Guest Baker72
Posted October 15, 2008

I have a W2k3 SP1 server, which the users log in to via Terminal Server. The My Documents folder is re-routed to another server. I need to stop the users from installing and running .exe files from their "My Documents". Upgrading to W2K3 R2 is not an option for now...

Any ideas?

Guest Thee Chicago Wolf
Posted October 15, 2008

Re: disable .exe files in My Documents

>I have a W2k3 SP1 server, which the users login via Terminal server. The My
>Documents folder is re-routed to another server. I need to stop the user from
>installing and running .exe files from they "My Documents". Upgrading to W2K3
>R2 is not an option for now...
>
>Any ideas

Sure. Try this: Start > Run > gpedit.msc OR if you've got a policy set up, apply it to your specific policy.

Navigate to the following keys and turn these on:

Local Computer Policy > Computer Config > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

You should be able to set up a simple PATH rule to My Documents disallowing *.exe, that should do it for that folder. If you need to put it on other My Doc. folders, do as you see fit.

Next...

Local Computer Policy > Computer Config > Administrative Templates > Windows Components > Windows Installer
--------------------------------------------------
Always Install With Elevated Privileges = Disabled
Enable User Control Over Install = Disabled
Prohibit User Installs = Enabled, User Install Behavior = Prohibit Installs

The above should turn off the ability for anyone to install junk. They pretty much speak for themselves.

Lastly...

User Configuration > Administrative Templates > Windows Components > Windows Installer
--------------------------------------------------
Always install with elevated Privileges = Disabled
Prevent removable media source for any install = Enabled

If you need to, adjust these as well. Should put the hammer down on those philistines. ;-)

Let me know how it goes.

- Thee Chicago Wolf
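
An added example, not part of the original posts: a read-back check of the settings listed above, run on the terminal server inside a user's session. The registry value names are the standard locations for these policies and do not appear in the thread; `\\FILESERVER\Users$` is a placeholder for the redirected My Documents root.

```powershell
# Added example (not from the thread). Run on the terminal server, in a
# user's session so the HKCU checks read that user's policy.
$redirectRoot = '\\FILESERVER\Users$'   # placeholder: redirected My Documents root

$msiHKLM = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
$msiHKCU = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
# Level key "0" under CodeIdentifiers holds the Disallowed rules.
$srpDisallowed = 'HKLM:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

function Get-PolicyValue($key, $name) {
    # $null means the key or value is absent (policy not configured).
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($p) { return $p.$name }
    return $null
}

function Show-Check($label, $value, $wanted, $absentIsOk) {
    if ($value -eq $null) {
        if ($absentIsOk) { $state = 'ok (not set)' } else { $state = 'NOT SET' }
    } elseif ($value -eq $wanted) { $state = 'ok' }
    else { $state = "CHECK (value $value)" }
    "{0,-34} {1}" -f $label, $state
}

# Settings from the post; a missing value behaves the same as "Disabled".
Show-Check 'HKLM AlwaysInstallElevated = 0' (Get-PolicyValue $msiHKLM 'AlwaysInstallElevated') 0 $true
Show-Check 'HKCU AlwaysInstallElevated = 0' (Get-PolicyValue $msiHKCU 'AlwaysInstallElevated') 0 $true
Show-Check 'HKLM EnableUserControl = 0' (Get-PolicyValue $msiHKLM 'EnableUserControl') 0 $true
Show-Check 'HKCU DisableMedia = 1' (Get-PolicyValue $msiHKCU 'DisableMedia') 1 $false

# "Prohibit User Installs" is stored as DisableUserInstalls; shown raw for manual review.
"DisableUserInstalls raw value: $(Get-PolicyValue $msiHKLM 'DisableUserInstalls')"

# List the Disallowed path rules and see whether one covers the redirected folder.
$rules = @(Get-ChildItem $srpDisallowed -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData })
$rules | ForEach-Object { "Disallowed path rule: $_" }
$hit = @($rules | Where-Object { $_ -like "$redirectRoot*" })
if ($hit.Count -eq 0) { "No Disallowed path rule starts with $redirectRoot" }
```

The last check is a plain string comparison, so a rule written with a mapped drive letter or an environment variable is listed but not counted as a match.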

Guest Baker72
Posted October 15, 2008

Re: disable .exe files in My Documents

Wow, that is what I call detailed information. Thanks man!!!

One more question. Should I configure the policies on the server that they connect to, or on the server where the My Documents is located? I assumed that it is the one that they connect to...

"Thee Chicago Wolf" wrote:

> >I have a W2k3 SP1 server, which the users login via Terminal server. The My
> >Documents folder is re-routed to another server. I need to stop the user from
> >installing and running .exe files from they "My Documents". Upgrading to W2K3
> >R2 is not an option for now...
> >
> >Any ideas
>
> Sure. Try this: Start > Run > gpedit.msc OR if you've got a policy set
> up, apply it to your specific policy
>
> Navigate to the following keys and turn these on:
>
> Local Computer Policy > Computer Config > Windows Settings > Security
> Settings > Software Restriction Policies > Additional Rules
>
> You should be able to set up a simple PATH rule to My Documents
> disallowing *.exe, that should do it for that folder. If you need to
> put it on other My Doc. folders, do as you see fit.
>
>
> Next...
> Local Computer Policy > Computer Config > Administrative Templates >
> Windows Components > Windows Installer
> --------------------------------------------------
> Always Install With Elevated Privileges = Disabled
> Enable User Control Over Install = Disabled
> Prohibit User Installs = Enabled, User Install Behavior = Prohibit
> Installs
>
> The above should turn off the ability for anyone to install junk. They
> pretty much speak for themselves.
>
>
> Lastly...
> User Configuration > Administrative Templates > Windows Components >
> Windows Installer
> --------------------------------------------------
> Always install with elevated Privileges = Disabled
> Prevent removable media source for any install = Enabled
>
> If you need to, adjust these as well. Should put the hammer down on
> those philistines. ;-)
>
> Let me know how it goes.
>
> - Thee Chicago Wolf

Guest Thee Chicago Wolf
Posted October 15, 2008

Re: disable .exe files in My Documents

>Wow, that is what I call detail information. Thanks man!!!
>
>One more question. The policies should I configured them in the server that
>they connect to, or the server where the My documents is located? I assumed
>that is the one that they connect to...

On the server should be fine. Remember that these might also affect the Admin account as well, so you might have to temporarily disable them to install stuff. However, I've only ever seen it complain with MSIs. In any case, I don't know too many admins who install stuff on their servers to have to worry about it. It'd be interesting to see how it works for you. Let me know, ok?

- Thee Chicago Wolf