You can lock down most everything you need to --and should-- but why not fix
the underlying problem with this application first? You should be able to
identify the file system & registry areas to which it wants access - try
using Process Monitor from Sysinternals (available for download on the MS
website). Users should not be admins on workstations, let alone servers &
you shouldn't have to leave them that way.

Basics: you should be running Terminal Services on a dedicated member server
with *no* other roles on the network. It should be set up in its own OU,
with a policy specifically for TS (including loopback processing so that all
users who log in get the same settings, regardless of their own inherited
user policy settings). See KB 278295 for some good lockdown suggestions.
Also see MVP Patrick Rouse's articles at
http://www.sessioncomputing.com/articles.htm
 
Re: How to prevent users from installing programs.

I guess Disable Windows Installer could have been a good answer too.
Thanks for the KB, I had followed most of that article minus the Disable
Windows Installer setting.

do you know anything about Worldox? it's a POS and we've tried what you
have suggested in the past without success.

again, thanks for the KB...



Lanwench [MVP - Exchange] wrote:
> RandyH <RHollaw@HOTmail.com> wrote:
>> We have an app that requires users to be local admins, crappy I know,
>> but I how can i prevent users from installing programs?
>>
>> If the TS has be in admin mode anyway, why would MS let programs get
>> installed otherwise????? - rant..
>
> You can lock down most everything you need to --and should-- but why not fix
> the underlying problem with this application first? You should be able to
> identify the file system & registry areas to which it wants access - try
> using Process Monitor from Sysinternals (available for download on the MS
> website). Users should not be admins on workstations, let alone servers &
> you shouldn't have to leave them that way.
>
> Basics: you should be running Terminal Services on a dedicated member server
> with *no* other roles on the network. It should be set up in its own OU,
> with a policy specifically for TS (including loopback processing so that all
> users who log in get the same settings, regardless of their own inherited
> user policy settings). See KB 278295 for some good lockdown suggestions.
> Also see MVP Patrick Rouse's articles at
> http://www.sessioncomputing.com/articles.htm
>
>
 
Re: How to prevent users from installing programs.

RandyH <RHollaw@HOTmail.com> wrote:
> I guess Disable Windows Installer could have been a good answer too.
> Thanks for the KB, I had followed most of that article minus the
> Disable Windows Installer setting.
>
> do you know anything about Worldox? it's a POS and we've tried what
> you have suggested in the past without success.
>
> again, thanks for the KB...

No prob. I presume that by POS you don't mean "point of sale" but something
else. ;-)
And no, I'm not familiar with it. Just try the sysinternals tool...it's very
handy.
>
>
>
> Lanwench [MVP - Exchange] wrote:
>> RandyH <RHollaw@HOTmail.com> wrote:
>>> We have an app that requires users to be local admins, crappy I
>>> know, but I how can i prevent users from installing programs?
>>>
>>> If the TS has be in admin mode anyway, why would MS let programs get
>>> installed otherwise????? - rant..
>>
>> You can lock down most everything you need to --and should-- but why
>> not fix the underlying problem with this application first? You
>> should be able to identify the file system & registry areas to which
>> it wants access - try using Process Monitor from Sysinternals
>> (available for download on the MS website). Users should not be
>> admins on workstations, let alone servers & you shouldn't have to
>> leave them that way. Basics: you should be running Terminal Services on a
>> dedicated
>> member server with *no* other roles on the network. It should be set
>> up in its own OU, with a policy specifically for TS (including
>> loopback processing so that all users who log in get the same
>> settings, regardless of their own inherited user policy settings).
>> See KB 278295 for some good lockdown suggestions. Also see MVP
>> Patrick Rouse's articles at
>> http://www.sessioncomputing.com/articles.htm
 
Re: How to prevent users from installing programs.

Hi,

You can try Remote Application Center : http://www.mqtechnologies.com

Regards

ThomasT.

"RandyH" <RHollaw@HOTmail.com> wrote in message
news:OdJDrmm9IHA.1468@TK2MSFTNGP05.phx.gbl...
> We have an app that requires users to be local admins, crappy I know, but
> I how can i prevent users from installing programs?
>
> If the TS has be in admin mode anyway, why would MS let programs get
> installed otherwise????? - rant..
 
Re: How to prevent users from installing programs.

I was looking at Disable Windows Installer setting and see another
setting called, Prohibit User Installs.

Would that prevent users from installing programs?

The Disable Windows Installer, would that only apply to MSI's?

Thanks again,
RandyH



Lanwench [MVP - Exchange] wrote:
> RandyH <RHollaw@HOTmail.com> wrote:
>> I guess Disable Windows Installer could have been a good answer too.
>> Thanks for the KB, I had followed most of that article minus the
>> Disable Windows Installer setting.
>>
>> do you know anything about Worldox? it's a POS and we've tried what
>> you have suggested in the past without success.
>>
>> again, thanks for the KB...
>
> No prob. I presume that by POS you don't mean "point of sale" but something
> else. ;-)
> And no, I'm not familiar with it. Just try the sysinternals tool...it's very
> handy.
>>
>>
>> Lanwench [MVP - Exchange] wrote:
>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>> We have an app that requires users to be local admins, crappy I
>>>> know, but I how can i prevent users from installing programs?
>>>>
>>>> If the TS has be in admin mode anyway, why would MS let programs get
>>>> installed otherwise????? - rant..
>>> You can lock down most everything you need to --and should-- but why
>>> not fix the underlying problem with this application first? You
>>> should be able to identify the file system & registry areas to which
>>> it wants access - try using Process Monitor from Sysinternals
>>> (available for download on the MS website). Users should not be
>>> admins on workstations, let alone servers & you shouldn't have to
>>> leave them that way. Basics: you should be running Terminal Services on a
>>> dedicated
>>> member server with *no* other roles on the network. It should be set
>>> up in its own OU, with a policy specifically for TS (including
>>> loopback processing so that all users who log in get the same
>>> settings, regardless of their own inherited user policy settings).
>>> See KB 278295 for some good lockdown suggestions. Also see MVP
>>> Patrick Rouse's articles at
>>> http://www.sessioncomputing.com/articles.htm
>
>
>
 
Re: How to prevent users from installing programs.

No, this setting is about the difference between installing
applications per computer or per user.
Tip: read the "Explain" text that is available for all GPO
settings:

This setting allows you to configure user installs. To configure
this setting, set it to enabled and use the drop-down list to
select the behavior you want. If this setting is not configured,
or if the setting is enabled and Allow User Installs is selected,
the installer allows and makes use of products that are installed
per user, and products that are installed per computer. If the
installer finds a per-user install of an application, this hides a
per-computer installation of that same product. If this setting is
enabled and Hide User Installs is selected, the installer ignores
per-user applications. This causes a per-computer installed
application to be visible to users, even if those users have a per-
user install of the product registered in their user profile. If
this setting is enabled and Prohibit User Installs is selected, the
installer prevents applications from being installed per user, and
it ignores previously installed per-user applications. An attempt
to perform a per-user installation causes the installer to display
an error message and stop the installation. This setting is useful
in environments where the administrator only wants per-computer
applications installed, such as on a kiosk or a Windows Terminal
Server.

And for the setting Disable Windows Installer, the "Explain" text
says:
"This setting affects Windows Installer only. It does not prevent
users from using other methods to install and upgrade programs."

You're only option is to limit the user's rights and permissions.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in
microsoft.public.windows.terminal_services:

> I was looking at Disable Windows Installer setting and see
> another setting called, Prohibit User Installs.
>
> Would that prevent users from installing programs?
>
> The Disable Windows Installer, would that only apply to MSI's?
>
> Thanks again,
> RandyH
>
>
>
> Lanwench [MVP - Exchange] wrote:
>> RandyH <RHollaw@HOTmail.com> wrote:
>>> I guess Disable Windows Installer could have been a good
>>> answer too. Thanks for the KB, I had followed most of that
>>> article minus the Disable Windows Installer setting.
>>>
>>> do you know anything about Worldox? it's a POS and we've
>>> tried what
>>> you have suggested in the past without success.
>>>
>>> again, thanks for the KB...
>>
>> No prob. I presume that by POS you don't mean "point of sale"
>> but something else. ;-)
>> And no, I'm not familiar with it. Just try the sysinternals
>> tool...it's very handy.
>>>
>>>
>>> Lanwench [MVP - Exchange] wrote:
>>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>>> We have an app that requires users to be local admins,
>>>>> crappy I know, but I how can i prevent users from installing
>>>>> programs?
>>>>>
>>>>> If the TS has be in admin mode anyway, why would MS let
>>>>> programs get installed otherwise????? - rant..
>>>> You can lock down most everything you need to --and should--
>>>> but why not fix the underlying problem with this application
>>>> first? You should be able to identify the file system &
>>>> registry areas to which it wants access - try using Process
>>>> Monitor from Sysinternals (available for download on the MS
>>>> website). Users should not be admins on workstations, let
>>>> alone servers & you shouldn't have to leave them that way.
>>>> Basics: you should be running Terminal Services on a
>>>> dedicated member server with *no* other roles on the network.
>>>> It should be set up in its own OU, with a policy specifically
>>>> for TS (including loopback processing so that all users who
>>>> log in get the same settings, regardless of their own
>>>> inherited user policy settings). See KB 278295 for some good
>>>> lockdown suggestions. Also see MVP Patrick Rouse's articles
>>>> at http://www.sessioncomputing.com/articles.htm
 
Re: How to prevent users from installing programs.

Thank you again Vera.

I had a user install WinRar. My boss told me I need to take an outage
and remove winrar and install it in admin mode..

Vera Noest [MVP] wrote:
> No, this setting is about the difference between installing
> applications per computer or per user.
> Tip: read the "Explain" text that is available for all GPO
> settings:
>
> This setting allows you to configure user installs. To configure
> this setting, set it to enabled and use the drop-down list to
> select the behavior you want. If this setting is not configured,
> or if the setting is enabled and Allow User Installs is selected,
> the installer allows and makes use of products that are installed
> per user, and products that are installed per computer. If the
> installer finds a per-user install of an application, this hides a
> per-computer installation of that same product. If this setting is
> enabled and Hide User Installs is selected, the installer ignores
> per-user applications. This causes a per-computer installed
> application to be visible to users, even if those users have a per-
> user install of the product registered in their user profile. If
> this setting is enabled and Prohibit User Installs is selected, the
> installer prevents applications from being installed per user, and
> it ignores previously installed per-user applications. An attempt
> to perform a per-user installation causes the installer to display
> an error message and stop the installation. This setting is useful
> in environments where the administrator only wants per-computer
> applications installed, such as on a kiosk or a Windows Terminal
> Server.
>
> And for the setting Disable Windows Installer, the "Explain" text
> says:
> "This setting affects Windows Installer only. It does not prevent
> users from using other methods to install and upgrade programs."
>
> You're only option is to limit the user's rights and permissions.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in
> microsoft.public.windows.terminal_services:
>
>> I was looking at Disable Windows Installer setting and see
>> another setting called, Prohibit User Installs.
>>
>> Would that prevent users from installing programs?
>>
>> The Disable Windows Installer, would that only apply to MSI's?
>>
>> Thanks again,
>> RandyH
>>
>>
>>
>> Lanwench [MVP - Exchange] wrote:
>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>> I guess Disable Windows Installer could have been a good
>>>> answer too. Thanks for the KB, I had followed most of that
>>>> article minus the Disable Windows Installer setting.
>>>>
>>>> do you know anything about Worldox? it's a POS and we've
>>>> tried what
>>>> you have suggested in the past without success.
>>>>
>>>> again, thanks for the KB...
>>> No prob. I presume that by POS you don't mean "point of sale"
>>> but something else. ;-)
>>> And no, I'm not familiar with it. Just try the sysinternals
>>> tool...it's very handy.
>>>>
>>>> Lanwench [MVP - Exchange] wrote:
>>>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>>>> We have an app that requires users to be local admins,
>>>>>> crappy I know, but I how can i prevent users from installing
>>>>>> programs?
>>>>>>
>>>>>> If the TS has be in admin mode anyway, why would MS let
>>>>>> programs get installed otherwise????? - rant..
>>>>> You can lock down most everything you need to --and should--
>>>>> but why not fix the underlying problem with this application
>>>>> first? You should be able to identify the file system &
>>>>> registry areas to which it wants access - try using Process
>>>>> Monitor from Sysinternals (available for download on the MS
>>>>> website). Users should not be admins on workstations, let
>>>>> alone servers & you shouldn't have to leave them that way.
>>>>> Basics: you should be running Terminal Services on a
>>>>> dedicated member server with *no* other roles on the network.
>>>>> It should be set up in its own OU, with a policy specifically
>>>>> for TS (including loopback processing so that all users who
>>>>> log in get the same settings, regardless of their own
>>>>> inherited user policy settings). See KB 278295 for some good
>>>>> lockdown suggestions. Also see MVP Patrick Rouse's articles
>>>>> at http://www.sessioncomputing.com/articles.htm
 
Re: How to prevent users from installing programs.

You could also remove the execute file permissions from key directories.
this works beautifully for most things.

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"RandyH" <RHollaw@HOTmail.com> wrote in message
news:%23ta7tQ99IHA.224@TK2MSFTNGP06.phx.gbl...
> Thank you again Vera.
>
> I had a user install WinRar. My boss told me I need to take an outage and
> remove winrar and install it in admin mode..
>
> Vera Noest [MVP] wrote:
>> No, this setting is about the difference between installing applications
>> per computer or per user.
>> Tip: read the "Explain" text that is available for all GPO settings:
>>
>> This setting allows you to configure user installs. To configure this
>> setting, set it to enabled and use the drop-down list to select the
>> behavior you want. If this setting is not configured, or if the setting
>> is enabled and Allow User Installs is selected, the installer allows and
>> makes use of products that are installed per user, and products that are
>> installed per computer. If the installer finds a per-user install of an
>> application, this hides a per-computer installation of that same product.
>> If this setting is enabled and Hide User Installs is selected, the
>> installer ignores per-user applications. This causes a per-computer
>> installed application to be visible to users, even if those users have a
>> per-
>> user install of the product registered in their user profile. If this
>> setting is enabled and Prohibit User Installs is selected, the installer
>> prevents applications from being installed per user, and it ignores
>> previously installed per-user applications. An attempt to perform a
>> per-user installation causes the installer to display an error message
>> and stop the installation. This setting is useful in environments where
>> the administrator only wants per-computer applications installed, such as
>> on a kiosk or a Windows Terminal Server.
>>
>> And for the setting Disable Windows Installer, the "Explain" text says:
>> "This setting affects Windows Installer only. It does not prevent users
>> from using other methods to install and upgrade programs."
>>
>> You're only option is to limit the user's rights and permissions.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in
>> microsoft.public.windows.terminal_services:
>>> I was looking at Disable Windows Installer setting and see
>>> another setting called, Prohibit User Installs.
>>>
>>> Would that prevent users from installing programs?
>>>
>>> The Disable Windows Installer, would that only apply to MSI's?
>>>
>>> Thanks again,
>>> RandyH
>>>
>>>
>>>
>>> Lanwench [MVP - Exchange] wrote:
>>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>>> I guess Disable Windows Installer could have been a good
>>>>> answer too. Thanks for the KB, I had followed most of that
>>>>> article minus the Disable Windows Installer setting.
>>>>>
>>>>> do you know anything about Worldox? it's a POS and we've
>>>>> tried what you have suggested in the past without success.
>>>>>
>>>>> again, thanks for the KB...
>>>> No prob. I presume that by POS you don't mean "point of sale" but
>>>> something else. ;-)
>>>> And no, I'm not familiar with it. Just try the sysinternals
>>>> tool...it's very handy.
>>>>>
>>>>> Lanwench [MVP - Exchange] wrote:
>>>>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>>>>> We have an app that requires users to be local admins,
>>>>>>> crappy I know, but I how can i prevent users from installing
>>>>>>> programs?
>>>>>>> If the TS has be in admin mode anyway, why would MS let
>>>>>>> programs get installed otherwise????? - rant..
>>>>>> You can lock down most everything you need to --and should--
>>>>>> but why not fix the underlying problem with this application
>>>>>> first? You should be able to identify the file system &
>>>>>> registry areas to which it wants access - try using Process
>>>>>> Monitor from Sysinternals (available for download on the MS
>>>>>> website). Users should not be admins on workstations, let
>>>>>> alone servers & you shouldn't have to leave them that way.
>>>>>> Basics: you should be running Terminal Services on a dedicated member
>>>>>> server with *no* other roles on the network.
>>>>>> It should be set up in its own OU, with a policy specifically
>>>>>> for TS (including loopback processing so that all users who
>>>>>> log in get the same settings, regardless of their own
>>>>>> inherited user policy settings). See KB 278295 for some good
>>>>>> lockdown suggestions. Also see MVP Patrick Rouse's articles
>>>>>> at http://www.sessioncomputing.com/articles.htm
>
 
Re: How to prevent users from installing programs.

Jeff Pitsch wrote:
> You could also remove the execute file permissions from key directories.
> this works beautifully for most things.
>
that sounds like winner....which key directories are you suggesting?
 
Re: How to prevent users from installing programs.

Home directory, file shares, temp directories, desktop, (or profile
directories), that type of thing. Basically anywhere you think a program
would download and execute from.

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"RandyH" <RHollaw@HOTmail.com> wrote in message
news:ubqEhFA%23IHA.5404@TK2MSFTNGP04.phx.gbl...
> Jeff Pitsch wrote:
>> You could also remove the execute file permissions from key directories.
>> this works beautifully for most things.
>>
> that sounds like winner....which key directories are you suggesting?
 
Re: How to prevent users from installing programs.

Jeff Pitsch wrote:
> Home directory, file shares, temp directories, desktop, (or profile
> directories), that type of thing. Basically anywhere you think a program
> would download and execute from.
>
sweet....I will give that a try!

Thanks Jeff
 
Re: How to prevent users from installing programs.

RandyH <RHollaw@HOTmail.com> wrote:
> I was looking at Disable Windows Installer setting and see another
> setting called, Prohibit User Installs.
>
> Would that prevent users from installing programs?
>
> The Disable Windows Installer, would that only apply to MSI's?
>
> Thanks again,
> RandyH

Did you try my suggestion? I think you're going to make yourself crazy with
this one. The right answer is to revoke the admin rights (as well as run
general policy lockdown). Anything else you do will be a kluge and not a
simple one.
>
>
>
> Lanwench [MVP - Exchange] wrote:
>> RandyH <RHollaw@HOTmail.com> wrote:
>>> I guess Disable Windows Installer could have been a good answer too.
>>> Thanks for the KB, I had followed most of that article minus the
>>> Disable Windows Installer setting.
>>>
>>> do you know anything about Worldox? it's a POS and we've tried what
>>> you have suggested in the past without success.
>>>
>>> again, thanks for the KB...
>>
>> No prob. I presume that by POS you don't mean "point of sale" but
>> something else. ;-)
>> And no, I'm not familiar with it. Just try the sysinternals
>> tool...it's very handy.
>>>
>>>
>>> Lanwench [MVP - Exchange] wrote:
>>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>>> We have an app that requires users to be local admins, crappy I
>>>>> know, but I how can i prevent users from installing programs?
>>>>>
>>>>> If the TS has be in admin mode anyway, why would MS let programs
>>>>> get installed otherwise????? - rant..
>>>> You can lock down most everything you need to --and should-- but
>>>> why not fix the underlying problem with this application first? You
>>>> should be able to identify the file system & registry areas to
>>>> which it wants access - try using Process Monitor from Sysinternals
>>>> (available for download on the MS website). Users should not be
>>>> admins on workstations, let alone servers & you shouldn't have to
>>>> leave them that way. Basics: you should be running Terminal
>>>> Services on a dedicated
>>>> member server with *no* other roles on the network. It should be
>>>> set up in its own OU, with a policy specifically for TS (including
>>>> loopback processing so that all users who log in get the same
>>>> settings, regardless of their own inherited user policy settings).
>>>> See KB 278295 for some good lockdown suggestions. Also see MVP
>>>> Patrick Rouse's articles at
>>>> http://www.sessioncomputing.com/articles.htm
 
Re: How to prevent users from installing programs.

But your users are all Administrators, right?
They'll simply undo whatever change you make.

There no way you can lock your server down without making them normal
users.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in
microsoft.public.windows.terminal_services:

> Jeff Pitsch wrote:
>> Home directory, file shares, temp directories, desktop, (or
>> profile directories), that type of thing. Basically anywhere
>> you think a program would download and execute from.
>>
> sweet....I will give that a try!
>
> Thanks Jeff
 
Re: How to prevent users from installing programs.

ugh...you guys are right....Thanks for the all the help.


Lanwench [MVP - Exchange] wrote:
> RandyH <RHollaw@HOTmail.com> wrote:
>> I was looking at Disable Windows Installer setting and see another
>> setting called, Prohibit User Installs.
>>
>> Would that prevent users from installing programs?
>>
>> The Disable Windows Installer, would that only apply to MSI's?
>>
>> Thanks again,
>> RandyH
>
> Did you try my suggestion? I think you're going to make yourself crazy with
> this one. The right answer is to revoke the admin rights (as well as run
> general policy lockdown). Anything else you do will be a kluge and not a
> simple one.
>>
>>
>> Lanwench [MVP - Exchange] wrote:
>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>> I guess Disable Windows Installer could have been a good answer too.
>>>> Thanks for the KB, I had followed most of that article minus the
>>>> Disable Windows Installer setting.
>>>>
>>>> do you know anything about Worldox? it's a POS and we've tried what
>>>> you have suggested in the past without success.
>>>>
>>>> again, thanks for the KB...
>>> No prob. I presume that by POS you don't mean "point of sale" but
>>> something else. ;-)
>>> And no, I'm not familiar with it. Just try the sysinternals
>>> tool...it's very handy.
>>>>
>>>> Lanwench [MVP - Exchange] wrote:
>>>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>>>> We have an app that requires users to be local admins, crappy I
>>>>>> know, but I how can i prevent users from installing programs?
>>>>>>
>>>>>> If the TS has be in admin mode anyway, why would MS let programs
>>>>>> get installed otherwise????? - rant..
>>>>> You can lock down most everything you need to --and should-- but
>>>>> why not fix the underlying problem with this application first? You
>>>>> should be able to identify the file system & registry areas to
>>>>> which it wants access - try using Process Monitor from Sysinternals
>>>>> (available for download on the MS website). Users should not be
>>>>> admins on workstations, let alone servers & you shouldn't have to
>>>>> leave them that way. Basics: you should be running Terminal
>>>>> Services on a dedicated
>>>>> member server with *no* other roles on the network. It should be
>>>>> set up in its own OU, with a policy specifically for TS (including
>>>>> loopback processing so that all users who log in get the same
>>>>> settings, regardless of their own inherited user policy settings).
>>>>> See KB 278295 for some good lockdown suggestions. Also see MVP
>>>>> Patrick Rouse's articles at
>>>>> http://www.sessioncomputing.com/articles.htm
>
>
>
 
Re: How to prevent users from installing programs.

You're right....I need to get that app worldox in check...

Vera Noest [MVP] wrote:
> But your users are all Administrators, right?
> They'll simply undo whatever change you make.
>
> There no way you can lock your server down without making them normal
> users.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in
> microsoft.public.windows.terminal_services:
>
>> Jeff Pitsch wrote:
>>> Home directory, file shares, temp directories, desktop, (or
>>> profile directories), that type of thing. Basically anywhere
>>> you think a program would download and execute from.
>>>
>> sweet....I will give that a try!
>>
>> Thanks Jeff
 
Re: How to prevent users from installing programs.

RandyH <RHollaw@HOTmail.com> wrote:
> ugh...you guys are right....Thanks for the all the help.

You're welcome. I know this isn't much fun when you're dealing with badly
written software, but 99.9999% of the time you can work around it. Oh, and
don't forget to holler at the developers who wrote the POS. And you know
which definition of that abbreviation I mean.
>
>
> Lanwench [MVP - Exchange] wrote:
>> RandyH <RHollaw@HOTmail.com> wrote:
>>> I was looking at Disable Windows Installer setting and see another
>>> setting called, Prohibit User Installs.
>>>
>>> Would that prevent users from installing programs?
>>>
>>> The Disable Windows Installer, would that only apply to MSI's?
>>>
>>> Thanks again,
>>> RandyH
>>
>> Did you try my suggestion? I think you're going to make yourself
>> crazy with this one. The right answer is to revoke the admin rights
>> (as well as run general policy lockdown). Anything else you do will
>> be a kluge and not a simple one.
>>>
>>>
>>> Lanwench [MVP - Exchange] wrote:
>>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>>> I guess Disable Windows Installer could have been a good answer
>>>>> too. Thanks for the KB, I had followed most of that article minus
>>>>> the Disable Windows Installer setting.
>>>>>
>>>>> do you know anything about Worldox? it's a POS and we've tried
>>>>> what you have suggested in the past without success.
>>>>>
>>>>> again, thanks for the KB...
>>>> No prob. I presume that by POS you don't mean "point of sale" but
>>>> something else. ;-)
>>>> And no, I'm not familiar with it. Just try the sysinternals
>>>> tool...it's very handy.
>>>>>
>>>>> Lanwench [MVP - Exchange] wrote:
>>>>>> RandyH <RHollaw@HOTmail.com> wrote:
>>>>>>> We have an app that requires users to be local admins, crappy I
>>>>>>> know, but I how can i prevent users from installing programs?
>>>>>>>
>>>>>>> If the TS has be in admin mode anyway, why would MS let programs
>>>>>>> get installed otherwise????? - rant..
>>>>>> You can lock down most everything you need to --and should-- but
>>>>>> why not fix the underlying problem with this application first?
>>>>>> You should be able to identify the file system & registry areas
>>>>>> to which it wants access - try using Process Monitor from
>>>>>> Sysinternals (available for download on the MS website). Users
>>>>>> should not be admins on workstations, let alone servers & you
>>>>>> shouldn't have to leave them that way. Basics: you should be
>>>>>> running Terminal Services on a dedicated
>>>>>> member server with *no* other roles on the network. It should be
>>>>>> set up in its own OU, with a policy specifically for TS
>>>>>> (including loopback processing so that all users who log in get
>>>>>> the same settings, regardless of their own inherited user policy
>>>>>> settings). See KB 278295 for some good lockdown suggestions.
>>>>>> Also see MVP Patrick Rouse's articles at
>>>>>> http://www.sessioncomputing.com/articles.htm
 
Back
Top