
installing MS Office 2003/2007 on TS Machines



Guest Cary Shultz
Posted

Good morning!

 

I hope that all of you in the US had a great 4th of July (we did...but the

little ones do not quite appreciate the Fireworks after bedtime!).

 

QUESTION: on a WIN2003 R2 SP2 Terminal Server we have, among other things,

MS Office 2007 installed. Additionally, we installed MS Office Project 2007

(default location). I need to limit the users who are able to make use of

MS Office Project 2007. Is this possible? Please read the short novel

below to understand why I am asking this question....

 

 

SHORT NOVEL!!!!!!

 

I noticed on the Terminal Server that C:\Program Files has an "extra"

Security Group in the NTFS Permissions tab - "TERMINAL SERVER USERS". I

have to admit that I have never noticed that before. I remoted into three

or four TS Boxes at different clients and lo and behold! All of them have

that!

 

I do not see this Security Group anywhere in Active Directory so *assume*

that it is a TS specific thing...can anyone shed a light on this for me? I

will admit that I have not used ldifde to enumerate all of the objects in

AD so I would not necessarily be surprised to find it tucked away....

 

The true reason for this post, as already mentioned, is that I want to limit

one of the MS Office 2007 applications (MS Office Project 2007) to a

specific group of users. I have the Security Groups already set up

(Universal Security Group containing the user account objects and then a

Local Security Group on the TS box...I made the USG a member of the LSG). I

do not want to remove the "Terminal Server Users" security group

(essentially, replace that with the LSG) on the executable (WINPROJ.exe) as

I do not want to mess things up.

 

Any guidance?

 

Thanks,

 

Cary


Guest jolteroli
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

"Cary Shultz" <cshultz@nospam.outsourceitcorp.com> wrote in message

news:%23bRD17o3IHA.3624@TK2MSFTNGP05.phx.gbl...

> Good morning!

>

> I hope that all of you in the US had a great 4th of July (we did...but the

> little ones do not quite appreciate the Fireworks after bedtime!).

>

> QUESTION: on a WIN2003 R2 SP2 Terminal Server we have, among other things,

> MS Office 2007 installed. Additionally, we installed MS Office Project

> 2007 (default location). I need to limit the users who are able to make

> use of MS Office Project 2007. Is this possible? Please read the short

> novel below to understand why I am asking this question....

>

>

> SHORT NOVEL!!!!!!

>

> I noticed on the Terminal Server that C:\Program Files has an "extra"

> Security Group in the NTFS Permissions tab - "TERMINAL SERVER USERS".

 

I guess that is the relaxed/default security thingy. It seems the

TSUserEnabled dword is set to 1 under

"HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server". Can

you confirm this? For additional information have a look at this article:

http://www.brianmadden.com/content/article/Understanding-Terminal-Servers-Permissions-Compatibility-Options

> I have to admit that I have never noticed that before. I remoted into

> three or four TS Boxes at different clients and lo and behold! All of

> them have that!

>

> I do not see this Security Group anywhere in Active Directory so *assume*

> that it is a TS specific thing...can anyone shed a light on this for me?

> I will admit that I have not used ldifde to enumerate all of the objects

> in AD so I would not necessarily be surprised to find it tucked away....

>

> The true reason for this post, as already mentioned, is that I want to

> limit one of the MS Office 2007 applications (MS Office Project 2007) to a

> specific group of users. I have the Security Groups already set up

> (Universal Security Group containing the user account objects and then a

> Local Security Group on the TS box...I made the USG a member of the LSG).

> I do not want to remove the "Terminal Server Users" security group

> (essentially, replace that with the LSG) on the executable (WINPROJ.exe)

> as I do not want to mess things up.

 

We create local groups like "app.office14.project", and put the user in the

group. Local groups, because each TS is very special here. On the file in

question "WINPROJ.EXE" we break up the ntfs-inheritance (copy), remove the

std. user groups and add the mentioned group. This way we enforce the

licensing and for example access via internet explorer to the internet.

 

-jolt

Guest Vera Noest [MVP]
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

"jolteroli" <jolt1976@gmx.net> wrote on 05 jul 2008 in

microsoft.public.windows.terminal_services:

> "Cary Shultz" <cshultz@nospam.outsourceitcorp.com> wrote in

> message news:%23bRD17o3IHA.3624@TK2MSFTNGP05.phx.gbl...

>> Good morning!

>>

>> I hope that all of you in the US had a great 4th of July (we

>> did...but the little ones do not quite appreciate the Fireworks

>> after bedtime!).

>>

>> QUESTION: on a WIN2003 R2 SP2 Terminal Server we have, among

>> other things, MS Office 2007 installed. Additionally, we

>> installed MS Office Project 2007 (default location). I need to

>> limit the users who are able to make use of MS Office Project

>> 2007. Is this possible? Please read the short novel below to

>> understand why I am asking this question....

>>

>>

>> SHORT NOVEL!!!!!!

>>

>> I noticed on the Terminal Server that C:\Program Files has an

>> "extra" Security Group in the NTFS Permissions tab - "TERMINAL

>> SERVER USERS".

>

> I guess that is the relaxed/default security thingy. It seems

> the TSUserEnabled dword is set to 1 under

> "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal

> Server". Can you confirm this? For additional informations have

> a look to this article:

> http://www.brianmadden.com/content/article/Understanding-Terminal

> -Servers-Permissions-Compatibility-Options

>

>> I have to admit that I have never noticed that before. I

>> remoted into three or four TS Boxes at different clients and lo

>> and behold! All of them have that!

>>

>> I do not see this Security Group anywhere in Active Directory

>> so *assume* that it is a TS specific thing...can anyone shed a

>> light on this for me? I will admit that I have not used ldifde

>> to enumerate all of the objects in AD so I would not

>> necessarily be surprised to find it tucked away....

>>

>> The true reason for this post, as already mentioned, is that I

>> want to limit one of the MS Office 2007 applications (MS Office

>> Project 2007) to a specific group of users. I have the

>> Security Groups already set up (Universal Security Group

>> containing the user account objects and then a Local Security

>> Group on the TS box...I made the USG a member of the LSG). I do

>> not want to remove the "Terminal Server Users" security group

>> (essentially, replace that with the LSG) on the executable

>> (WINPROJ.exe) as I do not want to mess things up.

>

> We create local groups like "app.office14.project", and put the

> user in the group. Local groups, because each TS is very special

> here. On the file in question "WINPROJ.EXE" we break up the

> ntfs-inheritance (copy), remove the std. user groups and add the

> mentioned group. This way we enforce the licensing and for

> example access via internet explorer to the internet.

>

> -jolt

 

Yes, that's how it is mostly done.

Problem is that Office is licensed per *client*, not per user. So

strictly speaking, you are not enforcing the Office EULA. But until

Microsoft introduces Office Per User licenses, I wouldn't know of a

better way to do it.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

Guest Jeff Pitsch
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

NTFS permissions above and you could use Software Restriction Policies in

group policy.

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

 


Guest jolteroli
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in

news:ej6JC7p3IHA.1196@TK2MSFTNGP05.phx.gbl...

> NTFS permissions above and you could use Software Restriction Policies in

> group policy.

 

The latter seems the better. I didn't know about that, thanks Jeff.

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in

news:Xns9AD297F54470Cveranoesthemutforsse@207.46.248.16...

> "jolteroli" <jolt1976@gmx.net> wrote on 05 jul 2008 in

> microsoft.public.windows.terminal_services:

> Yes, that's how it is mostly done.

> Problem is that Office is licensed per *client*, not per user. So strictly

> speaking, you are not enforcing the Office EULA. But until Microsoft

> introduces Office Per User licenses, I wouldn't know of a better way to do

> it.

 

In layman's terms: If it were ->even possible<- to use Office (n licenses)

from (n+1) client machines, the EULA were broken? Same thing as TS

licensing?

 

If so, one could enumerate the processes along with the session-id, grep for

'winword.exe' and unique the list. If the list has more than n entries, show

a message box instead of starting winword.exe.

 

#process-image:session-id

winword.exe:11 # Vera has opened Word twice, but

winword.exe:11 # that counts as one single CAL, right?

winword.exe:22 # Jeff also works in Word, OK.

winword.exe:33 # And Jolt breaks the EULA,

 

because we have had money for 2 licenses only. Jolt -> Jail!

 

-jolt (off with probation)

Guest Vera Noest [MVP]
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

"jolteroli" <jolt1976@gmx.net> wrote on 05 jul 2008 in

microsoft.public.windows.terminal_services:

> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in

> news:ej6JC7p3IHA.1196@TK2MSFTNGP05.phx.gbl...

>> NTFS permissions above and you could use Software Restriction

>> Policies in group policy.

>

> The latter seems the better. I didn't know about that, thanks

> Jeff.

>

> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

> in news:Xns9AD297F54470Cveranoesthemutforsse@207.46.248.16...

>> "jolteroli" <jolt1976@gmx.net> wrote on 05 jul 2008 in

>> microsoft.public.windows.terminal_services:

>> Yes, that's how it is mostly done.

>> Problem is that Office is licensed per *client*, not per user.

>> So strictly speaking, you are not enforcing the Office EULA.

>> But until Microsoft introduces Office Per User licenses, I

>> wouldn't know of a better way to do it.

>

> In layman's terms: If it were ->even possible<- to use Office (n

> licenses) from (n+1) client machines, the EULA were broken? Same

> thing as TS licensing?

>

> If so, one could enumerate the processes along with the

> session-id, grep for 'winword.exe' and unique the list. If the

> list has more than n entries, show a message box instead of

> starting winword.exe.

>

> #process-image:session-id

> winword.exe:11 # Vera has opened Word twice, but

> winword.exe:11 # that counts as one single CAL, right?

> winword.exe:22 # Jeff also works in Word, OK.

> winword.exe:33 # And Jolt breaks the EULA,

>

> because we have had money for 2 licenses only. Jolt -> Jail!

>

> -jolt (off with probation)

 

Nice try, but even that doesn't do it :-)

You are checking for *concurrent* instances of Office, but the per

device licensing scheme of Office is not per concurrent instance.

So if you have 2 licenses, one single person could violate the EULA

by using Office from client 1 on Monday, from client 2 on Tuesday

and client 3 on Wednesday.

But restricting Office on a per user base is the best you can do,

I've never seen a Microsoft representative propose a better

solution.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

Guest jphallett
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

On Jul 5, 7:53 am, "jolteroli" <jolt1...@gmx.net> wrote:

> "Cary Shultz" <cshu...@nospam.outsourceitcorp.com> wrote in message news:%23bRD17o3IHA.3624@TK2MSFTNGP05.phx.gbl...

>

>

>

> > Good morning!

>

> > I hope that all of you in the US had a great 4th of July (we did...but the

> > little ones do not quite appreciate the Fireworks after bedtime!).

>

> > QUESTION: on a WIN2003 R2 SP2 Terminal Server we have, among other things,

> > MS Office 2007 installed. Additionally, we installed MS Office Project

> > 2007 (default location). I need to limit the users who are able to make

> > use of MS Office Project 2007. Is this possible? Please read the short

> > novel below to understand why I am asking this question....

>

> > SHORT NOVEL!!!!!!

>

> > I noticed on the Terminal Server that C:\Program Files has an "extra"

> > Security Group in the NTFS Permissions tab - "TERMINAL SERVER USERS".

>

> I guess that is the relaxed/default security thingy. It seems the

> TSUserEnabled dword is set to 1 under

> "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server". Can

> you confirm this? For additional informations have a look to this article:http://www.brianmadden.com/content/article/Understanding-Terminal-Ser...

>

>

>

> > I have to admit that I have never noticed that before. I remoted into

> > three or four TS Boxes at different clients and lo and behold! All of

> > them have that!

>

> > I do not see this Security Group anywhere in Active Directory so *assume*

> > that it is a TS specific thing...can anyone shed a light on this for me?

> > I will admit that I have not used ldifde to enumerate all of the objects

> > in AD so I would not necessarily be surprised to find it tucked away....

>

> > The true reason for this post, as already mentioned, is that I want to

> > limit one of the MS Office 2007 applications (MS Office Project 2007) to a

> > specific group of users. I have the Security Groups already set up

> > (Universal Security Group containing the user account objects and then a

> > Local Security Group on the TS box...I made the USG a member of the LSG).

> > I do not want to remove the "Terminal Server Users" security group

> > (essentially, replace that with the LSG) on the executable (WINPROJ.exe)

> > as I do not want to mess things up.

>

> We create local groups like "app.office14.project", and put the user in the

> group. Local groups, because each TS is very special here. On the file in

> question "WINPROJ.EXE" we break up the ntfs-inheritance (copy), remove the

> std. user groups and add the mentioned group. This way we enforce the

> licensing and for example access via internet explorer to the internet.

>

> -jolt

 

Does this work in a workgroup environment? I have been trying to

figure out how to restrict certain users from using specific apps.

Everything I have read on Software Restriction Policies you have to be

in an AD to use them.

 

Jeff

Guest Jeff Pitsch
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

To use them properly yes. Why is the box in a workgroup? Novell in the mix

or something?

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 


Guest jphallett
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

On Jul 7, 10:51 am, "Jeff Pitsch" <j...@jeffpitschconsulting.com>

wrote:

> To use them properly yes. Why is the box in a workgroup? Novell in the mix

> or something?

>

> Jeff Pitsch

> Microsoft MVP - Terminal Services

>

> "jphallett" <jphall...@gmail.com> wrote in message

>

> news:b9564a02-f560-48a4-b6a6-327dcd8626ac@y38g2000hsy.googlegroups.com...

>

> > On Jul 5, 7:53 am, "jolteroli" <jolt1...@gmx.net> wrote:

> >> "Cary Shultz" <cshu...@nospam.outsourceitcorp.com> wrote in

> >> message news:%23bRD17o3IHA.3624@TK2MSFTNGP05.phx.gbl...

>

> >> > Good morning!

>

> >> > I hope that all of you in the US had a great 4th of July (we did...but

> >> > the

> >> > little ones do not quite appreciate the Fireworks after bedtime!).

>

> >> > QUESTION: on a WIN2003 R2 SP2 Terminal Server we have, among other

> >> > things,

> >> > MS Office 2007 installed. Additionally, we installed MS Office Project

> >> > 2007 (default location). I need to limit the users who are able to

> >> > make

> >> > use of MS Office Project 2007. Is this possible? Please read the

> >> > short

> >> > novel below to understand why I am asking this question....

>

> >> > SHORT NOVEL!!!!!!

>

> >> > I noticed on the Terminal Server that C:\Program Files has an "extra"

> >> > Security Group in the NTFS Permissions tab - "TERMINAL SERVER USERS".

>

> >> I guess that is the relaxed/default security thingy. It seems the

> >> TSUserEnabled dword is set to 1 under

> >> "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server".

> >> Can

> >> you confirm this? For additional informations have a look to this

> >> article:http://www.brianmadden.com/content/article/Understanding-Terminal-Ser...

>

> >> > I have to admit that I have never noticed that before. I remoted into

> >> > three or four TS Boxes at different clients and lo and behold! All of

> >> > them have that!

>

> >> > I do not see this Security Group anywhere in Active Directory so

> >> > *assume*

> >> > that it is a TS specific thing...can anyone shed a light on this for

> >> > me?

> >> > I will admit that I have not used ldifde to enumerate all of the

> >> > objects

> >> > in AD so I would not necessarily be surprised to find it tucked

> >> > away....

>

> >> > The true reason for this post, as already mentioned, is that I want to

> >> > limit one of the MS Office 2007 applications (MS Office Project 2007)

> >> > to a

> >> > specific group of users. I have the Security Groups already set up

> >> > (Universal Security Group containing the user account objects and then

> >> > a

> >> > Local Security Group on the TS box...I made the USG a member of the

> >> > LSG).

> >> > I do not want to remove the "Terminal Server Users" security group

> >> > (essentially, replace that with the LSG) on the executable

> >> > (WINPROJ.exe)

> >> > as I do not want to mess things up.

>

> >> We create local groups like "app.office14.project", and put the user in

> >> the

> >> group. Local groups, because each TS is very special here. On the file in

> >> question "WINPROJ.EXE" we break up the ntfs-inheritance (copy), remove

> >> the

> >> std. user groups and add the mentioned group. This way we enforce the

> >> licensing and for example access via internet explorer to the internet.

>

> >> -jolt

>

> > Does this work in a workgroup environment? I have been trying to

> > figure out how to restrict certain users from using specific apps.

> > Everything I have read on Software Restriction Policies you have to be

> > in an AD to use them.

>

> > Jeff

 

Hi Jolt,

yes my TS is in a workgroup environment not an AD. Your solution with

the local groups seems like it might work. Is there information on it

posted somewhere that you could direct me to?

 

Thanks

Jeff

Guest Jeff Pitsch
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

Information on configuring NTFS permissions?

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

 


Guest jolteroli
Posted

Re: installing MS Office 2003/2007 on TS Machines

 

"jphallett" <jphallett@gmail.com> wrote in message

news:e5e9e638-a99f-46cb-a644-56943c49989f@27g2000hsf.googlegroups.com...

> Hi Jolt,

> yes my TS is in a workgroup environment not an AD. Your solution with

> the local groups seems like it might work. Is there information on it

> posted somewhere that you could direct me to?

>

> Thanks

> Jeff

 

Hey Jeff

 

Although I wouldn't recommend it, we do it that way:

 

We keep a list "ALLOWEXEC.txt" in the "Program Files" directory, to know

what files or directories have been changed and to what permission.

 

------------------------

/foobar/start.exe

- Users

- Domain-Users

+ app.foobar

------------------------

 

This is important, because you'll never remember all the files after a

month. And searching for them is a pain in the 8

 

The local groups should have meaningful names, so you know which

application(s) this particular group allows to execute. Stuff the members

in.

 

Go to the executable, that is referenced by the shortcut or look in the task

manager what image name is running. On the permissions-tab of the file,

break up the ACL-inheritance and choose to copy the inherited ACLs. So you

keep the original permissions, but now they are unique to this single file.

Then boot out the standard user groups like Users and/or Domain-Users,

depending on your environment. Add the designated group and check the group

may read/execute. Done.

 

Another option would be to work on the whole directory of the application root.

 

Beware, this kinda "security" is deceiving. If for example the

Internet Explorer execution is denied this way, one can copy IEXPLORE.EXE

from another location to his/her home directory, set a shortcut to the

single file and choose the working directory to "C:/Program Files/Internet

Explorer". Voilà! From the view of IEXPLORE.EXE nothing has changed.

 

I believe there are 3rd party tools out there that accomplish exactly

this task. But I don't know how they do it and if they require Active

Directory or other resources not available in workgroup environments.

 

Maybe the professionals know a better way???

 

-jolt
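
The caveat in the last post, as an added example that is not part of the original thread: an ACL set on one file says nothing about copies of that file elsewhere. The Python sketch below parses a record in the ALLOWEXEC.txt layout shown above and looks for content-identical copies by SHA-256; the function names, the sample tree, and reading manifest paths as relative to "Program Files" are assumptions.

```python
import hashlib
import os
import tempfile

# Constructed sample in the ALLOWEXEC.txt layout shown in the post
# ("-" = group removed from the file's ACL, "+" = group added).
SAMPLE_MANIFEST = """\
------------------------
/foobar/start.exe
- Users
- Domain-Users
+ app.foobar
------------------------
"""


def parse_allowexec(text):
    """Return one dict per record: path, removed groups, added groups."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:                  # dashed separator ends a record
            current = None
        elif line.startswith(("- ", "+ ")):
            if current is None:
                raise ValueError("group line before any path: %r" % line)
            key = "removed" if line[0] == "-" else "added"
            current[key].append(line[2:].strip())
        else:                                   # anything else starts a record
            current = {"path": line, "removed": [], "added": []}
            entries.append(current)
    return entries


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(entries, program_files, search_roots):
    """List (copy, original) pairs: files under search_roots whose content
    is identical to an executable named in the manifest."""
    wanted = {}
    for entry in entries:
        # Assumption: manifest paths are relative to the Program Files folder.
        rel = entry["path"].lstrip("/").replace("/", os.sep)
        original = os.path.realpath(os.path.join(program_files, rel))
        if os.path.isfile(original):
            wanted[sha256_of(original)] = original
    hits = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                candidate = os.path.realpath(os.path.join(dirpath, name))
                if candidate in wanted.values():
                    continue                    # the restricted file itself
                try:
                    digest = sha256_of(candidate)
                except OSError:
                    continue                    # unreadable file: skip it
                if digest in wanted:
                    hits.append((candidate, wanted[digest]))
    return sorted(hits)


def demo():
    """Throwaway tree: one restricted exe, a renamed copy, an unrelated file."""
    with tempfile.TemporaryDirectory() as base:
        pf = os.path.join(base, "Program Files")
        home = os.path.join(base, "home", "user1")
        os.makedirs(os.path.join(pf, "foobar"))
        os.makedirs(home)
        payload = b"MZ constructed stand-in for start.exe"
        with open(os.path.join(pf, "foobar", "start.exe"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(home, "notes.exe"), "wb") as fh:  # renamed copy
            fh.write(payload)
        with open(os.path.join(home, "other.exe"), "wb") as fh:
            fh.write(b"MZ unrelated program")
        entries = parse_allowexec(SAMPLE_MANIFEST)
        hits = find_copies(entries, pf, [home])
        return entries, [(os.path.basename(c), os.path.basename(o))
                         for c, o in hits]


if __name__ == "__main__":
    parsed, found = demo()
    print(parsed)
    print(found)
```

Software Restriction Policies, suggested earlier in the thread, also offer hash rules that match a file by content rather than by location.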

