How to prevent users from installing programs.

[Guest RandyH]

We have an app that requires users to be local admins, crappy I know,

but I how can i prevent users from installing programs?

 

If the TS has be in admin mode anyway, why would MS let programs get

installed otherwise????? - rant..

[Guest Lanwench [MVP - Exchange]]

Re: How to prevent users from installing programs.

 

RandyH <RHollaw@HOTmail.com> wrote:

> We have an app that requires users to be local admins, crappy I know,

> but I how can i prevent users from installing programs?

>

> If the TS has be in admin mode anyway, why would MS let programs get

> installed otherwise????? - rant..

 

You can lock down most everything you need to --and should-- but why not fix

the underlying problem with this application first? You should be able to

identify the file system & registry areas to which it wants access - try

using Process Monitor from Sysinternals (available for download on the MS

website). Users should not be admins on workstations, let alone servers &

you shouldn't have to leave them that way.

 

Basics: you should be running Terminal Services on a dedicated member server

with *no* other roles on the network. It should be set up in its own OU,

with a policy specifically for TS (including loopback processing so that all

users who log in get the same settings, regardless of their own inherited

user policy settings). See KB 278295 for some good lockdown suggestions.

Also see MVP Patrick Rouse's articles at

http://www.sessioncomputing.com/articles.htm

[Guest RandyH]

Re: How to prevent users from installing programs.

 

I guess Disable Windows Installer could have been a good answer too.

Thanks for the KB, I had followed most of that article minus the Disable

Windows Installer setting.

 

do you know anything about Worldox? it's a POS and we've tried what you

have suggested in the past without success.

 

again, thanks for the KB...

 

 

 

Lanwench [MVP - Exchange] wrote:

> RandyH <RHollaw@HOTmail.com> wrote:

>> We have an app that requires users to be local admins, crappy I know,

>> but I how can i prevent users from installing programs?

>>

>> If the TS has be in admin mode anyway, why would MS let programs get

>> installed otherwise????? - rant..

>

> You can lock down most everything you need to --and should-- but why not fix

> the underlying problem with this application first? You should be able to

> identify the file system & registry areas to which it wants access - try

> using Process Monitor from Sysinternals (available for download on the MS

> website). Users should not be admins on workstations, let alone servers &

> you shouldn't have to leave them that way.

>

> Basics: you should be running Terminal Services on a dedicated member server

> with *no* other roles on the network. It should be set up in its own OU,

> with a policy specifically for TS (including loopback processing so that all

> users who log in get the same settings, regardless of their own inherited

> user policy settings). See KB 278295 for some good lockdown suggestions.

> Also see MVP Patrick Rouse's articles at

> http://www.sessioncomputing.com/articles.htm

>

>

[Guest Lanwench [MVP - Exchange]]

Re: How to prevent users from installing programs.

 

RandyH <RHollaw@HOTmail.com> wrote:

> I guess Disable Windows Installer could have been a good answer too.

> Thanks for the KB, I had followed most of that article minus the

> Disable Windows Installer setting.

>

> do you know anything about Worldox? it's a POS and we've tried what

> you have suggested in the past without success.

>

> again, thanks for the KB...

 

No prob. I presume that by POS you don't mean "point of sale" but something

else. ;-)

And no, I'm not familiar with it. Just try the sysinternals tool...it's very

handy.

>

>

>

> Lanwench [MVP - Exchange] wrote:

>> RandyH <RHollaw@HOTmail.com> wrote:

>>> We have an app that requires users to be local admins, crappy I

>>> know, but I how can i prevent users from installing programs?

>>>

>>> If the TS has be in admin mode anyway, why would MS let programs get

>>> installed otherwise????? - rant..

>>

>> You can lock down most everything you need to --and should-- but why

>> not fix the underlying problem with this application first? You

>> should be able to identify the file system & registry areas to which

>> it wants access - try using Process Monitor from Sysinternals

>> (available for download on the MS website). Users should not be

>> admins on workstations, let alone servers & you shouldn't have to

>> leave them that way. Basics: you should be running Terminal Services on a

>> dedicated

>> member server with *no* other roles on the network. It should be set

>> up in its own OU, with a policy specifically for TS (including

>> loopback processing so that all users who log in get the same

>> settings, regardless of their own inherited user policy settings).

>> See KB 278295 for some good lockdown suggestions. Also see MVP

>> Patrick Rouse's articles at

>> http://www.sessioncomputing.com/articles.htm

[Guest ThomasT.]

Re: How to prevent users from installing programs.

 

Hi,

 

You can try Remote Application Center : http://www.mqtechnologies.com

 

Regards

 

ThomasT.

 

"RandyH" <RHollaw@HOTmail.com> wrote in message

news:OdJDrmm9IHA.1468@TK2MSFTNGP05.phx.gbl...

> We have an app that requires users to be local admins, crappy I know, but

> I how can i prevent users from installing programs?

>

> If the TS has be in admin mode anyway, why would MS let programs get

> installed otherwise????? - rant..

[Guest RandyH]

Re: How to prevent users from installing programs.

 

I was looking at Disable Windows Installer setting and see another

setting called, Prohibit User Installs.

 

Would that prevent users from installing programs?

 

The Disable Windows Installer, would that only apply to MSI's?

 

Thanks again,

RandyH

 

 

 

Lanwench [MVP - Exchange] wrote:

> RandyH <RHollaw@HOTmail.com> wrote:

>> I guess Disable Windows Installer could have been a good answer too.

>> Thanks for the KB, I had followed most of that article minus the

>> Disable Windows Installer setting.

>>

>> do you know anything about Worldox? it's a POS and we've tried what

>> you have suggested in the past without success.

>>

>> again, thanks for the KB...

>

> No prob. I presume that by POS you don't mean "point of sale" but something

> else. ;-)

> And no, I'm not familiar with it. Just try the sysinternals tool...it's very

> handy.

>>

>>

>> Lanwench [MVP - Exchange] wrote:

>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>> We have an app that requires users to be local admins, crappy I

>>>> know, but I how can i prevent users from installing programs?

>>>>

>>>> If the TS has be in admin mode anyway, why would MS let programs get

>>>> installed otherwise????? - rant..

>>> You can lock down most everything you need to --and should-- but why

>>> not fix the underlying problem with this application first? You

>>> should be able to identify the file system & registry areas to which

>>> it wants access - try using Process Monitor from Sysinternals

>>> (available for download on the MS website). Users should not be

>>> admins on workstations, let alone servers & you shouldn't have to

>>> leave them that way. Basics: you should be running Terminal Services on a

>>> dedicated

>>> member server with *no* other roles on the network. It should be set

>>> up in its own OU, with a policy specifically for TS (including

>>> loopback processing so that all users who log in get the same

>>> settings, regardless of their own inherited user policy settings).

>>> See KB 278295 for some good lockdown suggestions. Also see MVP

>>> Patrick Rouse's articles at

>>> http://www.sessioncomputing.com/articles.htm

>

>

>

[Guest Vera Noest [MVP]]

Re: How to prevent users from installing programs.

 

No, this setting is about the difference between installing

applications per computer or per user.

Tip: read the "Explain" text that is available for all GPO

settings:

 

This setting allows you to configure user installs. To configure

this setting, set it to enabled and use the drop-down list to

select the behavior you want. If this setting is not configured,

or if the setting is enabled and Allow User Installs is selected,

the installer allows and makes use of products that are installed

per user, and products that are installed per computer. If the

installer finds a per-user install of an application, this hides a

per-computer installation of that same product. If this setting is

enabled and Hide User Installs is selected, the installer ignores

per-user applications. This causes a per-computer installed

application to be visible to users, even if those users have a per-

user install of the product registered in their user profile. If

this setting is enabled and Prohibit User Installs is selected, the

installer prevents applications from being installed per user, and

it ignores previously installed per-user applications. An attempt

to perform a per-user installation causes the installer to display

an error message and stop the installation. This setting is useful

in environments where the administrator only wants per-computer

applications installed, such as on a kiosk or a Windows Terminal

Server.

 

And for the setting Disable Windows Installer, the "Explain" text

says:

"This setting affects Windows Installer only. It does not prevent

users from using other methods to install and upgrade programs."

 

You're only option is to limit the user's rights and permissions.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in

microsoft.public.windows.terminal_services:

> I was looking at Disable Windows Installer setting and see

> another setting called, Prohibit User Installs.

>

> Would that prevent users from installing programs?

>

> The Disable Windows Installer, would that only apply to MSI's?

>

> Thanks again,

> RandyH

>

>

>

> Lanwench [MVP - Exchange] wrote:

>> RandyH <RHollaw@HOTmail.com> wrote:

>>> I guess Disable Windows Installer could have been a good

>>> answer too. Thanks for the KB, I had followed most of that

>>> article minus the Disable Windows Installer setting.

>>>

>>> do you know anything about Worldox? it's a POS and we've

>>> tried what

>>> you have suggested in the past without success.

>>>

>>> again, thanks for the KB...

>>

>> No prob. I presume that by POS you don't mean "point of sale"

>> but something else. ;-)

>> And no, I'm not familiar with it. Just try the sysinternals

>> tool...it's very handy.

>>>

>>>

>>> Lanwench [MVP - Exchange] wrote:

>>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>>> We have an app that requires users to be local admins,

>>>>> crappy I know, but I how can i prevent users from installing

>>>>> programs?

>>>>>

>>>>> If the TS has be in admin mode anyway, why would MS let

>>>>> programs get installed otherwise????? - rant..

>>>> You can lock down most everything you need to --and should--

>>>> but why not fix the underlying problem with this application

>>>> first? You should be able to identify the file system &

>>>> registry areas to which it wants access - try using Process

>>>> Monitor from Sysinternals (available for download on the MS

>>>> website). Users should not be admins on workstations, let

>>>> alone servers & you shouldn't have to leave them that way.

>>>> Basics: you should be running Terminal Services on a

>>>> dedicated member server with *no* other roles on the network.

>>>> It should be set up in its own OU, with a policy specifically

>>>> for TS (including loopback processing so that all users who

>>>> log in get the same settings, regardless of their own

>>>> inherited user policy settings). See KB 278295 for some good

>>>> lockdown suggestions. Also see MVP Patrick Rouse's articles

>>>> at http://www.sessioncomputing.com/articles.htm

[Guest RandyH]

Re: How to prevent users from installing programs.

 

Thank you again Vera.

 

I had a user install WinRar. My boss told me I need to take an outage

and remove winrar and install it in admin mode..

 

Vera Noest [MVP] wrote:

> No, this setting is about the difference between installing

> applications per computer or per user.

> Tip: read the "Explain" text that is available for all GPO

> settings:

>

> This setting allows you to configure user installs. To configure

> this setting, set it to enabled and use the drop-down list to

> select the behavior you want. If this setting is not configured,

> or if the setting is enabled and Allow User Installs is selected,

> the installer allows and makes use of products that are installed

> per user, and products that are installed per computer. If the

> installer finds a per-user install of an application, this hides a

> per-computer installation of that same product. If this setting is

> enabled and Hide User Installs is selected, the installer ignores

> per-user applications. This causes a per-computer installed

> application to be visible to users, even if those users have a per-

> user install of the product registered in their user profile. If

> this setting is enabled and Prohibit User Installs is selected, the

> installer prevents applications from being installed per user, and

> it ignores previously installed per-user applications. An attempt

> to perform a per-user installation causes the installer to display

> an error message and stop the installation. This setting is useful

> in environments where the administrator only wants per-computer

> applications installed, such as on a kiosk or a Windows Terminal

> Server.

>

> And for the setting Disable Windows Installer, the "Explain" text

> says:

> "This setting affects Windows Installer only. It does not prevent

> users from using other methods to install and upgrade programs."

>

> You're only option is to limit the user's rights and permissions.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in

> microsoft.public.windows.terminal_services:

>

>> I was looking at Disable Windows Installer setting and see

>> another setting called, Prohibit User Installs.

>>

>> Would that prevent users from installing programs?

>>

>> The Disable Windows Installer, would that only apply to MSI's?

>>

>> Thanks again,

>> RandyH

>>

>>

>>

>> Lanwench [MVP - Exchange] wrote:

>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>> I guess Disable Windows Installer could have been a good

>>>> answer too. Thanks for the KB, I had followed most of that

>>>> article minus the Disable Windows Installer setting.

>>>>

>>>> do you know anything about Worldox? it's a POS and we've

>>>> tried what

>>>> you have suggested in the past without success.

>>>>

>>>> again, thanks for the KB...

>>> No prob. I presume that by POS you don't mean "point of sale"

>>> but something else. ;-)

>>> And no, I'm not familiar with it. Just try the sysinternals

>>> tool...it's very handy.

>>>>

>>>> Lanwench [MVP - Exchange] wrote:

>>>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>>>> We have an app that requires users to be local admins,

>>>>>> crappy I know, but I how can i prevent users from installing

>>>>>> programs?

>>>>>>

>>>>>> If the TS has be in admin mode anyway, why would MS let

>>>>>> programs get installed otherwise????? - rant..

>>>>> You can lock down most everything you need to --and should--

>>>>> but why not fix the underlying problem with this application

>>>>> first? You should be able to identify the file system &

>>>>> registry areas to which it wants access - try using Process

>>>>> Monitor from Sysinternals (available for download on the MS

>>>>> website). Users should not be admins on workstations, let

>>>>> alone servers & you shouldn't have to leave them that way.

>>>>> Basics: you should be running Terminal Services on a

>>>>> dedicated member server with *no* other roles on the network.

>>>>> It should be set up in its own OU, with a policy specifically

>>>>> for TS (including loopback processing so that all users who

>>>>> log in get the same settings, regardless of their own

>>>>> inherited user policy settings). See KB 278295 for some good

>>>>> lockdown suggestions. Also see MVP Patrick Rouse's articles

>>>>> at http://www.sessioncomputing.com/articles.htm

[Guest Jeff Pitsch]

Re: How to prevent users from installing programs.

 

You could also remove the execute file permissions from key directories.

this works beautifully for most things.

 

--

Jeff Pitsch

Microsoft MVP - Terminal Services

 

"RandyH" <RHollaw@HOTmail.com> wrote in message

news:%23ta7tQ99IHA.224@TK2MSFTNGP06.phx.gbl...

> Thank you again Vera.

>

> I had a user install WinRar. My boss told me I need to take an outage and

> remove winrar and install it in admin mode..

>

> Vera Noest [MVP] wrote:

>> No, this setting is about the difference between installing applications

>> per computer or per user.

>> Tip: read the "Explain" text that is available for all GPO settings:

>>

>> This setting allows you to configure user installs. To configure this

>> setting, set it to enabled and use the drop-down list to select the

>> behavior you want. If this setting is not configured, or if the setting

>> is enabled and Allow User Installs is selected, the installer allows and

>> makes use of products that are installed per user, and products that are

>> installed per computer. If the installer finds a per-user install of an

>> application, this hides a per-computer installation of that same product.

>> If this setting is enabled and Hide User Installs is selected, the

>> installer ignores per-user applications. This causes a per-computer

>> installed application to be visible to users, even if those users have a

>> per-

>> user install of the product registered in their user profile. If this

>> setting is enabled and Prohibit User Installs is selected, the installer

>> prevents applications from being installed per user, and it ignores

>> previously installed per-user applications. An attempt to perform a

>> per-user installation causes the installer to display an error message

>> and stop the installation. This setting is useful in environments where

>> the administrator only wants per-computer applications installed, such as

>> on a kiosk or a Windows Terminal Server.

>>

>> And for the setting Disable Windows Installer, the "Explain" text says:

>> "This setting affects Windows Installer only. It does not prevent users

>> from using other methods to install and upgrade programs."

>>

>> You're only option is to limit the user's rights and permissions.

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in

>> microsoft.public.windows.terminal_services:

>>> I was looking at Disable Windows Installer setting and see

>>> another setting called, Prohibit User Installs.

>>>

>>> Would that prevent users from installing programs?

>>>

>>> The Disable Windows Installer, would that only apply to MSI's?

>>>

>>> Thanks again,

>>> RandyH

>>>

>>>

>>>

>>> Lanwench [MVP - Exchange] wrote:

>>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>>> I guess Disable Windows Installer could have been a good

>>>>> answer too. Thanks for the KB, I had followed most of that

>>>>> article minus the Disable Windows Installer setting.

>>>>>

>>>>> do you know anything about Worldox? it's a POS and we've

>>>>> tried what you have suggested in the past without success.

>>>>>

>>>>> again, thanks for the KB...

>>>> No prob. I presume that by POS you don't mean "point of sale" but

>>>> something else. ;-)

>>>> And no, I'm not familiar with it. Just try the sysinternals

>>>> tool...it's very handy.

>>>>>

>>>>> Lanwench [MVP - Exchange] wrote:

>>>>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>>>>> We have an app that requires users to be local admins,

>>>>>>> crappy I know, but I how can i prevent users from installing

>>>>>>> programs?

>>>>>>> If the TS has be in admin mode anyway, why would MS let

>>>>>>> programs get installed otherwise????? - rant..

>>>>>> You can lock down most everything you need to --and should--

>>>>>> but why not fix the underlying problem with this application

>>>>>> first? You should be able to identify the file system &

>>>>>> registry areas to which it wants access - try using Process

>>>>>> Monitor from Sysinternals (available for download on the MS

>>>>>> website). Users should not be admins on workstations, let

>>>>>> alone servers & you shouldn't have to leave them that way.

>>>>>> Basics: you should be running Terminal Services on a dedicated member

>>>>>> server with *no* other roles on the network.

>>>>>> It should be set up in its own OU, with a policy specifically

>>>>>> for TS (including loopback processing so that all users who

>>>>>> log in get the same settings, regardless of their own

>>>>>> inherited user policy settings). See KB 278295 for some good

>>>>>> lockdown suggestions. Also see MVP Patrick Rouse's articles

>>>>>> at http://www.sessioncomputing.com/articles.htm

>

[Guest RandyH]

Re: How to prevent users from installing programs.

 

Jeff Pitsch wrote:

> You could also remove the execute file permissions from key directories.

> this works beautifully for most things.

>

that sounds like winner....which key directories are you suggesting?

[Guest Jeff Pitsch]

Re: How to prevent users from installing programs.

 

Home directory, file shares, temp directories, desktop, (or profile

directories), that type of thing. Basically anywhere you think a program

would download and execute from.

 

--

Jeff Pitsch

Microsoft MVP - Terminal Services

 

"RandyH" <RHollaw@HOTmail.com> wrote in message

news:ubqEhFA%23IHA.5404@TK2MSFTNGP04.phx.gbl...

> Jeff Pitsch wrote:

>> You could also remove the execute file permissions from key directories.

>> this works beautifully for most things.

>>

> that sounds like winner....which key directories are you suggesting?

[Guest RandyH]

Re: How to prevent users from installing programs.

 

Jeff Pitsch wrote:

> Home directory, file shares, temp directories, desktop, (or profile

> directories), that type of thing. Basically anywhere you think a program

> would download and execute from.

>

sweet....I will give that a try!

 

Thanks Jeff

[Guest Lanwench [MVP - Exchange]]

Re: How to prevent users from installing programs.

 

RandyH <RHollaw@HOTmail.com> wrote:

> I was looking at Disable Windows Installer setting and see another

> setting called, Prohibit User Installs.

>

> Would that prevent users from installing programs?

>

> The Disable Windows Installer, would that only apply to MSI's?

>

> Thanks again,

> RandyH

 

Did you try my suggestion? I think you're going to make yourself crazy with

this one. The right answer is to revoke the admin rights (as well as run

general policy lockdown). Anything else you do will be a kluge and not a

simple one.

>

>

>

> Lanwench [MVP - Exchange] wrote:

>> RandyH <RHollaw@HOTmail.com> wrote:

>>> I guess Disable Windows Installer could have been a good answer too.

>>> Thanks for the KB, I had followed most of that article minus the

>>> Disable Windows Installer setting.

>>>

>>> do you know anything about Worldox? it's a POS and we've tried what

>>> you have suggested in the past without success.

>>>

>>> again, thanks for the KB...

>>

>> No prob. I presume that by POS you don't mean "point of sale" but

>> something else. ;-)

>> And no, I'm not familiar with it. Just try the sysinternals

>> tool...it's very handy.

>>>

>>>

>>> Lanwench [MVP - Exchange] wrote:

>>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>>> We have an app that requires users to be local admins, crappy I

>>>>> know, but I how can i prevent users from installing programs?

>>>>>

>>>>> If the TS has be in admin mode anyway, why would MS let programs

>>>>> get installed otherwise????? - rant..

>>>> You can lock down most everything you need to --and should-- but

>>>> why not fix the underlying problem with this application first? You

>>>> should be able to identify the file system & registry areas to

>>>> which it wants access - try using Process Monitor from Sysinternals

>>>> (available for download on the MS website). Users should not be

>>>> admins on workstations, let alone servers & you shouldn't have to

>>>> leave them that way. Basics: you should be running Terminal

>>>> Services on a dedicated

>>>> member server with *no* other roles on the network. It should be

>>>> set up in its own OU, with a policy specifically for TS (including

>>>> loopback processing so that all users who log in get the same

>>>> settings, regardless of their own inherited user policy settings).

>>>> See KB 278295 for some good lockdown suggestions. Also see MVP

>>>> Patrick Rouse's articles at

>>>> http://www.sessioncomputing.com/articles.htm

[Guest Vera Noest [MVP]]

Re: How to prevent users from installing programs.

 

But your users are all Administrators, right?

They'll simply undo whatever change you make.

 

There no way you can lock your server down without making them normal

users.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in

microsoft.public.windows.terminal_services:

> Jeff Pitsch wrote:

>> Home directory, file shares, temp directories, desktop, (or

>> profile directories), that type of thing. Basically anywhere

>> you think a program would download and execute from.

>>

> sweet....I will give that a try!

>

> Thanks Jeff

[Guest RandyH]

Re: How to prevent users from installing programs.

 

ugh...you guys are right....Thanks for the all the help.

 

 

Lanwench [MVP - Exchange] wrote:

> RandyH <RHollaw@HOTmail.com> wrote:

>> I was looking at Disable Windows Installer setting and see another

>> setting called, Prohibit User Installs.

>>

>> Would that prevent users from installing programs?

>>

>> The Disable Windows Installer, would that only apply to MSI's?

>>

>> Thanks again,

>> RandyH

>

> Did you try my suggestion? I think you're going to make yourself crazy with

> this one. The right answer is to revoke the admin rights (as well as run

> general policy lockdown). Anything else you do will be a kluge and not a

> simple one.

>>

>>

>> Lanwench [MVP - Exchange] wrote:

>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>> I guess Disable Windows Installer could have been a good answer too.

>>>> Thanks for the KB, I had followed most of that article minus the

>>>> Disable Windows Installer setting.

>>>>

>>>> do you know anything about Worldox? it's a POS and we've tried what

>>>> you have suggested in the past without success.

>>>>

>>>> again, thanks for the KB...

>>> No prob. I presume that by POS you don't mean "point of sale" but

>>> something else. ;-)

>>> And no, I'm not familiar with it. Just try the sysinternals

>>> tool...it's very handy.

>>>>

>>>> Lanwench [MVP - Exchange] wrote:

>>>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>>>> We have an app that requires users to be local admins, crappy I

>>>>>> know, but I how can i prevent users from installing programs?

>>>>>>

>>>>>> If the TS has be in admin mode anyway, why would MS let programs

>>>>>> get installed otherwise????? - rant..

>>>>> You can lock down most everything you need to --and should-- but

>>>>> why not fix the underlying problem with this application first? You

>>>>> should be able to identify the file system & registry areas to

>>>>> which it wants access - try using Process Monitor from Sysinternals

>>>>> (available for download on the MS website). Users should not be

>>>>> admins on workstations, let alone servers & you shouldn't have to

>>>>> leave them that way. Basics: you should be running Terminal

>>>>> Services on a dedicated

>>>>> member server with *no* other roles on the network. It should be

>>>>> set up in its own OU, with a policy specifically for TS (including

>>>>> loopback processing so that all users who log in get the same

>>>>> settings, regardless of their own inherited user policy settings).

>>>>> See KB 278295 for some good lockdown suggestions. Also see MVP

>>>>> Patrick Rouse's articles at

>>>>> http://www.sessioncomputing.com/articles.htm

>

>

>

[Guest RandyH]

Re: How to prevent users from installing programs.

 

You're right....I need to get that app worldox in check...

 

Vera Noest [MVP] wrote:

> But your users are all Administrators, right?

> They'll simply undo whatever change you make.

>

> There no way you can lock your server down without making them normal

> users.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> RandyH <RHollaw@HOTmail.com> wrote on 06 aug 2008 in

> microsoft.public.windows.terminal_services:

>

>> Jeff Pitsch wrote:

>>> Home directory, file shares, temp directories, desktop, (or

>>> profile directories), that type of thing. Basically anywhere

>>> you think a program would download and execute from.

>>>

>> sweet....I will give that a try!

>>

>> Thanks Jeff

[Guest Lanwench [MVP - Exchange]]

Re: How to prevent users from installing programs.

 

RandyH <RHollaw@HOTmail.com> wrote:

> ugh...you guys are right....Thanks for the all the help.

 

You're welcome. I know this isn't much fun when you're dealing with badly

written software, but 99.9999% of the time you can work around it. Oh, and

don't forget to holler at the developers who wrote the POS. And you know

which definition of that abbreviation I mean.

>

>

> Lanwench [MVP - Exchange] wrote:

>> RandyH <RHollaw@HOTmail.com> wrote:

>>> I was looking at Disable Windows Installer setting and see another

>>> setting called, Prohibit User Installs.

>>>

>>> Would that prevent users from installing programs?

>>>

>>> The Disable Windows Installer, would that only apply to MSI's?

>>>

>>> Thanks again,

>>> RandyH

>>

>> Did you try my suggestion? I think you're going to make yourself

>> crazy with this one. The right answer is to revoke the admin rights

>> (as well as run general policy lockdown). Anything else you do will

>> be a kluge and not a simple one.

>>>

>>>

>>> Lanwench [MVP - Exchange] wrote:

>>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>>> I guess Disable Windows Installer could have been a good answer

>>>>> too. Thanks for the KB, I had followed most of that article minus

>>>>> the Disable Windows Installer setting.

>>>>>

>>>>> do you know anything about Worldox? it's a POS and we've tried

>>>>> what you have suggested in the past without success.

>>>>>

>>>>> again, thanks for the KB...

>>>> No prob. I presume that by POS you don't mean "point of sale" but

>>>> something else. ;-)

>>>> And no, I'm not familiar with it. Just try the sysinternals

>>>> tool...it's very handy.

>>>>>

>>>>> Lanwench [MVP - Exchange] wrote:

>>>>>> RandyH <RHollaw@HOTmail.com> wrote:

>>>>>>> We have an app that requires users to be local admins, crappy I

>>>>>>> know, but I how can i prevent users from installing programs?

>>>>>>>

>>>>>>> If the TS has be in admin mode anyway, why would MS let programs

>>>>>>> get installed otherwise????? - rant..

>>>>>> You can lock down most everything you need to --and should-- but

>>>>>> why not fix the underlying problem with this application first?

>>>>>> You should be able to identify the file system & registry areas

>>>>>> to which it wants access - try using Process Monitor from

>>>>>> Sysinternals (available for download on the MS website). Users

>>>>>> should not be admins on workstations, let alone servers & you

>>>>>> shouldn't have to leave them that way. Basics: you should be

>>>>>> running Terminal Services on a dedicated

>>>>>> member server with *no* other roles on the network. It should be

>>>>>> set up in its own OU, with a policy specifically for TS

>>>>>> (including loopback processing so that all users who log in get

>>>>>> the same settings, regardless of their own inherited user policy

>>>>>> settings). See KB 278295 for some good lockdown suggestions.

>>>>>> Also see MVP Patrick Rouse's articles at

>>>>>> http://www.sessioncomputing.com/articles.htm