Jump to content

Administrator Consoled in Can not install software

Guest TM

By Guest TM
in Windows NT Server

 Share

Recommended Posts

Guest TM

Guest TM

Posted
Posted

I am having an issue installing programs consoled in and logged in as

admininstrator.

It keeps giving the message of "The system administrator has set policies to

prevent this installation"

 

I don't know of any policy set to prevent this from even happening for the

administrator. I have went to the lengths of removing the group policy for

the users and trying it again without any luck.

 

Does anyone know how to reset everything on that server or any suggestions.

 

Thanks,

TM

  • Replies 22
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Sounds like you want to enable this GPO setting:

 

Computer Configuration - Administrative Templates - Windows

Components - Windows Installer

"Allow admin to install from Terminal Services session"

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov

2007 in microsoft.public.windows.terminal_services:

> I am having an issue installing programs consoled in and logged

> in as admininstrator.

> It keeps giving the message of "The system administrator has set

> policies to prevent this installation"

>

> I don't know of any policy set to prevent this from even

> happening for the administrator. I have went to the lengths of

> removing the group policy for the users and trying it again

> without any luck.

>

> Does anyone know how to reset everything on that server or any

> suggestions.

>

> Thanks,

> TM

Guest TM

Guest TM

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Thanks for the reply

 

I found an article on doing that and it still isn't working. I have even

restarted the terminal server to try and fix the issue.

 

Could there be a registry setting on the server itself that would prevent

installations?

 

 

"Vera Noest [MVP]" wrote:

> Sounds like you want to enable this GPO setting:

>

> Computer Configuration - Administrative Templates - Windows

> Components - Windows Installer

> "Allow admin to install from Terminal Services session"

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov

> 2007 in microsoft.public.windows.terminal_services:

>

> > I am having an issue installing programs consoled in and logged

> > in as admininstrator.

> > It keeps giving the message of "The system administrator has set

> > policies to prevent this installation"

> >

> > I don't know of any policy set to prevent this from even

> > happening for the administrator. I have went to the lengths of

> > removing the group policy for the users and trying it again

> > without any luck.

> >

> > Does anyone know how to reset everything on that server or any

> > suggestions.

> >

> > Thanks,

> > TM

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Given the error message that you get, I'm still convinced it's a

GPO setting. Have you tried resultant set of Policies?

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov

2007 in microsoft.public.windows.terminal_services:

> Thanks for the reply

>

> I found an article on doing that and it still isn't working. I

> have even restarted the terminal server to try and fix the

> issue.

>

> Could there be a registry setting on the server itself that

> would prevent installations?

>

>

> "Vera Noest [MVP]" wrote:

>

>> Sounds like you want to enable this GPO setting:

>>

>> Computer Configuration - Administrative Templates - Windows

>> Components - Windows Installer

>> "Allow admin to install from Terminal Services session"

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov

>> 2007 in microsoft.public.windows.terminal_services:

>>

>> > I am having an issue installing programs consoled in and

>> > logged in as admininstrator.

>> > It keeps giving the message of "The system administrator has

>> > set policies to prevent this installation"

>> >

>> > I don't know of any policy set to prevent this from even

>> > happening for the administrator. I have went to the lengths

>> > of removing the group policy for the users and trying it

>> > again without any luck.

>> >

>> > Does anyone know how to reset everything on that server or

>> > any suggestions.

>> >

>> > Thanks,

>> > TM

Guest TM

Guest TM

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Well I have went through on the domain controller and removed the group

policy for that server.

Even when consoled and logged in as Administrator it still gives that error.

 

Is there any chance a setting could have been set locally on that server. If

so where does a person look to find out if it has been reset?

 

thanks for your response

 

"Vera Noest [MVP]" wrote:

> Given the error message that you get, I'm still convinced it's a

> GPO setting. Have you tried resultant set of Policies?

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov

> 2007 in microsoft.public.windows.terminal_services:

>

> > Thanks for the reply

> >

> > I found an article on doing that and it still isn't working. I

> > have even restarted the terminal server to try and fix the

> > issue.

> >

> > Could there be a registry setting on the server itself that

> > would prevent installations?

> >

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> Sounds like you want to enable this GPO setting:

> >>

> >> Computer Configuration - Administrative Templates - Windows

> >> Components - Windows Installer

> >> "Allow admin to install from Terminal Services session"

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov

> >> 2007 in microsoft.public.windows.terminal_services:

> >>

> >> > I am having an issue installing programs consoled in and

> >> > logged in as admininstrator.

> >> > It keeps giving the message of "The system administrator has

> >> > set policies to prevent this installation"

> >> >

> >> > I don't know of any policy set to prevent this from even

> >> > happening for the administrator. I have went to the lengths

> >> > of removing the group policy for the users and trying it

> >> > again without any luck.

> >> >

> >> > Does anyone know how to reset everything on that server or

> >> > any suggestions.

> >> >

> >> > Thanks,

> >> > TM

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Did you run Resultant Set of Policies, as I suggested in my

previous post? That would tell you exactly which policy has the

setting configured.

You can edit the local policy with gpedit.msc

 

If you get this error message even when you are logged in at the

physical console of the server, then it seems that Windows

Installer is disabled completely, not only for installations from

within a TS session. That setting can be found in

Computer Configuration - Administrative Templates - Windows

Components - Windows Installer

"Disable Windows Installer"

 

Other troubleshooting tools could be:

 

223300 - How to Enable Windows Installer Logging

http://support.microsoft.com/?kbid=223300

 

221833 - How to enable user environment debug logging in retail

builds of Windows

http://support.microsoft.com/?kbid=221833

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov

2007 in microsoft.public.windows.terminal_services:

> Well I have went through on the domain controller and removed

> the group policy for that server.

> Even when consoled and logged in as Administrator it still gives

> that error.

>

> Is there any chance a setting could have been set locally on

> that server. If so where does a person look to find out if it

> has been reset?

>

> thanks for your response

>

> "Vera Noest [MVP]" wrote:

>

>> Given the error message that you get, I'm still convinced it's

>> a GPO setting. Have you tried resultant set of Policies?

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov

>> 2007 in microsoft.public.windows.terminal_services:

>>

>> > Thanks for the reply

>> >

>> > I found an article on doing that and it still isn't working.

>> > I have even restarted the terminal server to try and fix the

>> > issue.

>> >

>> > Could there be a registry setting on the server itself that

>> > would prevent installations?

>> >

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> Sounds like you want to enable this GPO setting:

>> >>

>> >> Computer Configuration - Administrative Templates - Windows

>> >> Components - Windows Installer

>> >> "Allow admin to install from Terminal Services session"

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08

>> >> nov 2007 in microsoft.public.windows.terminal_services:

>> >>

>> >> > I am having an issue installing programs consoled in and

>> >> > logged in as admininstrator.

>> >> > It keeps giving the message of "The system administrator

>> >> > has set policies to prevent this installation"

>> >> >

>> >> > I don't know of any policy set to prevent this from even

>> >> > happening for the administrator. I have went to the

>> >> > lengths of removing the group policy for the users and

>> >> > trying it again without any luck.

>> >> >

>> >> > Does anyone know how to reset everything on that server or

>> >> > any suggestions.

>> >> >

>> >> > Thanks,

>> >> > TM

Guest TM

Guest TM

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Thanks for your help it was the local policy that was still turned on.

 

 

"Vera Noest [MVP]" wrote:

> Did you run Resultant Set of Policies, as I suggested in my

> previous post? That would tell you exactly which policy has the

> setting configured.

> You can edit the local policy with gpedit.msc

>

> If you get this error message even when you are logged in at the

> physical console of the server, then it seems that Windows

> Installer is disabled completely, not only for installations from

> within a TS session. That setting can be found in

> Computer Configuration - Administrative Templates - Windows

> Components - Windows Installer

> "Disable Windows Installer"

>

> Other troubleshooting tools could be:

>

> 223300 - How to Enable Windows Installer Logging

> http://support.microsoft.com/?kbid=223300

>

> 221833 - How to enable user environment debug logging in retail

> builds of Windows

> http://support.microsoft.com/?kbid=221833

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov

> 2007 in microsoft.public.windows.terminal_services:

>

> > Well I have went through on the domain controller and removed

> > the group policy for that server.

> > Even when consoled and logged in as Administrator it still gives

> > that error.

> >

> > Is there any chance a setting could have been set locally on

> > that server. If so where does a person look to find out if it

> > has been reset?

> >

> > thanks for your response

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> Given the error message that you get, I'm still convinced it's

> >> a GPO setting. Have you tried resultant set of Policies?

> >>

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov

> >> 2007 in microsoft.public.windows.terminal_services:

> >>

> >> > Thanks for the reply

> >> >

> >> > I found an article on doing that and it still isn't working.

> >> > I have even restarted the terminal server to try and fix the

> >> > issue.

> >> >

> >> > Could there be a registry setting on the server itself that

> >> > would prevent installations?

> >> >

> >> >

> >> > "Vera Noest [MVP]" wrote:

> >> >

> >> >> Sounds like you want to enable this GPO setting:

> >> >>

> >> >> Computer Configuration - Administrative Templates - Windows

> >> >> Components - Windows Installer

> >> >> "Allow admin to install from Terminal Services session"

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >>

> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08

> >> >> nov 2007 in microsoft.public.windows.terminal_services:

> >> >>

> >> >> > I am having an issue installing programs consoled in and

> >> >> > logged in as admininstrator.

> >> >> > It keeps giving the message of "The system administrator

> >> >> > has set policies to prevent this installation"

> >> >> >

> >> >> > I don't know of any policy set to prevent this from even

> >> >> > happening for the administrator. I have went to the

> >> >> > lengths of removing the group policy for the users and

> >> >> > trying it again without any luck.

> >> >> >

> >> >> > Does anyone know how to reset everything on that server or

> >> >> > any suggestions.

> >> >> >

> >> >> > Thanks,

> >> >> > TM

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

OK, thanks for the feedback, I'm glad that your problem is solved!

It's a bit puzzeling though that the problem didn't disappear by

configuring the GPO setting in the domain-wide GPO applied to the

TS, since those settings override the local policy.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov

2007 in microsoft.public.windows.terminal_services:

> Thanks for your help it was the local policy that was still

> turned on.

>

>

> "Vera Noest [MVP]" wrote:

>

>> Did you run Resultant Set of Policies, as I suggested in my

>> previous post? That would tell you exactly which policy has the

>> setting configured.

>> You can edit the local policy with gpedit.msc

>>

>> If you get this error message even when you are logged in at

>> the physical console of the server, then it seems that Windows

>> Installer is disabled completely, not only for installations

>> from within a TS session. That setting can be found in

>> Computer Configuration - Administrative Templates - Windows

>> Components - Windows Installer

>> "Disable Windows Installer"

>>

>> Other troubleshooting tools could be:

>>

>> 223300 - How to Enable Windows Installer Logging

>> http://support.microsoft.com/?kbid=223300

>>

>> 221833 - How to enable user environment debug logging in retail

>> builds of Windows

>> http://support.microsoft.com/?kbid=221833

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov

>> 2007 in microsoft.public.windows.terminal_services:

>>

>> > Well I have went through on the domain controller and removed

>> > the group policy for that server.

>> > Even when consoled and logged in as Administrator it still

>> > gives that error.

>> >

>> > Is there any chance a setting could have been set locally on

>> > that server. If so where does a person look to find out if it

>> > has been reset?

>> >

>> > thanks for your response

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> Given the error message that you get, I'm still convinced

>> >> it's a GPO setting. Have you tried resultant set of

>> >> Policies?

>> >>

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08

>> >> nov 2007 in microsoft.public.windows.terminal_services:

>> >>

>> >> > Thanks for the reply

>> >> >

>> >> > I found an article on doing that and it still isn't

>> >> > working. I have even restarted the terminal server to try

>> >> > and fix the issue.

>> >> >

>> >> > Could there be a registry setting on the server itself

>> >> > that would prevent installations?

>> >> >

>> >> >

>> >> > "Vera Noest [MVP]" wrote:

>> >> >

>> >> >> Sounds like you want to enable this GPO setting:

>> >> >>

>> >> >> Computer Configuration - Administrative Templates -

>> >> >> Windows Components - Windows Installer

>> >> >> "Allow admin to install from Terminal Services session"

>> >> >> _________________________________________________________

>> >> >> Vera Noest

>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> ___ please respond in newsgroup, NOT by private email ___

>> >> >>

>> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

>> >> >> 08 nov 2007 in

>> >> >> microsoft.public.windows.terminal_services:

>> >> >>

>> >> >> > I am having an issue installing programs consoled in

>> >> >> > and logged in as admininstrator.

>> >> >> > It keeps giving the message of "The system

>> >> >> > administrator has set policies to prevent this

>> >> >> > installation"

>> >> >> >

>> >> >> > I don't know of any policy set to prevent this from

>> >> >> > even happening for the administrator. I have went to

>> >> >> > the lengths of removing the group policy for the users

>> >> >> > and trying it again without any luck.

>> >> >> >

>> >> >> > Does anyone know how to reset everything on that server

>> >> >> > or any suggestions.

>> >> >> >

>> >> >> > Thanks,

>> >> >> > TM

  • 8 months later...
Guest Asif Shah

Guest Asif Shah

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Vera,

 

I have disabled the windows installer but that only applies to software

installations that use windows installer to install itself. There are other

installs that dont use windows install. e.g. installing Mozilla Firefox. I

have the GPO you mentioned for the windows installer enabled but i can still

install firefox........what else can i try?

 

"Vera Noest [MVP]" wrote:

> OK, thanks for the feedback, I'm glad that your problem is solved!

> It's a bit puzzeling though that the problem didn't disappear by

> configuring the GPO setting in the domain-wide GPO applied to the

> TS, since those settings override the local policy.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov

> 2007 in microsoft.public.windows.terminal_services:

>

> > Thanks for your help it was the local policy that was still

> > turned on.

> >

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> Did you run Resultant Set of Policies, as I suggested in my

> >> previous post? That would tell you exactly which policy has the

> >> setting configured.

> >> You can edit the local policy with gpedit.msc

> >>

> >> If you get this error message even when you are logged in at

> >> the physical console of the server, then it seems that Windows

> >> Installer is disabled completely, not only for installations

> >> from within a TS session. That setting can be found in

> >> Computer Configuration - Administrative Templates - Windows

> >> Components - Windows Installer

> >> "Disable Windows Installer"

> >>

> >> Other troubleshooting tools could be:

> >>

> >> 223300 - How to Enable Windows Installer Logging

> >> http://support.microsoft.com/?kbid=223300

> >>

> >> 221833 - How to enable user environment debug logging in retail

> >> builds of Windows

> >> http://support.microsoft.com/?kbid=221833

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov

> >> 2007 in microsoft.public.windows.terminal_services:

> >>

> >> > Well I have went through on the domain controller and removed

> >> > the group policy for that server.

> >> > Even when consoled and logged in as Administrator it still

> >> > gives that error.

> >> >

> >> > Is there any chance a setting could have been set locally on

> >> > that server. If so where does a person look to find out if it

> >> > has been reset?

> >> >

> >> > thanks for your response

> >> >

> >> > "Vera Noest [MVP]" wrote:

> >> >

> >> >> Given the error message that you get, I'm still convinced

> >> >> it's a GPO setting. Have you tried resultant set of

> >> >> Policies?

> >> >>

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >>

> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08

> >> >> nov 2007 in microsoft.public.windows.terminal_services:

> >> >>

> >> >> > Thanks for the reply

> >> >> >

> >> >> > I found an article on doing that and it still isn't

> >> >> > working. I have even restarted the terminal server to try

> >> >> > and fix the issue.

> >> >> >

> >> >> > Could there be a registry setting on the server itself

> >> >> > that would prevent installations?

> >> >> >

> >> >> >

> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >

> >> >> >> Sounds like you want to enable this GPO setting:

> >> >> >>

> >> >> >> Computer Configuration - Administrative Templates -

> >> >> >> Windows Components - Windows Installer

> >> >> >> "Allow admin to install from Terminal Services session"

> >> >> >> _________________________________________________________

> >> >> >> Vera Noest

> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >> >>

> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

> >> >> >> 08 nov 2007 in

> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >>

> >> >> >> > I am having an issue installing programs consoled in

> >> >> >> > and logged in as admininstrator.

> >> >> >> > It keeps giving the message of "The system

> >> >> >> > administrator has set policies to prevent this

> >> >> >> > installation"

> >> >> >> >

> >> >> >> > I don't know of any policy set to prevent this from

> >> >> >> > even happening for the administrator. I have went to

> >> >> >> > the lengths of removing the group policy for the users

> >> >> >> > and trying it again without any luck.

> >> >> >> >

> >> >> >> > Does anyone know how to reset everything on that server

> >> >> >> > or any suggestions.

> >> >> >> >

> >> >> >> > Thanks,

> >> >> >> > TM

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Asif, you seem to append to an old thread which was about the

opposite of your problem. That's very confusing. Next time, please

start a new thread and clearly state your problem.

 

What exactly is it that you want to achieve? I'm assuming that your

are the Administrator of a TS, and that you want to prohibit users

to install software, is that correct? Or do you want to disable

this for all users, including Administrators?

 

If you just want to take away this possibility for normal users,

the answer is that they don't have the proper rights any way,

assuming that you run on Windows 2003 and have installed Terminal

Services with "Full Security". They can install applications in

their home folder, but can't add or replace system files, dll's

etc.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

wrote on 01 aug 2008:

> Vera,

>

> I have disabled the windows installer but that only applies to

> software installations that use windows installer to install

> itself. There are other installs that dont use windows install.

> e.g. installing Mozilla Firefox. I have the GPO you mentioned

> for the windows installer enabled but i can still install

> firefox........what else can i try?

>

> "Vera Noest [MVP]" wrote:

>

>> OK, thanks for the feedback, I'm glad that your problem is

>> solved! It's a bit puzzeling though that the problem didn't

>> disappear by configuring the GPO setting in the domain-wide GPO

>> applied to the TS, since those settings override the local

>> policy.

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov

>> 2007 in microsoft.public.windows.terminal_services:

>>

>> > Thanks for your help it was the local policy that was still

>> > turned on.

>> >

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> Did you run Resultant Set of Policies, as I suggested in my

>> >> previous post? That would tell you exactly which policy has

>> >> the setting configured.

>> >> You can edit the local policy with gpedit.msc

>> >>

>> >> If you get this error message even when you are logged in at

>> >> the physical console of the server, then it seems that

>> >> Windows Installer is disabled completely, not only for

>> >> installations from within a TS session. That setting can be

>> >> found in Computer Configuration - Administrative Templates -

>> >> Windows Components - Windows Installer

>> >> "Disable Windows Installer"

>> >>

>> >> Other troubleshooting tools could be:

>> >>

>> >> 223300 - How to Enable Windows Installer Logging

>> >> http://support.microsoft.com/?kbid=223300

>> >>

>> >> 221833 - How to enable user environment debug logging in

>> >> retail builds of Windows

>> >> http://support.microsoft.com/?kbid=221833

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14

>> >> nov 2007 in microsoft.public.windows.terminal_services:

>> >>

>> >> > Well I have went through on the domain controller and

>> >> > removed the group policy for that server.

>> >> > Even when consoled and logged in as Administrator it still

>> >> > gives that error.

>> >> >

>> >> > Is there any chance a setting could have been set locally

>> >> > on that server. If so where does a person look to find out

>> >> > if it has been reset?

>> >> >

>> >> > thanks for your response

>> >> >

>> >> > "Vera Noest [MVP]" wrote:

>> >> >

>> >> >> Given the error message that you get, I'm still convinced

>> >> >> it's a GPO setting. Have you tried resultant set of

>> >> >> Policies?

>> >> >>

>> >> >> _________________________________________________________

>> >> >> Vera Noest

>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> ___ please respond in newsgroup, NOT by private email ___

>> >> >>

>> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

>> >> >> 08 nov 2007 in

>> >> >> microsoft.public.windows.terminal_services:

>> >> >>

>> >> >> > Thanks for the reply

>> >> >> >

>> >> >> > I found an article on doing that and it still isn't

>> >> >> > working. I have even restarted the terminal server to

>> >> >> > try and fix the issue.

>> >> >> >

>> >> >> > Could there be a registry setting on the server itself

>> >> >> > that would prevent installations?

>> >> >> >

>> >> >> >

>> >> >> > "Vera Noest [MVP]" wrote:

>> >> >> >

>> >> >> >> Sounds like you want to enable this GPO setting:

>> >> >> >>

>> >> >> >> Computer Configuration - Administrative Templates -

>> >> >> >> Windows Components - Windows Installer

>> >> >> >> "Allow admin to install from Terminal Services

>> >> >> >> session"

>> >> >> >> _______________________________________________________

>> >> >> >> __ Vera Noest

>> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> >> ___ please respond in newsgroup, NOT by private email

>> >> >> >> ___

>> >> >> >>

>> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

>> >> >> >> on 08 nov 2007 in

>> >> >> >> microsoft.public.windows.terminal_services:

>> >> >> >>

>> >> >> >> > I am having an issue installing programs consoled in

>> >> >> >> > and logged in as admininstrator.

>> >> >> >> > It keeps giving the message of "The system

>> >> >> >> > administrator has set policies to prevent this

>> >> >> >> > installation"

>> >> >> >> >

>> >> >> >> > I don't know of any policy set to prevent this from

>> >> >> >> > even happening for the administrator. I have went to

>> >> >> >> > the lengths of removing the group policy for the

>> >> >> >> > users and trying it again without any luck.

>> >> >> >> >

>> >> >> >> > Does anyone know how to reset everything on that

>> >> >> >> > server or any suggestions.

>> >> >> >> >

>> >> >> >> > Thanks,

>> >> >> >> > TM

Guest Asif Shah

Guest Asif Shah

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Vera,

 

My appoligies for adding to an older thread. I just thought since you were

dicussing a similiar problem I would post my issue. I will keep in mind nex

time.

 

I am the administrator and I am trying to restrict all non-admin users from

installing software on the server. This is on a Windows 2000 server. How can

I check if I installed TS with full security. Apprently something is not

setup right, because few days ago I discovered that new software were

installed, some games and Mozilla Firebox. I checked with my admins and they

didnt. So it had to have been a regular user. No other user has right like us

admins. I even did a test. I logged in as a normal user whose password I knew

and I was able to download and install Firefox and other software.

 

The only thing I have done is disable the windows installer but seems like

that only works for software that use windows installer to install itself.

The article I read from Microsoft that talks about this GPO mentions this

condition. What else can I do? What else can I check?

 

Thanks.

 

"Vera Noest [MVP]" wrote:

> Asif, you seem to append to an old thread which was about the

> opposite of your problem. That's very confusing. Next time, please

> start a new thread and clearly state your problem.

>

> What exactly is it that you want to achieve? I'm assuming that your

> are the Administrator of a TS, and that you want to prohibit users

> to install software, is that correct? Or do you want to disable

> this for all users, including Administrators?

>

> If you just want to take away this possibility for normal users,

> the answer is that they don't have the proper rights any way,

> assuming that you run on Windows 2003 and have installed Terminal

> Services with "Full Security". They can install applications in

> their home folder, but can't add or replace system files, dll's

> etc.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> *----------- Please reply in newsgroup -------------*

>

> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> wrote on 01 aug 2008:

>

> > Vera,

> >

> > I have disabled the windows installer but that only applies to

> > software installations that use windows installer to install

> > itself. There are other installs that dont use windows install.

> > e.g. installing Mozilla Firefox. I have the GPO you mentioned

> > for the windows installer enabled but i can still install

> > firefox........what else can i try?

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> OK, thanks for the feedback, I'm glad that your problem is

> >> solved! It's a bit puzzeling though that the problem didn't

> >> disappear by configuring the GPO setting in the domain-wide GPO

> >> applied to the TS, since those settings override the local

> >> policy.

> >>

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov

> >> 2007 in microsoft.public.windows.terminal_services:

> >>

> >> > Thanks for your help it was the local policy that was still

> >> > turned on.

> >> >

> >> >

> >> > "Vera Noest [MVP]" wrote:

> >> >

> >> >> Did you run Resultant Set of Policies, as I suggested in my

> >> >> previous post? That would tell you exactly which policy has

> >> >> the setting configured.

> >> >> You can edit the local policy with gpedit.msc

> >> >>

> >> >> If you get this error message even when you are logged in at

> >> >> the physical console of the server, then it seems that

> >> >> Windows Installer is disabled completely, not only for

> >> >> installations from within a TS session. That setting can be

> >> >> found in Computer Configuration - Administrative Templates -

> >> >> Windows Components - Windows Installer

> >> >> "Disable Windows Installer"

> >> >>

> >> >> Other troubleshooting tools could be:

> >> >>

> >> >> 223300 - How to Enable Windows Installer Logging

> >> >> http://support.microsoft.com/?kbid=223300

> >> >>

> >> >> 221833 - How to enable user environment debug logging in

> >> >> retail builds of Windows

> >> >> http://support.microsoft.com/?kbid=221833

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >>

> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14

> >> >> nov 2007 in microsoft.public.windows.terminal_services:

> >> >>

> >> >> > Well I have went through on the domain controller and

> >> >> > removed the group policy for that server.

> >> >> > Even when consoled and logged in as Administrator it still

> >> >> > gives that error.

> >> >> >

> >> >> > Is there any chance a setting could have been set locally

> >> >> > on that server. If so where does a person look to find out

> >> >> > if it has been reset?

> >> >> >

> >> >> > thanks for your response

> >> >> >

> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >

> >> >> >> Given the error message that you get, I'm still convinced

> >> >> >> it's a GPO setting. Have you tried resultant set of

> >> >> >> Policies?

> >> >> >>

> >> >> >> _________________________________________________________

> >> >> >> Vera Noest

> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >> >>

> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

> >> >> >> 08 nov 2007 in

> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >>

> >> >> >> > Thanks for the reply

> >> >> >> >

> >> >> >> > I found an article on doing that and it still isn't

> >> >> >> > working. I have even restarted the terminal server to

> >> >> >> > try and fix the issue.

> >> >> >> >

> >> >> >> > Could there be a registry setting on the server itself

> >> >> >> > that would prevent installations?

> >> >> >> >

> >> >> >> >

> >> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >> >

> >> >> >> >> Sounds like you want to enable this GPO setting:

> >> >> >> >>

> >> >> >> >> Computer Configuration - Administrative Templates -

> >> >> >> >> Windows Components - Windows Installer

> >> >> >> >> "Allow admin to install from Terminal Services

> >> >> >> >> session"

> >> >> >> >> _______________________________________________________

> >> >> >> >> __ Vera Noest

> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> >> ___ please respond in newsgroup, NOT by private email

> >> >> >> >> ___

> >> >> >> >>

> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

> >> >> >> >> on 08 nov 2007 in

> >> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >> >>

> >> >> >> >> > I am having an issue installing programs consoled in

> >> >> >> >> > and logged in as admininstrator.

> >> >> >> >> > It keeps giving the message of "The system

> >> >> >> >> > administrator has set policies to prevent this

> >> >> >> >> > installation"

> >> >> >> >> >

> >> >> >> >> > I don't know of any policy set to prevent this from

> >> >> >> >> > even happening for the administrator. I have went to

> >> >> >> >> > the lengths of removing the group policy for the

> >> >> >> >> > users and trying it again without any luck.

> >> >> >> >> >

> >> >> >> >> > Does anyone know how to reset everything on that

> >> >> >> >> > server or any suggestions.

> >> >> >> >> >

> >> >> >> >> > Thanks,

> >> >> >> >> > TM

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

OK, seems like the Terminal Services was installed with relaxed

security. It's a long time ago that I worked with W2K TS, so I'm

unsure about the details, but I believe that you can check (and

change?) this in Terminal Services Configuration - Server settings.

 

You'll have to further secure the server with NTFS permissions on

the file system. At the minimum, modify the NTFS permissions as

follows:

%SystemDrive%, %SystemRoot%, %ProgramFiles% and

%SystemRoot%\system32 :

System - Full Control

Administrators - Full Control

Authenticated Users - Read & Execute

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

wrote on 01 aug 2008 in

microsoft.public.windows.terminal_services:

> Vera,

>

> My appoligies for adding to an older thread. I just thought

> since you were dicussing a similiar problem I would post my

> issue. I will keep in mind nex time.

>

> I am the administrator and I am trying to restrict all non-admin

> users from installing software on the server. This is on a

> Windows 2000 server. How can I check if I installed TS with full

> security. Apprently something is not setup right, because few

> days ago I discovered that new software were installed, some

> games and Mozilla Firebox. I checked with my admins and they

> didnt. So it had to have been a regular user. No other user has

> right like us admins. I even did a test. I logged in as a normal

> user whose password I knew and I was able to download and

> install Firefox and other software.

>

> The only thing I have done is disable the windows installer but

> seems like that only works for software that use windows

> installer to install itself. The article I read from Microsoft

> that talks about this GPO mentions this condition. What else can

> I do? What else can I check?

>

> Thanks.

>

> "Vera Noest [MVP]" wrote:

>

>> Asif, you seem to append to an old thread which was about the

>> opposite of your problem. That's very confusing. Next time,

>> please start a new thread and clearly state your problem.

>>

>> What exactly is it that you want to achieve? I'm assuming that

>> your are the Administrator of a TS, and that you want to

>> prohibit users to install software, is that correct? Or do you

>> want to disable this for all users, including Administrators?

>>

>> If you just want to take away this possibility for normal

>> users, the answer is that they don't have the proper rights any

>> way, assuming that you run on Windows 2003 and have installed

>> Terminal Services with "Full Security". They can install

>> applications in their home folder, but can't add or replace

>> system files, dll's etc.

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> *----------- Please reply in newsgroup -------------*

>>

>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

>> wrote on 01 aug 2008:

>>

>> > Vera,

>> >

>> > I have disabled the windows installer but that only applies

>> > to software installations that use windows installer to

>> > install itself. There are other installs that dont use

>> > windows install. e.g. installing Mozilla Firefox. I have the

>> > GPO you mentioned for the windows installer enabled but i can

>> > still install firefox........what else can i try?

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> OK, thanks for the feedback, I'm glad that your problem is

>> >> solved! It's a bit puzzeling though that the problem didn't

>> >> disappear by configuring the GPO setting in the domain-wide

>> >> GPO applied to the TS, since those settings override the

>> >> local policy.

>> >>

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14

>> >> nov 2007 in microsoft.public.windows.terminal_services:

>> >>

>> >> > Thanks for your help it was the local policy that was

>> >> > still turned on.

>> >> >

>> >> >

>> >> > "Vera Noest [MVP]" wrote:

>> >> >

>> >> >> Did you run Resultant Set of Policies, as I suggested in

>> >> >> my previous post? That would tell you exactly which

>> >> >> policy has the setting configured.

>> >> >> You can edit the local policy with gpedit.msc

>> >> >>

>> >> >> If you get this error message even when you are logged in

>> >> >> at the physical console of the server, then it seems that

>> >> >> Windows Installer is disabled completely, not only for

>> >> >> installations from within a TS session. That setting can

>> >> >> be found in Computer Configuration - Administrative

>> >> >> Templates - Windows Components - Windows Installer

>> >> >> "Disable Windows Installer"

>> >> >>

>> >> >> Other troubleshooting tools could be:

>> >> >>

>> >> >> 223300 - How to Enable Windows Installer Logging

>> >> >> http://support.microsoft.com/?kbid=223300

>> >> >>

>> >> >> 221833 - How to enable user environment debug logging in

>> >> >> retail builds of Windows

>> >> >> http://support.microsoft.com/?kbid=221833

>> >> >> _________________________________________________________

>> >> >> Vera Noest

>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> ___ please respond in newsgroup, NOT by private email ___

>> >> >>

>> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

>> >> >> 14 nov 2007 in

>> >> >> microsoft.public.windows.terminal_services:

>> >> >>

>> >> >> > Well I have went through on the domain controller and

>> >> >> > removed the group policy for that server.

>> >> >> > Even when consoled and logged in as Administrator it

>> >> >> > still gives that error.

>> >> >> >

>> >> >> > Is there any chance a setting could have been set

>> >> >> > locally on that server. If so where does a person look

>> >> >> > to find out if it has been reset?

>> >> >> >

>> >> >> > thanks for your response

>> >> >> >

>> >> >> > "Vera Noest [MVP]" wrote:

>> >> >> >

>> >> >> >> Given the error message that you get, I'm still

>> >> >> >> convinced it's a GPO setting. Have you tried resultant

>> >> >> >> set of Policies?

>> >> >> >>

>> >> >> >> _______________________________________________________

>> >> >> >> __ Vera Noest

>> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> >> ___ please respond in newsgroup, NOT by private email

>> >> >> >> ___

>> >> >> >>

>> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

>> >> >> >> on 08 nov 2007 in

>> >> >> >> microsoft.public.windows.terminal_services:

>> >> >> >>

>> >> >> >> > Thanks for the reply

>> >> >> >> >

>> >> >> >> > I found an article on doing that and it still isn't

>> >> >> >> > working. I have even restarted the terminal server

>> >> >> >> > to try and fix the issue.

>> >> >> >> >

>> >> >> >> > Could there be a registry setting on the server

>> >> >> >> > itself that would prevent installations?

>> >> >> >> >

>> >> >> >> >

>> >> >> >> > "Vera Noest [MVP]" wrote:

>> >> >> >> >

>> >> >> >> >> Sounds like you want to enable this GPO setting:

>> >> >> >> >>

>> >> >> >> >> Computer Configuration - Administrative Templates -

>> >> >> >> >> Windows Components - Windows Installer

>> >> >> >> >> "Allow admin to install from Terminal Services

>> >> >> >> >> session"

>> >> >> >> >> ____________________________________________________

>> >> >> >> >> ___ __ Vera Noest

>> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> >> >> ___ please respond in newsgroup, NOT by private

>> >> >> >> >> email ___

>> >> >> >> >>

>> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

>> >> >> >> >> wrote on 08 nov 2007 in

>> >> >> >> >> microsoft.public.windows.terminal_services:

>> >> >> >> >>

>> >> >> >> >> > I am having an issue installing programs consoled

>> >> >> >> >> > in and logged in as admininstrator.

>> >> >> >> >> > It keeps giving the message of "The system

>> >> >> >> >> > administrator has set policies to prevent this

>> >> >> >> >> > installation"

>> >> >> >> >> >

>> >> >> >> >> > I don't know of any policy set to prevent this

>> >> >> >> >> > from even happening for the administrator. I have

>> >> >> >> >> > went to the lengths of removing the group policy

>> >> >> >> >> > for the users and trying it again without any

>> >> >> >> >> > luck.

>> >> >> >> >> >

>> >> >> >> >> > Does anyone know how to reset everything on that

>> >> >> >> >> > server or any suggestions.

>> >> >> >> >> >

>> >> >> >> >> > Thanks,

>> >> >> >> >> > TM

Guest Asif Shah

Guest Asif Shah

Posted
Posted

Re: Administrator Consoled in Can not install software

 

I am looking at the Terminal Services Configuration - Server Settings, which

setting do I change. I dont see anything that says "relaxed security".

 

"Vera Noest [MVP]" wrote:

> OK, seems like the Terminal Services was installed with relaxed

> security. It's a long time ago that I worked with W2K TS, so I'm

> unsure about the details, but I believe that you can check (and

> change?) this in Terminal Services Configuration - Server settings.

>

> You'll have to further secure the server with NTFS permissions on

> the file system. At the minimum, modify the NTFS permissions as

> follows:

> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

> %SystemRoot%\system32 :

> System - Full Control

> Administrators - Full Control

> Authenticated Users - Read & Execute

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> wrote on 01 aug 2008 in

> microsoft.public.windows.terminal_services:

>

> > Vera,

> >

> > My appoligies for adding to an older thread. I just thought

> > since you were dicussing a similiar problem I would post my

> > issue. I will keep in mind nex time.

> >

> > I am the administrator and I am trying to restrict all non-admin

> > users from installing software on the server. This is on a

> > Windows 2000 server. How can I check if I installed TS with full

> > security. Apprently something is not setup right, because few

> > days ago I discovered that new software were installed, some

> > games and Mozilla Firebox. I checked with my admins and they

> > didnt. So it had to have been a regular user. No other user has

> > right like us admins. I even did a test. I logged in as a normal

> > user whose password I knew and I was able to download and

> > install Firefox and other software.

> >

> > The only thing I have done is disable the windows installer but

> > seems like that only works for software that use windows

> > installer to install itself. The article I read from Microsoft

> > that talks about this GPO mentions this condition. What else can

> > I do? What else can I check?

> >

> > Thanks.

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> Asif, you seem to append to an old thread which was about the

> >> opposite of your problem. That's very confusing. Next time,

> >> please start a new thread and clearly state your problem.

> >>

> >> What exactly is it that you want to achieve? I'm assuming that

> >> your are the Administrator of a TS, and that you want to

> >> prohibit users to install software, is that correct? Or do you

> >> want to disable this for all users, including Administrators?

> >>

> >> If you just want to take away this possibility for normal

> >> users, the answer is that they don't have the proper rights any

> >> way, assuming that you run on Windows 2003 and have installed

> >> Terminal Services with "Full Security". They can install

> >> applications in their home folder, but can't add or replace

> >> system files, dll's etc.

> >>

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> *----------- Please reply in newsgroup -------------*

> >>

> >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> >> wrote on 01 aug 2008:

> >>

> >> > Vera,

> >> >

> >> > I have disabled the windows installer but that only applies

> >> > to software installations that use windows installer to

> >> > install itself. There are other installs that dont use

> >> > windows install. e.g. installing Mozilla Firefox. I have the

> >> > GPO you mentioned for the windows installer enabled but i can

> >> > still install firefox........what else can i try?

> >> >

> >> > "Vera Noest [MVP]" wrote:

> >> >

> >> >> OK, thanks for the feedback, I'm glad that your problem is

> >> >> solved! It's a bit puzzeling though that the problem didn't

> >> >> disappear by configuring the GPO setting in the domain-wide

> >> >> GPO applied to the TS, since those settings override the

> >> >> local policy.

> >> >>

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >>

> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14

> >> >> nov 2007 in microsoft.public.windows.terminal_services:

> >> >>

> >> >> > Thanks for your help it was the local policy that was

> >> >> > still turned on.

> >> >> >

> >> >> >

> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >

> >> >> >> Did you run Resultant Set of Policies, as I suggested in

> >> >> >> my previous post? That would tell you exactly which

> >> >> >> policy has the setting configured.

> >> >> >> You can edit the local policy with gpedit.msc

> >> >> >>

> >> >> >> If you get this error message even when you are logged in

> >> >> >> at the physical console of the server, then it seems that

> >> >> >> Windows Installer is disabled completely, not only for

> >> >> >> installations from within a TS session. That setting can

> >> >> >> be found in Computer Configuration - Administrative

> >> >> >> Templates - Windows Components - Windows Installer

> >> >> >> "Disable Windows Installer"

> >> >> >>

> >> >> >> Other troubleshooting tools could be:

> >> >> >>

> >> >> >> 223300 - How to Enable Windows Installer Logging

> >> >> >> http://support.microsoft.com/?kbid=223300

> >> >> >>

> >> >> >> 221833 - How to enable user environment debug logging in

> >> >> >> retail builds of Windows

> >> >> >> http://support.microsoft.com/?kbid=221833

> >> >> >> _________________________________________________________

> >> >> >> Vera Noest

> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >> >>

> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

> >> >> >> 14 nov 2007 in

> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >>

> >> >> >> > Well I have went through on the domain controller and

> >> >> >> > removed the group policy for that server.

> >> >> >> > Even when consoled and logged in as Administrator it

> >> >> >> > still gives that error.

> >> >> >> >

> >> >> >> > Is there any chance a setting could have been set

> >> >> >> > locally on that server. If so where does a person look

> >> >> >> > to find out if it has been reset?

> >> >> >> >

> >> >> >> > thanks for your response

> >> >> >> >

> >> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >> >

> >> >> >> >> Given the error message that you get, I'm still

> >> >> >> >> convinced it's a GPO setting. Have you tried resultant

> >> >> >> >> set of Policies?

> >> >> >> >>

> >> >> >> >> _______________________________________________________

> >> >> >> >> __ Vera Noest

> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> >> ___ please respond in newsgroup, NOT by private email

> >> >> >> >> ___

> >> >> >> >>

> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

> >> >> >> >> on 08 nov 2007 in

> >> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >> >>

> >> >> >> >> > Thanks for the reply

> >> >> >> >> >

> >> >> >> >> > I found an article on doing that and it still isn't

> >> >> >> >> > working. I have even restarted the terminal server

> >> >> >> >> > to try and fix the issue.

> >> >> >> >> >

> >> >> >> >> > Could there be a registry setting on the server

> >> >> >> >> > itself that would prevent installations?

> >> >> >> >> >

> >> >> >> >> >

> >> >> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >> >> >

> >> >> >> >> >> Sounds like you want to enable this GPO setting:

> >> >> >> >> >>

> >> >> >> >> >> Computer Configuration - Administrative Templates -

> >> >> >> >> >> Windows Components - Windows Installer

> >> >> >> >> >> "Allow admin to install from Terminal Services

> >> >> >> >> >> session"

> >> >> >> >> >> ____________________________________________________

> >> >> >> >> >> ___ __ Vera Noest

> >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> >> >> ___ please respond in newsgroup, NOT by private

> >> >> >> >> >> email ___

> >> >> >> >> >>

> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

> >> >> >> >> >> wrote on 08 nov 2007 in

> >> >> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >> >> >>

> >> >> >> >> >> > I am having an issue installing programs consoled

> >> >> >> >> >> > in and logged in as admininstrator.

> >> >> >> >> >> > It keeps giving the message of "The system

> >> >> >> >> >> > administrator has set policies to prevent this

> >> >> >> >> >> > installation"

> >> >> >> >> >> >

> >> >> >> >> >> > I don't know of any policy set to prevent this

> >> >> >> >> >> > from even happening for the administrator. I have

> >> >> >> >> >> > went to the lengths of removing the group policy

> >> >> >> >> >> > for the users and trying it again without any

> >> >> >> >> >> > luck.

> >> >> >> >> >> >

> >> >> >> >> >> > Does anyone know how to reset everything on that

> >> >> >> >> >> > server or any suggestions.

> >> >> >> >> >> >

> >> >> >> >> >> > Thanks,

> >> >> >> >> >> > TM

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Well, as I wrote, I don't remember the details of a W2K TS. During

installation, you are asked to choose the "Compatibility mode". Is

there anyting in tscc which mentions that? If so, you chould choose

"Permissions compatible with Windows 2000 Users".

 

Anyone else maybe, who has access to a W2K TS?

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

wrote on 02 aug 2008 in

microsoft.public.windows.terminal_services:

> I am looking at the Terminal Services Configuration - Server

> Settings, which setting do I change. I dont see anything that

> says "relaxed security".

>

> "Vera Noest [MVP]" wrote:

>

>> OK, seems like the Terminal Services was installed with relaxed

>> security. It's a long time ago that I worked with W2K TS, so

>> I'm unsure about the details, but I believe that you can check

>> (and change?) this in Terminal Services Configuration - Server

>> settings.

>>

>> You'll have to further secure the server with NTFS permissions

>> on the file system. At the minimum, modify the NTFS permissions

>> as follows:

>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

>> %SystemRoot%\system32 :

>> System - Full Control

>> Administrators - Full Control

>> Authenticated Users - Read & Execute

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

>> wrote on 01 aug 2008 in

>> microsoft.public.windows.terminal_services:

>>

>> > Vera,

>> >

>> > My appoligies for adding to an older thread. I just thought

>> > since you were dicussing a similiar problem I would post my

>> > issue. I will keep in mind nex time.

>> >

>> > I am the administrator and I am trying to restrict all

>> > non-admin users from installing software on the server. This

>> > is on a Windows 2000 server. How can I check if I installed

>> > TS with full security. Apprently something is not setup

>> > right, because few days ago I discovered that new software

>> > were installed, some games and Mozilla Firebox. I checked

>> > with my admins and they didnt. So it had to have been a

>> > regular user. No other user has right like us admins. I even

>> > did a test. I logged in as a normal user whose password I

>> > knew and I was able to download and install Firefox and other

>> > software.

>> >

>> > The only thing I have done is disable the windows installer

>> > but seems like that only works for software that use windows

>> > installer to install itself. The article I read from

>> > Microsoft that talks about this GPO mentions this condition.

>> > What else can I do? What else can I check?

>> >

>> > Thanks.

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> Asif, you seem to append to an old thread which was about

>> >> the opposite of your problem. That's very confusing. Next

>> >> time, please start a new thread and clearly state your

>> >> problem.

>> >>

>> >> What exactly is it that you want to achieve? I'm assuming

>> >> that your are the Administrator of a TS, and that you want

>> >> to prohibit users to install software, is that correct? Or

>> >> do you want to disable this for all users, including

>> >> Administrators?

>> >>

>> >> If you just want to take away this possibility for normal

>> >> users, the answer is that they don't have the proper rights

>> >> any way, assuming that you run on Windows 2003 and have

>> >> installed Terminal Services with "Full Security". They can

>> >> install applications in their home folder, but can't add or

>> >> replace system files, dll's etc.

>> >>

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> *----------- Please reply in newsgroup -------------*

>> >>

>> >> =?Utf-8?B?QXNpZiBTaGFo?=

>> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008:

>> >>

>> >> > Vera,

>> >> >

>> >> > I have disabled the windows installer but that only

>> >> > applies to software installations that use windows

>> >> > installer to install itself. There are other installs that

>> >> > dont use windows install. e.g. installing Mozilla Firefox.

>> >> > I have the GPO you mentioned for the windows installer

>> >> > enabled but i can still install firefox........what else

>> >> > can i try?

>> >> >

>> >> > "Vera Noest [MVP]" wrote:

>> >> >

>> >> >> OK, thanks for the feedback, I'm glad that your problem

>> >> >> is solved! It's a bit puzzeling though that the problem

>> >> >> didn't disappear by configuring the GPO setting in the

>> >> >> domain-wide GPO applied to the TS, since those settings

>> >> >> override the local policy.

>> >> >>

>> >> >> _________________________________________________________

>> >> >> Vera Noest

>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> ___ please respond in newsgroup, NOT by private email ___

>> >> >>

>> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

>> >> >> 14 nov 2007 in

>> >> >> microsoft.public.windows.terminal_services:

>> >> >>

>> >> >> > Thanks for your help it was the local policy that was

>> >> >> > still turned on.

>> >> >> >

>> >> >> >

>> >> >> > "Vera Noest [MVP]" wrote:

>> >> >> >

>> >> >> >> Did you run Resultant Set of Policies, as I suggested

>> >> >> >> in my previous post? That would tell you exactly which

>> >> >> >> policy has the setting configured.

>> >> >> >> You can edit the local policy with gpedit.msc

>> >> >> >>

>> >> >> >> If you get this error message even when you are logged

>> >> >> >> in at the physical console of the server, then it

>> >> >> >> seems that Windows Installer is disabled completely,

>> >> >> >> not only for installations from within a TS session.

>> >> >> >> That setting can be found in Computer Configuration -

>> >> >> >> Administrative Templates - Windows Components -

>> >> >> >> Windows Installer "Disable Windows Installer"

>> >> >> >>

>> >> >> >> Other troubleshooting tools could be:

>> >> >> >>

>> >> >> >> 223300 - How to Enable Windows Installer Logging

>> >> >> >> http://support.microsoft.com/?kbid=223300

>> >> >> >>

>> >> >> >> 221833 - How to enable user environment debug logging

>> >> >> >> in retail builds of Windows

>> >> >> >> http://support.microsoft.com/?kbid=221833

>> >> >> >> _______________________________________________________

>> >> >> >> __ Vera Noest

>> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> >> ___ please respond in newsgroup, NOT by private email

>> >> >> >> ___

>> >> >> >>

>> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

>> >> >> >> on 14 nov 2007 in

>> >> >> >> microsoft.public.windows.terminal_services:

>> >> >> >>

>> >> >> >> > Well I have went through on the domain controller

>> >> >> >> > and removed the group policy for that server.

>> >> >> >> > Even when consoled and logged in as Administrator it

>> >> >> >> > still gives that error.

>> >> >> >> >

>> >> >> >> > Is there any chance a setting could have been set

>> >> >> >> > locally on that server. If so where does a person

>> >> >> >> > look to find out if it has been reset?

>> >> >> >> >

>> >> >> >> > thanks for your response

>> >> >> >> >

>> >> >> >> > "Vera Noest [MVP]" wrote:

>> >> >> >> >

>> >> >> >> >> Given the error message that you get, I'm still

>> >> >> >> >> convinced it's a GPO setting. Have you tried

>> >> >> >> >> resultant set of Policies?

>> >> >> >> >>

>> >> >> >> >> ____________________________________________________

>> >> >> >> >> ___ __ Vera Noest

>> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> >> >> ___ please respond in newsgroup, NOT by private

>> >> >> >> >> email ___

>> >> >> >> >>

>> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

>> >> >> >> >> wrote on 08 nov 2007 in

>> >> >> >> >> microsoft.public.windows.terminal_services:

>> >> >> >> >>

>> >> >> >> >> > Thanks for the reply

>> >> >> >> >> >

>> >> >> >> >> > I found an article on doing that and it still

>> >> >> >> >> > isn't working. I have even restarted the terminal

>> >> >> >> >> > server to try and fix the issue.

>> >> >> >> >> >

>> >> >> >> >> > Could there be a registry setting on the server

>> >> >> >> >> > itself that would prevent installations?

>> >> >> >> >> >

>> >> >> >> >> >

>> >> >> >> >> > "Vera Noest [MVP]" wrote:

>> >> >> >> >> >

>> >> >> >> >> >> Sounds like you want to enable this GPO setting:

>> >> >> >> >> >>

>> >> >> >> >> >> Computer Configuration - Administrative

>> >> >> >> >> >> Templates - Windows Components - Windows

>> >> >> >> >> >> Installer "Allow admin to install from Terminal

>> >> >> >> >> >> Services session"

>> >> >> >> >> >> _________________________________________________

>> >> >> >> >> >> ___ ___ __ Vera Noest

>> >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> >> >> >> ___ please respond in newsgroup, NOT by private

>> >> >> >> >> >> email ___

>> >> >> >> >> >>

>> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

>> >> >> >> >> >> wrote on 08 nov 2007 in

>> >> >> >> >> >> microsoft.public.windows.terminal_services:

>> >> >> >> >> >>

>> >> >> >> >> >> > I am having an issue installing programs

>> >> >> >> >> >> > consoled in and logged in as admininstrator.

>> >> >> >> >> >> > It keeps giving the message of "The system

>> >> >> >> >> >> > administrator has set policies to prevent this

>> >> >> >> >> >> > installation"

>> >> >> >> >> >> >

>> >> >> >> >> >> > I don't know of any policy set to prevent this

>> >> >> >> >> >> > from even happening for the administrator. I

>> >> >> >> >> >> > have went to the lengths of removing the group

>> >> >> >> >> >> > policy for the users and trying it again

>> >> >> >> >> >> > without any luck.

>> >> >> >> >> >> >

>> >> >> >> >> >> > Does anyone know how to reset everything on

>> >> >> >> >> >> > that server or any suggestions.

>> >> >> >> >> >> >

>> >> >> >> >> >> > Thanks,

>> >> >> >> >> >> > TM

Guest Asif Shah

Guest Asif Shah

Posted
Posted

Re: Administrator Consoled in Can not install software

 

I saw that settings. I had a feeling you were talking about that. Permissions

compatible with Windows 2000 Users is already selected.

 

"Vera Noest [MVP]" wrote:

> Well, as I wrote, I don't remember the details of a W2K TS. During

> installation, you are asked to choose the "Compatibility mode". Is

> there anyting in tscc which mentions that? If so, you chould choose

> "Permissions compatible with Windows 2000 Users".

>

> Anyone else maybe, who has access to a W2K TS?

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> wrote on 02 aug 2008 in

> microsoft.public.windows.terminal_services:

>

> > I am looking at the Terminal Services Configuration - Server

> > Settings, which setting do I change. I dont see anything that

> > says "relaxed security".

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> OK, seems like the Terminal Services was installed with relaxed

> >> security. It's a long time ago that I worked with W2K TS, so

> >> I'm unsure about the details, but I believe that you can check

> >> (and change?) this in Terminal Services Configuration - Server

> >> settings.

> >>

> >> You'll have to further secure the server with NTFS permissions

> >> on the file system. At the minimum, modify the NTFS permissions

> >> as follows:

> >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

> >> %SystemRoot%\system32 :

> >> System - Full Control

> >> Administrators - Full Control

> >> Authenticated Users - Read & Execute

> >>

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> >> wrote on 01 aug 2008 in

> >> microsoft.public.windows.terminal_services:

> >>

> >> > Vera,

> >> >

> >> > My appoligies for adding to an older thread. I just thought

> >> > since you were dicussing a similiar problem I would post my

> >> > issue. I will keep in mind nex time.

> >> >

> >> > I am the administrator and I am trying to restrict all

> >> > non-admin users from installing software on the server. This

> >> > is on a Windows 2000 server. How can I check if I installed

> >> > TS with full security. Apprently something is not setup

> >> > right, because few days ago I discovered that new software

> >> > were installed, some games and Mozilla Firebox. I checked

> >> > with my admins and they didnt. So it had to have been a

> >> > regular user. No other user has right like us admins. I even

> >> > did a test. I logged in as a normal user whose password I

> >> > knew and I was able to download and install Firefox and other

> >> > software.

> >> >

> >> > The only thing I have done is disable the windows installer

> >> > but seems like that only works for software that use windows

> >> > installer to install itself. The article I read from

> >> > Microsoft that talks about this GPO mentions this condition.

> >> > What else can I do? What else can I check?

> >> >

> >> > Thanks.

> >> >

> >> > "Vera Noest [MVP]" wrote:

> >> >

> >> >> Asif, you seem to append to an old thread which was about

> >> >> the opposite of your problem. That's very confusing. Next

> >> >> time, please start a new thread and clearly state your

> >> >> problem.

> >> >>

> >> >> What exactly is it that you want to achieve? I'm assuming

> >> >> that your are the Administrator of a TS, and that you want

> >> >> to prohibit users to install software, is that correct? Or

> >> >> do you want to disable this for all users, including

> >> >> Administrators?

> >> >>

> >> >> If you just want to take away this possibility for normal

> >> >> users, the answer is that they don't have the proper rights

> >> >> any way, assuming that you run on Windows 2003 and have

> >> >> installed Terminal Services with "Full Security". They can

> >> >> install applications in their home folder, but can't add or

> >> >> replace system files, dll's etc.

> >> >>

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> *----------- Please reply in newsgroup -------------*

> >> >>

> >> >> =?Utf-8?B?QXNpZiBTaGFo?=

> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008:

> >> >>

> >> >> > Vera,

> >> >> >

> >> >> > I have disabled the windows installer but that only

> >> >> > applies to software installations that use windows

> >> >> > installer to install itself. There are other installs that

> >> >> > dont use windows install. e.g. installing Mozilla Firefox.

> >> >> > I have the GPO you mentioned for the windows installer

> >> >> > enabled but i can still install firefox........what else

> >> >> > can i try?

> >> >> >

> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >

> >> >> >> OK, thanks for the feedback, I'm glad that your problem

> >> >> >> is solved! It's a bit puzzeling though that the problem

> >> >> >> didn't disappear by configuring the GPO setting in the

> >> >> >> domain-wide GPO applied to the TS, since those settings

> >> >> >> override the local policy.

> >> >> >>

> >> >> >> _________________________________________________________

> >> >> >> Vera Noest

> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >> >>

> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

> >> >> >> 14 nov 2007 in

> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >>

> >> >> >> > Thanks for your help it was the local policy that was

> >> >> >> > still turned on.

> >> >> >> >

> >> >> >> >

> >> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >> >

> >> >> >> >> Did you run Resultant Set of Policies, as I suggested

> >> >> >> >> in my previous post? That would tell you exactly which

> >> >> >> >> policy has the setting configured.

> >> >> >> >> You can edit the local policy with gpedit.msc

> >> >> >> >>

> >> >> >> >> If you get this error message even when you are logged

> >> >> >> >> in at the physical console of the server, then it

> >> >> >> >> seems that Windows Installer is disabled completely,

> >> >> >> >> not only for installations from within a TS session.

> >> >> >> >> That setting can be found in Computer Configuration -

> >> >> >> >> Administrative Templates - Windows Components -

> >> >> >> >> Windows Installer "Disable Windows Installer"

> >> >> >> >>

> >> >> >> >> Other troubleshooting tools could be:

> >> >> >> >>

> >> >> >> >> 223300 - How to Enable Windows Installer Logging

> >> >> >> >> http://support.microsoft.com/?kbid=223300

> >> >> >> >>

> >> >> >> >> 221833 - How to enable user environment debug logging

> >> >> >> >> in retail builds of Windows

> >> >> >> >> http://support.microsoft.com/?kbid=221833

> >> >> >> >> _______________________________________________________

> >> >> >> >> __ Vera Noest

> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> >> ___ please respond in newsgroup, NOT by private email

> >> >> >> >> ___

> >> >> >> >>

> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

> >> >> >> >> on 14 nov 2007 in

> >> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >> >>

> >> >> >> >> > Well I have went through on the domain controller

> >> >> >> >> > and removed the group policy for that server.

> >> >> >> >> > Even when consoled and logged in as Administrator it

> >> >> >> >> > still gives that error.

> >> >> >> >> >

> >> >> >> >> > Is there any chance a setting could have been set

> >> >> >> >> > locally on that server. If so where does a person

> >> >> >> >> > look to find out if it has been reset?

> >> >> >> >> >

> >> >> >> >> > thanks for your response

> >> >> >> >> >

> >> >> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >> >> >

> >> >> >> >> >> Given the error message that you get, I'm still

> >> >> >> >> >> convinced it's a GPO setting. Have you tried

> >> >> >> >> >> resultant set of Policies?

> >> >> >> >> >>

> >> >> >> >> >> ____________________________________________________

> >> >> >> >> >> ___ __ Vera Noest

> >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> >> >> ___ please respond in newsgroup, NOT by private

> >> >> >> >> >> email ___

> >> >> >> >> >>

> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

> >> >> >> >> >> wrote on 08 nov 2007 in

> >> >> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >> >> >>

> >> >> >> >> >> > Thanks for the reply

> >> >> >> >> >> >

> >> >> >> >> >> > I found an article on doing that and it still

> >> >> >> >> >> > isn't working. I have even restarted the terminal

> >> >> >> >> >> > server to try and fix the issue.

> >> >> >> >> >> >

> >> >> >> >> >> > Could there be a registry setting on the server

> >> >> >> >> >> > itself that would prevent installations?

> >> >> >> >> >> >

> >> >> >> >> >> >

> >> >> >> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >> >> >> >

> >> >> >> >> >> >> Sounds like you want to enable this GPO setting:

> >> >> >> >> >> >>

> >> >> >> >> >> >> Computer Configuration - Administrative

> >> >> >> >> >> >> Templates - Windows Components - Windows

> >> >> >> >> >> >> Installer "Allow admin to install from Terminal

> >> >> >> >> >> >> Services session"

> >> >> >> >> >> >> _________________________________________________

> >> >> >> >> >> >> ___ ___ __ Vera Noest

> >> >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> >> >> >> ___ please respond in newsgroup, NOT by private

> >> >> >> >> >> >> email ___

> >> >> >> >> >> >>

> >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

> >> >> >> >> >> >> wrote on 08 nov 2007 in

> >> >> >> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >> >> >> >>

> >> >> >> >> >> >> > I am having an issue installing programs

> >> >> >> >> >> >> > consoled in and logged in as admininstrator.

> >> >> >> >> >> >> > It keeps giving the message of "The system

> >> >> >> >> >> >> > administrator has set policies to prevent this

> >> >> >> >> >> >> > installation"

> >> >> >> >> >> >> >

> >> >> >> >> >> >> > I don't know of any policy set to prevent this

> >> >> >> >> >> >> > from even happening for the administrator. I

> >> >> >> >> >> >> > have went to the lengths of removing the group

> >> >> >> >> >> >> > policy for the users and trying it again

> >> >> >> >> >> >> > without any luck.

> >> >> >> >> >> >> >

> >> >> >> >> >> >> > Does anyone know how to reset everything on

> >> >> >> >> >> >> > that server or any suggestions.

> >> >> >> >> >> >> >

> >> >> >> >> >> >> > Thanks,

> >> >> >> >> >> >> > TM

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Then the next step is to make sure that your users are normal

users, not Administrators or Power Users, and apply the NTFS

permissions which I mentioned. Those will see to it that they

cannot install anything which includes dlls or other files which

must reside in the windows folder.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

wrote on 03 aug 2008 in

microsoft.public.windows.terminal_services:

> I saw that settings. I had a feeling you were talking about

> that. Permissions compatible with Windows 2000 Users is already

> selected.

>

> "Vera Noest [MVP]" wrote:

>

>> Well, as I wrote, I don't remember the details of a W2K TS.

>> During installation, you are asked to choose the "Compatibility

>> mode". Is there anyting in tscc which mentions that? If so, you

>> chould choose "Permissions compatible with Windows 2000 Users".

>>

>> Anyone else maybe, who has access to a W2K TS?

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

>> wrote on 02 aug 2008 in

>> microsoft.public.windows.terminal_services:

>>

>> > I am looking at the Terminal Services Configuration - Server

>> > Settings, which setting do I change. I dont see anything that

>> > says "relaxed security".

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> OK, seems like the Terminal Services was installed with

>> >> relaxed security. It's a long time ago that I worked with

>> >> W2K TS, so I'm unsure about the details, but I believe that

>> >> you can check (and change?) this in Terminal Services

>> >> Configuration - Server settings.

>> >>

>> >> You'll have to further secure the server with NTFS

>> >> permissions on the file system. At the minimum, modify the

>> >> NTFS permissions as follows:

>> >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

>> >> %SystemRoot%\system32 :

>> >> System - Full Control

>> >> Administrators - Full Control

>> >> Authenticated Users - Read & Execute

>> >>

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?QXNpZiBTaGFo?=

>> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008 in

>> >> microsoft.public.windows.terminal_services:

>> >>

>> >> > Vera,

>> >> >

>> >> > My appoligies for adding to an older thread. I just

>> >> > thought since you were dicussing a similiar problem I

>> >> > would post my issue. I will keep in mind nex time.

>> >> >

>> >> > I am the administrator and I am trying to restrict all

>> >> > non-admin users from installing software on the server.

>> >> > This is on a Windows 2000 server. How can I check if I

>> >> > installed TS with full security. Apprently something is

>> >> > not setup right, because few days ago I discovered that

>> >> > new software were installed, some games and Mozilla

>> >> > Firebox. I checked with my admins and they didnt. So it

>> >> > had to have been a regular user. No other user has right

>> >> > like us admins. I even did a test. I logged in as a normal

>> >> > user whose password I knew and I was able to download and

>> >> > install Firefox and other software.

>> >> >

>> >> > The only thing I have done is disable the windows

>> >> > installer but seems like that only works for software that

>> >> > use windows installer to install itself. The article I

>> >> > read from Microsoft that talks about this GPO mentions

>> >> > this condition. What else can I do? What else can I check?

>> >> >

>> >> > Thanks.

>> >> >

>> >> > "Vera Noest [MVP]" wrote:

>> >> >

>> >> >> Asif, you seem to append to an old thread which was about

>> >> >> the opposite of your problem. That's very confusing. Next

>> >> >> time, please start a new thread and clearly state your

>> >> >> problem.

>> >> >>

>> >> >> What exactly is it that you want to achieve? I'm assuming

>> >> >> that your are the Administrator of a TS, and that you

>> >> >> want to prohibit users to install software, is that

>> >> >> correct? Or do you want to disable this for all users,

>> >> >> including Administrators?

>> >> >>

>> >> >> If you just want to take away this possibility for normal

>> >> >> users, the answer is that they don't have the proper

>> >> >> rights any way, assuming that you run on Windows 2003 and

>> >> >> have installed Terminal Services with "Full Security".

>> >> >> They can install applications in their home folder, but

>> >> >> can't add or replace system files, dll's etc.

>> >> >>

>> >> >> _________________________________________________________

>> >> >> Vera Noest

>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> *----------- Please reply in newsgroup -------------*

>> >> >>

>> >> >> =?Utf-8?B?QXNpZiBTaGFo?=

>> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug

>> >> >> 2008:

>> >> >>

>> >> >> > Vera,

>> >> >> >

>> >> >> > I have disabled the windows installer but that only

>> >> >> > applies to software installations that use windows

>> >> >> > installer to install itself. There are other installs

>> >> >> > that dont use windows install. e.g. installing Mozilla

>> >> >> > Firefox. I have the GPO you mentioned for the windows

>> >> >> > installer enabled but i can still install

>> >> >> > firefox........what else can i try?

Guest Asif Shah

Guest Asif Shah

Posted
Posted

Re: Administrator Consoled in Can not install software

 

You mean the permissions on C drive, WINNT folder, Program Files, and

WINNT/system32 folders?

 

"Vera Noest [MVP]" wrote:

> Then the next step is to make sure that your users are normal

> users, not Administrators or Power Users, and apply the NTFS

> permissions which I mentioned. Those will see to it that they

> cannot install anything which includes dlls or other files which

> must reside in the windows folder.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> wrote on 03 aug 2008 in

> microsoft.public.windows.terminal_services:

>

> > I saw that settings. I had a feeling you were talking about

> > that. Permissions compatible with Windows 2000 Users is already

> > selected.

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> Well, as I wrote, I don't remember the details of a W2K TS.

> >> During installation, you are asked to choose the "Compatibility

> >> mode". Is there anyting in tscc which mentions that? If so, you

> >> chould choose "Permissions compatible with Windows 2000 Users".

> >>

> >> Anyone else maybe, who has access to a W2K TS?

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> >> wrote on 02 aug 2008 in

> >> microsoft.public.windows.terminal_services:

> >>

> >> > I am looking at the Terminal Services Configuration - Server

> >> > Settings, which setting do I change. I dont see anything that

> >> > says "relaxed security".

> >> >

> >> > "Vera Noest [MVP]" wrote:

> >> >

> >> >> OK, seems like the Terminal Services was installed with

> >> >> relaxed security. It's a long time ago that I worked with

> >> >> W2K TS, so I'm unsure about the details, but I believe that

> >> >> you can check (and change?) this in Terminal Services

> >> >> Configuration - Server settings.

> >> >>

> >> >> You'll have to further secure the server with NTFS

> >> >> permissions on the file system. At the minimum, modify the

> >> >> NTFS permissions as follows:

> >> >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

> >> >> %SystemRoot%\system32 :

> >> >> System - Full Control

> >> >> Administrators - Full Control

> >> >> Authenticated Users - Read & Execute

> >> >>

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >>

> >> >> =?Utf-8?B?QXNpZiBTaGFo?=

> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008 in

> >> >> microsoft.public.windows.terminal_services:

> >> >>

> >> >> > Vera,

> >> >> >

> >> >> > My appoligies for adding to an older thread. I just

> >> >> > thought since you were dicussing a similiar problem I

> >> >> > would post my issue. I will keep in mind nex time.

> >> >> >

> >> >> > I am the administrator and I am trying to restrict all

> >> >> > non-admin users from installing software on the server.

> >> >> > This is on a Windows 2000 server. How can I check if I

> >> >> > installed TS with full security. Apprently something is

> >> >> > not setup right, because few days ago I discovered that

> >> >> > new software were installed, some games and Mozilla

> >> >> > Firebox. I checked with my admins and they didnt. So it

> >> >> > had to have been a regular user. No other user has right

> >> >> > like us admins. I even did a test. I logged in as a normal

> >> >> > user whose password I knew and I was able to download and

> >> >> > install Firefox and other software.

> >> >> >

> >> >> > The only thing I have done is disable the windows

> >> >> > installer but seems like that only works for software that

> >> >> > use windows installer to install itself. The article I

> >> >> > read from Microsoft that talks about this GPO mentions

> >> >> > this condition. What else can I do? What else can I check?

> >> >> >

> >> >> > Thanks.

> >> >> >

> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >

> >> >> >> Asif, you seem to append to an old thread which was about

> >> >> >> the opposite of your problem. That's very confusing. Next

> >> >> >> time, please start a new thread and clearly state your

> >> >> >> problem.

> >> >> >>

> >> >> >> What exactly is it that you want to achieve? I'm assuming

> >> >> >> that your are the Administrator of a TS, and that you

> >> >> >> want to prohibit users to install software, is that

> >> >> >> correct? Or do you want to disable this for all users,

> >> >> >> including Administrators?

> >> >> >>

> >> >> >> If you just want to take away this possibility for normal

> >> >> >> users, the answer is that they don't have the proper

> >> >> >> rights any way, assuming that you run on Windows 2003 and

> >> >> >> have installed Terminal Services with "Full Security".

> >> >> >> They can install applications in their home folder, but

> >> >> >> can't add or replace system files, dll's etc.

> >> >> >>

> >> >> >> _________________________________________________________

> >> >> >> Vera Noest

> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> *----------- Please reply in newsgroup -------------*

> >> >> >>

> >> >> >> =?Utf-8?B?QXNpZiBTaGFo?=

> >> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug

> >> >> >> 2008:

> >> >> >>

> >> >> >> > Vera,

> >> >> >> >

> >> >> >> > I have disabled the windows installer but that only

> >> >> >> > applies to software installations that use windows

> >> >> >> > installer to install itself. There are other installs

> >> >> >> > that dont use windows install. e.g. installing Mozilla

> >> >> >> > Firefox. I have the GPO you mentioned for the windows

> >> >> >> > installer enabled but i can still install

> >> >> >> > firefox........what else can i try?

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Yes.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

wrote on 03 aug 2008 in

microsoft.public.windows.terminal_services:

> You mean the permissions on C drive, WINNT folder, Program

> Files, and WINNT/system32 folders?

>

> "Vera Noest [MVP]" wrote:

>

>> Then the next step is to make sure that your users are normal

>> users, not Administrators or Power Users, and apply the NTFS

>> permissions which I mentioned. Those will see to it that they

>> cannot install anything which includes dlls or other files

>> which must reside in the windows folder.

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

>> wrote on 03 aug 2008 in

>> microsoft.public.windows.terminal_services:

>>

>> > I saw that settings. I had a feeling you were talking about

>> > that. Permissions compatible with Windows 2000 Users is

>> > already selected.

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> Well, as I wrote, I don't remember the details of a W2K TS.

>> >> During installation, you are asked to choose the

>> >> "Compatibility mode". Is there anyting in tscc which

>> >> mentions that? If so, you chould choose "Permissions

>> >> compatible with Windows 2000 Users".

>> >>

>> >> Anyone else maybe, who has access to a W2K TS?

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?QXNpZiBTaGFo?=

>> >> <AsifShah@discussions.microsoft.com> wrote on 02 aug 2008 in

>> >> microsoft.public.windows.terminal_services:

>> >>

>> >> > I am looking at the Terminal Services Configuration -

>> >> > Server Settings, which setting do I change. I dont see

>> >> > anything that says "relaxed security".

>> >> >

>> >> > "Vera Noest [MVP]" wrote:

>> >> >

>> >> >> OK, seems like the Terminal Services was installed with

>> >> >> relaxed security. It's a long time ago that I worked with

>> >> >> W2K TS, so I'm unsure about the details, but I believe

>> >> >> that you can check (and change?) this in Terminal

>> >> >> Services Configuration - Server settings.

>> >> >>

>> >> >> You'll have to further secure the server with NTFS

>> >> >> permissions on the file system. At the minimum, modify

>> >> >> the NTFS permissions as follows:

>> >> >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

>> >> >> %SystemRoot%\system32 :

>> >> >> System - Full Control

>> >> >> Administrators - Full Control

>> >> >> Authenticated Users - Read & Execute

>> >> >>

>> >> >> _________________________________________________________

>> >> >> Vera Noest

>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> ___ please respond in newsgroup, NOT by private email ___

>> >> >>

>> >> >> =?Utf-8?B?QXNpZiBTaGFo?=

>> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008

>> >> >> in microsoft.public.windows.terminal_services:

>> >> >>

>> >> >> > Vera,

>> >> >> >

>> >> >> > My appoligies for adding to an older thread. I just

>> >> >> > thought since you were dicussing a similiar problem I

>> >> >> > would post my issue. I will keep in mind nex time.

>> >> >> >

>> >> >> > I am the administrator and I am trying to restrict all

>> >> >> > non-admin users from installing software on the server.

>> >> >> > This is on a Windows 2000 server. How can I check if I

>> >> >> > installed TS with full security. Apprently something is

>> >> >> > not setup right, because few days ago I discovered that

>> >> >> > new software were installed, some games and Mozilla

>> >> >> > Firebox. I checked with my admins and they didnt. So it

>> >> >> > had to have been a regular user. No other user has

>> >> >> > right like us admins. I even did a test. I logged in as

>> >> >> > a normal user whose password I knew and I was able to

>> >> >> > download and install Firefox and other software.

>> >> >> >

>> >> >> > The only thing I have done is disable the windows

>> >> >> > installer but seems like that only works for software

>> >> >> > that use windows installer to install itself. The

>> >> >> > article I read from Microsoft that talks about this GPO

>> >> >> > mentions this condition. What else can I do? What else

>> >> >> > can I check?

>> >> >> >

>> >> >> > Thanks.

>> >> >> >

>> >> >> > "Vera Noest [MVP]" wrote:

>> >> >> >

>> >> >> >> Asif, you seem to append to an old thread which was

>> >> >> >> about the opposite of your problem. That's very

>> >> >> >> confusing. Next time, please start a new thread and

>> >> >> >> clearly state your problem.

>> >> >> >>

>> >> >> >> What exactly is it that you want to achieve? I'm

>> >> >> >> assuming that your are the Administrator of a TS, and

>> >> >> >> that you want to prohibit users to install software,

>> >> >> >> is that correct? Or do you want to disable this for

>> >> >> >> all users, including Administrators?

>> >> >> >>

>> >> >> >> If you just want to take away this possibility for

>> >> >> >> normal users, the answer is that they don't have the

>> >> >> >> proper rights any way, assuming that you run on

>> >> >> >> Windows 2003 and have installed Terminal Services with

>> >> >> >> "Full Security". They can install applications in

>> >> >> >> their home folder, but can't add or replace system

>> >> >> >> files, dll's etc.

>> >> >> >>

>> >> >> >> _______________________________________________________

>> >> >> >> __ Vera Noest

>> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> >> *----------- Please reply in newsgroup -------------*

>> >> >> >>

>> >> >> >> =?Utf-8?B?QXNpZiBTaGFo?=

>> >> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug

>> >> >> >> 2008:

>> >> >> >>

>> >> >> >> > Vera,

>> >> >> >> >

>> >> >> >> > I have disabled the windows installer but that only

>> >> >> >> > applies to software installations that use windows

>> >> >> >> > installer to install itself. There are other

>> >> >> >> > installs that dont use windows install. e.g.

>> >> >> >> > installing Mozilla Firefox. I have the GPO you

>> >> >> >> > mentioned for the windows installer enabled but i

>> >> >> >> > can still install firefox........what else can i

>> >> >> >> > try?

Guest Hank Arnold (MVP)

Guest Hank Arnold (MVP)

Posted
Posted

Re: Administrator Consoled in Can not install software

 

I'm a little confused... We control the installation of software by GPO.

No one except someone in the Administrators group can install software

on *ANY* computer (server, workstation, laptop, etc.)....period. In

addition, we have a firewall (part of the Sophos End Point Security)

that will not allow *any* program to run that has not been added to the

firewall security.

 

We still have W2K servers with TS installed. I've never seen this

problem. I'm forwarding this to my work id and I'll see what I can find.

 

To be honest, I can't guarantee I'll get to it today (Monday). This is

typically my busiest day with several weekly reports due in the AM, I

have to deal with all the problems the nurses have had over the weekend

with their laptops and remote access as well as some major issues that

just came up due to a vendor telling us that we need to spend a

significant amount of $$ that is not in the budget. You haven't lived

until you work for a non-profit and try to get IT money that isn't in

the budget... :-(

 

--

 

Regards,

Hank Arnold

Microsoft MVP

Windows Server - Directory Services

 

Vera Noest [MVP] wrote:

> Well, as I wrote, I don't remember the details of a W2K TS. During

> installation, you are asked to choose the "Compatibility mode". Is

> there anyting in tscc which mentions that? If so, you chould choose

> "Permissions compatible with Windows 2000 Users".

>

> Anyone else maybe, who has access to a W2K TS?

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> wrote on 02 aug 2008 in

> microsoft.public.windows.terminal_services:

>

>> I am looking at the Terminal Services Configuration - Server

>> Settings, which setting do I change. I dont see anything that

>> says "relaxed security".

>>

>> "Vera Noest [MVP]" wrote:

>>

>>> OK, seems like the Terminal Services was installed with relaxed

>>> security. It's a long time ago that I worked with W2K TS, so

>>> I'm unsure about the details, but I believe that you can check

>>> (and change?) this in Terminal Services Configuration - Server

>>> settings.

>>>

>>> You'll have to further secure the server with NTFS permissions

>>> on the file system. At the minimum, modify the NTFS permissions

>>> as follows:

>>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

>>> %SystemRoot%\system32 :

>>> System - Full Control

>>> Administrators - Full Control

>>> Authenticated Users - Read & Execute

>>>

>>> _________________________________________________________

>>> Vera Noest

>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>> TS troubleshooting: http://ts.veranoest.net

>>> ___ please respond in newsgroup, NOT by private email ___

>>>

>>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

>>> wrote on 01 aug 2008 in

>>> microsoft.public.windows.terminal_services:

>>>

>>>> Vera,

>>>>

>>>> My appoligies for adding to an older thread. I just thought

>>>> since you were dicussing a similiar problem I would post my

>>>> issue. I will keep in mind nex time.

>>>>

>>>> I am the administrator and I am trying to restrict all

>>>> non-admin users from installing software on the server. This

>>>> is on a Windows 2000 server. How can I check if I installed

>>>> TS with full security. Apprently something is not setup

>>>> right, because few days ago I discovered that new software

>>>> were installed, some games and Mozilla Firebox. I checked

>>>> with my admins and they didnt. So it had to have been a

>>>> regular user. No other user has right like us admins. I even

>>>> did a test. I logged in as a normal user whose password I

>>>> knew and I was able to download and install Firefox and other

>>>> software.

>>>>

>>>> The only thing I have done is disable the windows installer

>>>> but seems like that only works for software that use windows

>>>> installer to install itself. The article I read from

>>>> Microsoft that talks about this GPO mentions this condition.

>>>> What else can I do? What else can I check?

>>>>

>>>> Thanks.

>>>>

>>>> "Vera Noest [MVP]" wrote:

>>>>

>>>>> Asif, you seem to append to an old thread which was about

>>>>> the opposite of your problem. That's very confusing. Next

>>>>> time, please start a new thread and clearly state your

>>>>> problem.

>>>>>

>>>>> What exactly is it that you want to achieve? I'm assuming

>>>>> that your are the Administrator of a TS, and that you want

>>>>> to prohibit users to install software, is that correct? Or

>>>>> do you want to disable this for all users, including

>>>>> Administrators?

>>>>>

>>>>> If you just want to take away this possibility for normal

>>>>> users, the answer is that they don't have the proper rights

>>>>> any way, assuming that you run on Windows 2003 and have

>>>>> installed Terminal Services with "Full Security". They can

>>>>> install applications in their home folder, but can't add or

>>>>> replace system files, dll's etc.

>>>>>

>>>>> _________________________________________________________

>>>>> Vera Noest

>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>> *----------- Please reply in newsgroup -------------*

>>>>>

>>>>> =?Utf-8?B?QXNpZiBTaGFo?=

>>>>> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008:

>>>>>

>>>>>> Vera,

>>>>>>

>>>>>> I have disabled the windows installer but that only

>>>>>> applies to software installations that use windows

>>>>>> installer to install itself. There are other installs that

>>>>>> dont use windows install. e.g. installing Mozilla Firefox.

>>>>>> I have the GPO you mentioned for the windows installer

>>>>>> enabled but i can still install firefox........what else

>>>>>> can i try?

>>>>>>

>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>

>>>>>>> OK, thanks for the feedback, I'm glad that your problem

>>>>>>> is solved! It's a bit puzzeling though that the problem

>>>>>>> didn't disappear by configuring the GPO setting in the

>>>>>>> domain-wide GPO applied to the TS, since those settings

>>>>>>> override the local policy.

>>>>>>>

>>>>>>> _________________________________________________________

>>>>>>> Vera Noest

>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>>>>

>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

>>>>>>> 14 nov 2007 in

>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>

>>>>>>>> Thanks for your help it was the local policy that was

>>>>>>>> still turned on.

>>>>>>>>

>>>>>>>>

>>>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>>>

>>>>>>>>> Did you run Resultant Set of Policies, as I suggested

>>>>>>>>> in my previous post? That would tell you exactly which

>>>>>>>>> policy has the setting configured.

>>>>>>>>> You can edit the local policy with gpedit.msc

>>>>>>>>>

>>>>>>>>> If you get this error message even when you are logged

>>>>>>>>> in at the physical console of the server, then it

>>>>>>>>> seems that Windows Installer is disabled completely,

>>>>>>>>> not only for installations from within a TS session.

>>>>>>>>> That setting can be found in Computer Configuration -

>>>>>>>>> Administrative Templates - Windows Components -

>>>>>>>>> Windows Installer "Disable Windows Installer"

>>>>>>>>>

>>>>>>>>> Other troubleshooting tools could be:

>>>>>>>>>

>>>>>>>>> 223300 - How to Enable Windows Installer Logging

>>>>>>>>> http://support.microsoft.com/?kbid=223300

>>>>>>>>>

>>>>>>>>> 221833 - How to enable user environment debug logging

>>>>>>>>> in retail builds of Windows

>>>>>>>>> http://support.microsoft.com/?kbid=221833

>>>>>>>>> _______________________________________________________

>>>>>>>>> __ Vera Noest

>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>>>> ___ please respond in newsgroup, NOT by private email

>>>>>>>>> ___

>>>>>>>>>

>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

>>>>>>>>> on 14 nov 2007 in

>>>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>>>

>>>>>>>>>> Well I have went through on the domain controller

>>>>>>>>>> and removed the group policy for that server.

>>>>>>>>>> Even when consoled and logged in as Administrator it

>>>>>>>>>> still gives that error.

>>>>>>>>>>

>>>>>>>>>> Is there any chance a setting could have been set

>>>>>>>>>> locally on that server. If so where does a person

>>>>>>>>>> look to find out if it has been reset?

>>>>>>>>>>

>>>>>>>>>> thanks for your response

>>>>>>>>>>

>>>>>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>>>>>

>>>>>>>>>>> Given the error message that you get, I'm still

>>>>>>>>>>> convinced it's a GPO setting. Have you tried

>>>>>>>>>>> resultant set of Policies?

>>>>>>>>>>>

>>>>>>>>>>> ____________________________________________________

>>>>>>>>>>> ___ __ Vera Noest

>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>>>>>> ___ please respond in newsgroup, NOT by private

>>>>>>>>>>> email ___

>>>>>>>>>>>

>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

>>>>>>>>>>> wrote on 08 nov 2007 in

>>>>>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>>>>>

>>>>>>>>>>>> Thanks for the reply

>>>>>>>>>>>>

>>>>>>>>>>>> I found an article on doing that and it still

>>>>>>>>>>>> isn't working. I have even restarted the terminal

>>>>>>>>>>>> server to try and fix the issue.

>>>>>>>>>>>>

>>>>>>>>>>>> Could there be a registry setting on the server

>>>>>>>>>>>> itself that would prevent installations?

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>>>>>>>

>>>>>>>>>>>>> Sounds like you want to enable this GPO setting:

>>>>>>>>>>>>>

>>>>>>>>>>>>> Computer Configuration - Administrative

>>>>>>>>>>>>> Templates - Windows Components - Windows

>>>>>>>>>>>>> Installer "Allow admin to install from Terminal

>>>>>>>>>>>>> Services session"

>>>>>>>>>>>>> _________________________________________________

>>>>>>>>>>>>> ___ ___ __ Vera Noest

>>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private

>>>>>>>>>>>>> email ___

>>>>>>>>>>>>>

>>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

>>>>>>>>>>>>> wrote on 08 nov 2007 in

>>>>>>>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>>>>>>>

>>>>>>>>>>>>>> I am having an issue installing programs

>>>>>>>>>>>>>> consoled in and logged in as admininstrator.

>>>>>>>>>>>>>> It keeps giving the message of "The system

>>>>>>>>>>>>>> administrator has set policies to prevent this

>>>>>>>>>>>>>> installation"

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> I don't know of any policy set to prevent this

>>>>>>>>>>>>>> from even happening for the administrator. I

>>>>>>>>>>>>>> have went to the lengths of removing the group

>>>>>>>>>>>>>> policy for the users and trying it again

>>>>>>>>>>>>>> without any luck.

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> Does anyone know how to reset everything on

>>>>>>>>>>>>>> that server or any suggestions.

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> Thanks,

>>>>>>>>>>>>>> TM

Guest Hank Arnold (MVP)

Guest Hank Arnold (MVP)

Posted
Posted

Re: Administrator Consoled in Can not install software

 

I'll ask again... Why isn't the OP using the GPO to control this?

 

--

 

Regards,

Hank Arnold

Microsoft MVP

Windows Server - Directory Services

 

Vera Noest [MVP] wrote:

> Then the next step is to make sure that your users are normal

> users, not Administrators or Power Users, and apply the NTFS

> permissions which I mentioned. Those will see to it that they

> cannot install anything which includes dlls or other files which

> must reside in the windows folder.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> wrote on 03 aug 2008 in

> microsoft.public.windows.terminal_services:

>

>> I saw that settings. I had a feeling you were talking about

>> that. Permissions compatible with Windows 2000 Users is already

>> selected.

>>

>> "Vera Noest [MVP]" wrote:

>>

>>> Well, as I wrote, I don't remember the details of a W2K TS.

>>> During installation, you are asked to choose the "Compatibility

>>> mode". Is there anyting in tscc which mentions that? If so, you

>>> chould choose "Permissions compatible with Windows 2000 Users".

>>>

>>> Anyone else maybe, who has access to a W2K TS?

Guest Asif Shah

Guest Asif Shah

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Thanks for the insight Hank.

 

What GPO settings are talking about in particular? As Vera suggested I have

the "Permissions compatible with Windows 2000 Users" in TSC already selected.

I also have the windows installer GPO setting disabled. What other GPO can I

touch. I will be changing the NTFS permissions today like Vera suggested.

 

Thanks.

 

"Hank Arnold (MVP)" wrote:

> I'm a little confused... We control the installation of software by GPO.

> No one except someone in the Administrators group can install software

> on *ANY* computer (server, workstation, laptop, etc.)....period. In

> addition, we have a firewall (part of the Sophos End Point Security)

> that will not allow *any* program to run that has not been added to the

> firewall security.

>

> We still have W2K servers with TS installed. I've never seen this

> problem. I'm forwarding this to my work id and I'll see what I can find.

>

> To be honest, I can't guarantee I'll get to it today (Monday). This is

> typically my busiest day with several weekly reports due in the AM, I

> have to deal with all the problems the nurses have had over the weekend

> with their laptops and remote access as well as some major issues that

> just came up due to a vendor telling us that we need to spend a

> significant amount of $$ that is not in the budget. You haven't lived

> until you work for a non-profit and try to get IT money that isn't in

> the budget... :-(

>

> --

>

> Regards,

> Hank Arnold

> Microsoft MVP

> Windows Server - Directory Services

>

> Vera Noest [MVP] wrote:

> > Well, as I wrote, I don't remember the details of a W2K TS. During

> > installation, you are asked to choose the "Compatibility mode". Is

> > there anyting in tscc which mentions that? If so, you chould choose

> > "Permissions compatible with Windows 2000 Users".

> >

> > Anyone else maybe, who has access to a W2K TS?

> > _________________________________________________________

> > Vera Noest

> > MCSE, CCEA, Microsoft MVP - Terminal Server

> > TS troubleshooting: http://ts.veranoest.net

> > ___ please respond in newsgroup, NOT by private email ___

> >

> > =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> > wrote on 02 aug 2008 in

> > microsoft.public.windows.terminal_services:

> >

> >> I am looking at the Terminal Services Configuration - Server

> >> Settings, which setting do I change. I dont see anything that

> >> says "relaxed security".

> >>

> >> "Vera Noest [MVP]" wrote:

> >>

> >>> OK, seems like the Terminal Services was installed with relaxed

> >>> security. It's a long time ago that I worked with W2K TS, so

> >>> I'm unsure about the details, but I believe that you can check

> >>> (and change?) this in Terminal Services Configuration - Server

> >>> settings.

> >>>

> >>> You'll have to further secure the server with NTFS permissions

> >>> on the file system. At the minimum, modify the NTFS permissions

> >>> as follows:

> >>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

> >>> %SystemRoot%\system32 :

> >>> System - Full Control

> >>> Administrators - Full Control

> >>> Authenticated Users - Read & Execute

> >>>

> >>> _________________________________________________________

> >>> Vera Noest

> >>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>> TS troubleshooting: http://ts.veranoest.net

> >>> ___ please respond in newsgroup, NOT by private email ___

> >>>

> >>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> >>> wrote on 01 aug 2008 in

> >>> microsoft.public.windows.terminal_services:

> >>>

> >>>> Vera,

> >>>>

> >>>> My appoligies for adding to an older thread. I just thought

> >>>> since you were dicussing a similiar problem I would post my

> >>>> issue. I will keep in mind nex time.

> >>>>

> >>>> I am the administrator and I am trying to restrict all

> >>>> non-admin users from installing software on the server. This

> >>>> is on a Windows 2000 server. How can I check if I installed

> >>>> TS with full security. Apprently something is not setup

> >>>> right, because few days ago I discovered that new software

> >>>> were installed, some games and Mozilla Firebox. I checked

> >>>> with my admins and they didnt. So it had to have been a

> >>>> regular user. No other user has right like us admins. I even

> >>>> did a test. I logged in as a normal user whose password I

> >>>> knew and I was able to download and install Firefox and other

> >>>> software.

> >>>>

> >>>> The only thing I have done is disable the windows installer

> >>>> but seems like that only works for software that use windows

> >>>> installer to install itself. The article I read from

> >>>> Microsoft that talks about this GPO mentions this condition.

> >>>> What else can I do? What else can I check?

> >>>>

> >>>> Thanks.

> >>>>

> >>>> "Vera Noest [MVP]" wrote:

> >>>>

> >>>>> Asif, you seem to append to an old thread which was about

> >>>>> the opposite of your problem. That's very confusing. Next

> >>>>> time, please start a new thread and clearly state your

> >>>>> problem.

> >>>>>

> >>>>> What exactly is it that you want to achieve? I'm assuming

> >>>>> that your are the Administrator of a TS, and that you want

> >>>>> to prohibit users to install software, is that correct? Or

> >>>>> do you want to disable this for all users, including

> >>>>> Administrators?

> >>>>>

> >>>>> If you just want to take away this possibility for normal

> >>>>> users, the answer is that they don't have the proper rights

> >>>>> any way, assuming that you run on Windows 2003 and have

> >>>>> installed Terminal Services with "Full Security". They can

> >>>>> install applications in their home folder, but can't add or

> >>>>> replace system files, dll's etc.

> >>>>>

> >>>>> _________________________________________________________

> >>>>> Vera Noest

> >>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>> *----------- Please reply in newsgroup -------------*

> >>>>>

> >>>>> =?Utf-8?B?QXNpZiBTaGFo?=

> >>>>> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008:

> >>>>>

> >>>>>> Vera,

> >>>>>>

> >>>>>> I have disabled the windows installer but that only

> >>>>>> applies to software installations that use windows

> >>>>>> installer to install itself. There are other installs that

> >>>>>> dont use windows install. e.g. installing Mozilla Firefox.

> >>>>>> I have the GPO you mentioned for the windows installer

> >>>>>> enabled but i can still install firefox........what else

> >>>>>> can i try?

> >>>>>>

> >>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>

> >>>>>>> OK, thanks for the feedback, I'm glad that your problem

> >>>>>>> is solved! It's a bit puzzeling though that the problem

> >>>>>>> didn't disappear by configuring the GPO setting in the

> >>>>>>> domain-wide GPO applied to the TS, since those settings

> >>>>>>> override the local policy.

> >>>>>>>

> >>>>>>> _________________________________________________________

> >>>>>>> Vera Noest

> >>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>> ___ please respond in newsgroup, NOT by private email ___

> >>>>>>>

> >>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

> >>>>>>> 14 nov 2007 in

> >>>>>>> microsoft.public.windows.terminal_services:

> >>>>>>>

> >>>>>>>> Thanks for your help it was the local policy that was

> >>>>>>>> still turned on.

> >>>>>>>>

> >>>>>>>>

> >>>>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>>>

> >>>>>>>>> Did you run Resultant Set of Policies, as I suggested

> >>>>>>>>> in my previous post? That would tell you exactly which

> >>>>>>>>> policy has the setting configured.

> >>>>>>>>> You can edit the local policy with gpedit.msc

> >>>>>>>>>

> >>>>>>>>> If you get this error message even when you are logged

> >>>>>>>>> in at the physical console of the server, then it

> >>>>>>>>> seems that Windows Installer is disabled completely,

> >>>>>>>>> not only for installations from within a TS session.

> >>>>>>>>> That setting can be found in Computer Configuration -

> >>>>>>>>> Administrative Templates - Windows Components -

> >>>>>>>>> Windows Installer "Disable Windows Installer"

> >>>>>>>>>

> >>>>>>>>> Other troubleshooting tools could be:

> >>>>>>>>>

> >>>>>>>>> 223300 - How to Enable Windows Installer Logging

> >>>>>>>>> http://support.microsoft.com/?kbid=223300

> >>>>>>>>>

> >>>>>>>>> 221833 - How to enable user environment debug logging

> >>>>>>>>> in retail builds of Windows

> >>>>>>>>> http://support.microsoft.com/?kbid=221833

> >>>>>>>>> _______________________________________________________

> >>>>>>>>> __ Vera Noest

> >>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>>>> ___ please respond in newsgroup, NOT by private email

> >>>>>>>>> ___

> >>>>>>>>>

> >>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

> >>>>>>>>> on 14 nov 2007 in

> >>>>>>>>> microsoft.public.windows.terminal_services:

> >>>>>>>>>

> >>>>>>>>>> Well I have went through on the domain controller

> >>>>>>>>>> and removed the group policy for that server.

> >>>>>>>>>> Even when consoled and logged in as Administrator it

> >>>>>>>>>> still gives that error.

> >>>>>>>>>>

> >>>>>>>>>> Is there any chance a setting could have been set

> >>>>>>>>>> locally on that server. If so where does a person

> >>>>>>>>>> look to find out if it has been reset?

> >>>>>>>>>>

> >>>>>>>>>> thanks for your response

> >>>>>>>>>>

> >>>>>>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>>>>>

> >>>>>>>>>>> Given the error message that you get, I'm still

> >>>>>>>>>>> convinced it's a GPO setting. Have you tried

> >>>>>>>>>>> resultant set of Policies?

> >>>>>>>>>>>

> >>>>>>>>>>> ____________________________________________________

> >>>>>>>>>>> ___ __ Vera Noest

> >>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>>>>>> ___ please respond in newsgroup, NOT by private

> >>>>>>>>>>> email ___

> >>>>>>>>>>>

> >>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

> >>>>>>>>>>> wrote on 08 nov 2007 in

> >>>>>>>>>>> microsoft.public.windows.terminal_services:

> >>>>>>>>>>>

> >>>>>>>>>>>> Thanks for the reply

> >>>>>>>>>>>>

> >>>>>>>>>>>> I found an article on doing that and it still

> >>>>>>>>>>>> isn't working. I have even restarted the terminal

> >>>>>>>>>>>> server to try and fix the issue.

> >>>>>>>>>>>>

> >>>>>>>>>>>> Could there be a registry setting on the server

> >>>>>>>>>>>> itself that would prevent installations?

> >>>>>>>>>>>>

> >>>>>>>>>>>>

> >>>>>>>>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>>>>>>>

> >>>>>>>>>>>>> Sounds like you want to enable this GPO setting:

> >>>>>>>>>>>>>

> >>>>>>>>>>>>> Computer Configuration - Administrative

> >>>>>>>>>>>>> Templates - Windows Components - Windows

> >>>>>>>>>>>>> Installer "Allow admin to install from Terminal

> >>>>>>>>>>>>> Services session"

> >>>>>>>>>>>>> _________________________________________________

> >>>>>>>>>>>>> ___ ___ __ Vera Noest

> >>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private

> >>>>>>>>>>>>> email ___

> >>>>>>>>>>>>>

> >>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

> >>>>>>>>>>>>> wrote on 08 nov 2007 in

> >>>>>>>>>>>>> microsoft.public.windows.terminal_services:

> >>>>>>>>>>>>>

> >>>>>>>>>>>>>> I am having an issue installing programs

> >>>>>>>>>>>>>> consoled in and logged in as admininstrator.

> >>>>>>>>>>>>>> It keeps giving the message of "The system

> >>>>>>>>>>>>>> administrator has set policies to prevent this

> >>>>>>>>>>>>>> installation"

> >>>>>>>>>>>>>>

> >>>>>>>>>>>>>> I don't know of any policy set to prevent this

> >>>>>>>>>>>>>> from even happening for the administrator. I

> >>>>>>>>>>>>>> have went to the lengths of removing the group

> >>>>>>>>>>>>>> policy for the users and trying it again

> >>>>>>>>>>>>>> without any luck.

> >>>>>>>>>>>>>>

> >>>>>>>>>>>>>> Does anyone know how to reset everything on

> >>>>>>>>>>>>>> that server or any suggestions.

> >>>>>>>>>>>>>>

> >>>>>>>>>>>>>> Thanks,

> >>>>>>>>>>>>>> TM

>

>

Guest Hank Arnold (MVP)

Guest Hank Arnold (MVP)

Posted
Posted

Re: Administrator Consoled in Can not install software

 

Asif Shah wrote:

> Thanks for the insight Hank.

>

> What GPO settings are talking about in particular? As Vera suggested I have

> the "Permissions compatible with Windows 2000 Users" in TSC already selected.

> I also have the windows installer GPO setting disabled. What other GPO can I

> touch. I will be changing the NTFS permissions today like Vera suggested.

>

> Thanks.

>

> "Hank Arnold (MVP)" wrote:

>

>> I'm a little confused... We control the installation of software by GPO.

>> No one except someone in the Administrators group can install software

>> on *ANY* computer (server, workstation, laptop, etc.)....period. In

>> addition, we have a firewall (part of the Sophos End Point Security)

>> that will not allow *any* program to run that has not been added to the

>> firewall security.

>>

>> We still have W2K servers with TS installed. I've never seen this

>> problem. I'm forwarding this to my work id and I'll see what I can find.

>>

>> To be honest, I can't guarantee I'll get to it today (Monday). This is

>> typically my busiest day with several weekly reports due in the AM, I

>> have to deal with all the problems the nurses have had over the weekend

>> with their laptops and remote access as well as some major issues that

>> just came up due to a vendor telling us that we need to spend a

>> significant amount of $$ that is not in the budget. You haven't lived

>> until you work for a non-profit and try to get IT money that isn't in

>> the budget... :-(

>>

>> --

>>

>> Regards,

>> Hank Arnold

>> Microsoft MVP

>> Windows Server - Directory Services

>>

>> Vera Noest [MVP] wrote:

>>> Well, as I wrote, I don't remember the details of a W2K TS. During

>>> installation, you are asked to choose the "Compatibility mode". Is

>>> there anyting in tscc which mentions that? If so, you chould choose

>>> "Permissions compatible with Windows 2000 Users".

>>>

>>> Anyone else maybe, who has access to a W2K TS?

>>> _________________________________________________________

>>> Vera Noest

>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>> TS troubleshooting: http://ts.veranoest.net

>>> ___ please respond in newsgroup, NOT by private email ___

>>>

>>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

>>> wrote on 02 aug 2008 in

>>> microsoft.public.windows.terminal_services:

>>>

>>>> I am looking at the Terminal Services Configuration - Server

>>>> Settings, which setting do I change. I dont see anything that

>>>> says "relaxed security".

>>>>

>>>> "Vera Noest [MVP]" wrote:

>>>>

>>>>> OK, seems like the Terminal Services was installed with relaxed

>>>>> security. It's a long time ago that I worked with W2K TS, so

>>>>> I'm unsure about the details, but I believe that you can check

>>>>> (and change?) this in Terminal Services Configuration - Server

>>>>> settings.

>>>>>

>>>>> You'll have to further secure the server with NTFS permissions

>>>>> on the file system. At the minimum, modify the NTFS permissions

>>>>> as follows:

>>>>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

>>>>> %SystemRoot%\system32 :

>>>>> System - Full Control

>>>>> Administrators - Full Control

>>>>> Authenticated Users - Read & Execute

>>>>>

>>>>> _________________________________________________________

>>>>> Vera Noest

>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>>

>>>>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

>>>>> wrote on 01 aug 2008 in

>>>>> microsoft.public.windows.terminal_services:

>>>>>

>>>>>> Vera,

>>>>>>

>>>>>> My appoligies for adding to an older thread. I just thought

>>>>>> since you were dicussing a similiar problem I would post my

>>>>>> issue. I will keep in mind nex time.

>>>>>>

>>>>>> I am the administrator and I am trying to restrict all

>>>>>> non-admin users from installing software on the server. This

>>>>>> is on a Windows 2000 server. How can I check if I installed

>>>>>> TS with full security. Apprently something is not setup

>>>>>> right, because few days ago I discovered that new software

>>>>>> were installed, some games and Mozilla Firebox. I checked

>>>>>> with my admins and they didnt. So it had to have been a

>>>>>> regular user. No other user has right like us admins. I even

>>>>>> did a test. I logged in as a normal user whose password I

>>>>>> knew and I was able to download and install Firefox and other

>>>>>> software.

>>>>>>

>>>>>> The only thing I have done is disable the windows installer

>>>>>> but seems like that only works for software that use windows

>>>>>> installer to install itself. The article I read from

>>>>>> Microsoft that talks about this GPO mentions this condition.

>>>>>> What else can I do? What else can I check?

>>>>>>

>>>>>> Thanks.

>>>>>>

>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>

>>>>>>> Asif, you seem to append to an old thread which was about

>>>>>>> the opposite of your problem. That's very confusing. Next

>>>>>>> time, please start a new thread and clearly state your

>>>>>>> problem.

>>>>>>>

>>>>>>> What exactly is it that you want to achieve? I'm assuming

>>>>>>> that your are the Administrator of a TS, and that you want

>>>>>>> to prohibit users to install software, is that correct? Or

>>>>>>> do you want to disable this for all users, including

>>>>>>> Administrators?

>>>>>>>

>>>>>>> If you just want to take away this possibility for normal

>>>>>>> users, the answer is that they don't have the proper rights

>>>>>>> any way, assuming that you run on Windows 2003 and have

>>>>>>> installed Terminal Services with "Full Security". They can

>>>>>>> install applications in their home folder, but can't add or

>>>>>>> replace system files, dll's etc.

>>>>>>>

>>>>>>> _________________________________________________________

>>>>>>> Vera Noest

>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>> *----------- Please reply in newsgroup -------------*

>>>>>>>

>>>>>>> =?Utf-8?B?QXNpZiBTaGFo?=

>>>>>>> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008:

>>>>>>>

>>>>>>>> Vera,

>>>>>>>>

>>>>>>>> I have disabled the windows installer but that only

>>>>>>>> applies to software installations that use windows

>>>>>>>> installer to install itself. There are other installs that

>>>>>>>> dont use windows install. e.g. installing Mozilla Firefox.

>>>>>>>> I have the GPO you mentioned for the windows installer

>>>>>>>> enabled but i can still install firefox........what else

>>>>>>>> can i try?

>>>>>>>>

>>>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>>>

>>>>>>>>> OK, thanks for the feedback, I'm glad that your problem

>>>>>>>>> is solved! It's a bit puzzeling though that the problem

>>>>>>>>> didn't disappear by configuring the GPO setting in the

>>>>>>>>> domain-wide GPO applied to the TS, since those settings

>>>>>>>>> override the local policy.

>>>>>>>>>

>>>>>>>>> _________________________________________________________

>>>>>>>>> Vera Noest

>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>>>>>>

>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

>>>>>>>>> 14 nov 2007 in

>>>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>>>

>>>>>>>>>> Thanks for your help it was the local policy that was

>>>>>>>>>> still turned on.

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>>>>>

>>>>>>>>>>> Did you run Resultant Set of Policies, as I suggested

>>>>>>>>>>> in my previous post? That would tell you exactly which

>>>>>>>>>>> policy has the setting configured.

>>>>>>>>>>> You can edit the local policy with gpedit.msc

>>>>>>>>>>>

>>>>>>>>>>> If you get this error message even when you are logged

>>>>>>>>>>> in at the physical console of the server, then it

>>>>>>>>>>> seems that Windows Installer is disabled completely,

>>>>>>>>>>> not only for installations from within a TS session.

>>>>>>>>>>> That setting can be found in Computer Configuration -

>>>>>>>>>>> Administrative Templates - Windows Components -

>>>>>>>>>>> Windows Installer "Disable Windows Installer"

>>>>>>>>>>>

>>>>>>>>>>> Other troubleshooting tools could be:

>>>>>>>>>>>

>>>>>>>>>>> 223300 - How to Enable Windows Installer Logging

>>>>>>>>>>> http://support.microsoft.com/?kbid=223300

>>>>>>>>>>>

>>>>>>>>>>> 221833 - How to enable user environment debug logging

>>>>>>>>>>> in retail builds of Windows

>>>>>>>>>>> http://support.microsoft.com/?kbid=221833

>>>>>>>>>>> _______________________________________________________

>>>>>>>>>>> __ Vera Noest

>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>>>>>> ___ please respond in newsgroup, NOT by private email

>>>>>>>>>>> ___

>>>>>>>>>>>

>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

>>>>>>>>>>> on 14 nov 2007 in

>>>>>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>>>>>

>>>>>>>>>>>> Well I have went through on the domain controller

>>>>>>>>>>>> and removed the group policy for that server.

>>>>>>>>>>>> Even when consoled and logged in as Administrator it

>>>>>>>>>>>> still gives that error.

>>>>>>>>>>>>

>>>>>>>>>>>> Is there any chance a setting could have been set

>>>>>>>>>>>> locally on that server. If so where does a person

>>>>>>>>>>>> look to find out if it has been reset?

>>>>>>>>>>>>

>>>>>>>>>>>> thanks for your response

>>>>>>>>>>>>

>>>>>>>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>>>>>>>

>>>>>>>>>>>>> Given the error message that you get, I'm still

>>>>>>>>>>>>> convinced it's a GPO setting. Have you tried

>>>>>>>>>>>>> resultant set of Policies?

>>>>>>>>>>>>>

>>>>>>>>>>>>> ____________________________________________________

>>>>>>>>>>>>> ___ __ Vera Noest

>>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private

>>>>>>>>>>>>> email ___

>>>>>>>>>>>>>

>>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

>>>>>>>>>>>>> wrote on 08 nov 2007 in

>>>>>>>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>>>>>>>

>>>>>>>>>>>>>> Thanks for the reply

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> I found an article on doing that and it still

>>>>>>>>>>>>>> isn't working. I have even restarted the terminal

>>>>>>>>>>>>>> server to try and fix the issue.

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> Could there be a registry setting on the server

>>>>>>>>>>>>>> itself that would prevent installations?

>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> "Vera Noest [MVP]" wrote:

>>>>>>>>>>>>>>

>>>>>>>>>>>>>>> Sounds like you want to enable this GPO setting:

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>> Computer Configuration - Administrative

>>>>>>>>>>>>>>> Templates - Windows Components - Windows

>>>>>>>>>>>>>>> Installer "Allow admin to install from Terminal

>>>>>>>>>>>>>>> Services session"

>>>>>>>>>>>>>>> _________________________________________________

>>>>>>>>>>>>>>> ___ ___ __ Vera Noest

>>>>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private

>>>>>>>>>>>>>>> email ___

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

>>>>>>>>>>>>>>> wrote on 08 nov 2007 in

>>>>>>>>>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>>> I am having an issue installing programs

>>>>>>>>>>>>>>>> consoled in and logged in as admininstrator.

>>>>>>>>>>>>>>>> It keeps giving the message of "The system

>>>>>>>>>>>>>>>> administrator has set policies to prevent this

>>>>>>>>>>>>>>>> installation"

>>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>>> I don't know of any policy set to prevent this

>>>>>>>>>>>>>>>> from even happening for the administrator. I

>>>>>>>>>>>>>>>> have went to the lengths of removing the group

>>>>>>>>>>>>>>>> policy for the users and trying it again

>>>>>>>>>>>>>>>> without any luck.

>>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>>> Does anyone know how to reset everything on

>>>>>>>>>>>>>>>> that server or any suggestions.

>>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>>> Thanks,

>>>>>>>>>>>>>>>> TM

>>

I'll have to look into it... Its been along time since I updated the

GPO............

 

 

 

--

 

Regards,

Hank Arnold

Microsoft MVP

Windows Server - Directory Services

Guest Asif Shah

Guest Asif Shah

Posted
Posted

Re: Administrator Consoled in Can not install software

 

OK. Let me know if you find something. Thanks.

 

"Hank Arnold (MVP)" wrote:

> Asif Shah wrote:

> > Thanks for the insight Hank.

> >

> > What GPO settings are talking about in particular? As Vera suggested I have

> > the "Permissions compatible with Windows 2000 Users" in TSC already selected.

> > I also have the windows installer GPO setting disabled. What other GPO can I

> > touch. I will be changing the NTFS permissions today like Vera suggested.

> >

> > Thanks.

> >

> > "Hank Arnold (MVP)" wrote:

> >

> >> I'm a little confused... We control the installation of software by GPO.

> >> No one except someone in the Administrators group can install software

> >> on *ANY* computer (server, workstation, laptop, etc.)....period. In

> >> addition, we have a firewall (part of the Sophos End Point Security)

> >> that will not allow *any* program to run that has not been added to the

> >> firewall security.

> >>

> >> We still have W2K servers with TS installed. I've never seen this

> >> problem. I'm forwarding this to my work id and I'll see what I can find.

> >>

> >> To be honest, I can't guarantee I'll get to it today (Monday). This is

> >> typically my busiest day with several weekly reports due in the AM, I

> >> have to deal with all the problems the nurses have had over the weekend

> >> with their laptops and remote access as well as some major issues that

> >> just came up due to a vendor telling us that we need to spend a

> >> significant amount of $$ that is not in the budget. You haven't lived

> >> until you work for a non-profit and try to get IT money that isn't in

> >> the budget... :-(

> >>

> >> --

> >>

> >> Regards,

> >> Hank Arnold

> >> Microsoft MVP

> >> Windows Server - Directory Services

> >>

> >> Vera Noest [MVP] wrote:

> >>> Well, as I wrote, I don't remember the details of a W2K TS. During

> >>> installation, you are asked to choose the "Compatibility mode". Is

> >>> there anyting in tscc which mentions that? If so, you chould choose

> >>> "Permissions compatible with Windows 2000 Users".

> >>>

> >>> Anyone else maybe, who has access to a W2K TS?

> >>> _________________________________________________________

> >>> Vera Noest

> >>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>> TS troubleshooting: http://ts.veranoest.net

> >>> ___ please respond in newsgroup, NOT by private email ___

> >>>

> >>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> >>> wrote on 02 aug 2008 in

> >>> microsoft.public.windows.terminal_services:

> >>>

> >>>> I am looking at the Terminal Services Configuration - Server

> >>>> Settings, which setting do I change. I dont see anything that

> >>>> says "relaxed security".

> >>>>

> >>>> "Vera Noest [MVP]" wrote:

> >>>>

> >>>>> OK, seems like the Terminal Services was installed with relaxed

> >>>>> security. It's a long time ago that I worked with W2K TS, so

> >>>>> I'm unsure about the details, but I believe that you can check

> >>>>> (and change?) this in Terminal Services Configuration - Server

> >>>>> settings.

> >>>>>

> >>>>> You'll have to further secure the server with NTFS permissions

> >>>>> on the file system. At the minimum, modify the NTFS permissions

> >>>>> as follows:

> >>>>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and

> >>>>> %SystemRoot%\system32 :

> >>>>> System - Full Control

> >>>>> Administrators - Full Control

> >>>>> Authenticated Users - Read & Execute

> >>>>>

> >>>>> _________________________________________________________

> >>>>> Vera Noest

> >>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>> ___ please respond in newsgroup, NOT by private email ___

> >>>>>

> >>>>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com>

> >>>>> wrote on 01 aug 2008 in

> >>>>> microsoft.public.windows.terminal_services:

> >>>>>

> >>>>>> Vera,

> >>>>>>

> >>>>>> My appoligies for adding to an older thread. I just thought

> >>>>>> since you were dicussing a similiar problem I would post my

> >>>>>> issue. I will keep in mind nex time.

> >>>>>>

> >>>>>> I am the administrator and I am trying to restrict all

> >>>>>> non-admin users from installing software on the server. This

> >>>>>> is on a Windows 2000 server. How can I check if I installed

> >>>>>> TS with full security. Apprently something is not setup

> >>>>>> right, because few days ago I discovered that new software

> >>>>>> were installed, some games and Mozilla Firebox. I checked

> >>>>>> with my admins and they didnt. So it had to have been a

> >>>>>> regular user. No other user has right like us admins. I even

> >>>>>> did a test. I logged in as a normal user whose password I

> >>>>>> knew and I was able to download and install Firefox and other

> >>>>>> software.

> >>>>>>

> >>>>>> The only thing I have done is disable the windows installer

> >>>>>> but seems like that only works for software that use windows

> >>>>>> installer to install itself. The article I read from

> >>>>>> Microsoft that talks about this GPO mentions this condition.

> >>>>>> What else can I do? What else can I check?

> >>>>>>

> >>>>>> Thanks.

> >>>>>>

> >>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>

> >>>>>>> Asif, you seem to append to an old thread which was about

> >>>>>>> the opposite of your problem. That's very confusing. Next

> >>>>>>> time, please start a new thread and clearly state your

> >>>>>>> problem.

> >>>>>>>

> >>>>>>> What exactly is it that you want to achieve? I'm assuming

> >>>>>>> that your are the Administrator of a TS, and that you want

> >>>>>>> to prohibit users to install software, is that correct? Or

> >>>>>>> do you want to disable this for all users, including

> >>>>>>> Administrators?

> >>>>>>>

> >>>>>>> If you just want to take away this possibility for normal

> >>>>>>> users, the answer is that they don't have the proper rights

> >>>>>>> any way, assuming that you run on Windows 2003 and have

> >>>>>>> installed Terminal Services with "Full Security". They can

> >>>>>>> install applications in their home folder, but can't add or

> >>>>>>> replace system files, dll's etc.

> >>>>>>>

> >>>>>>> _________________________________________________________

> >>>>>>> Vera Noest

> >>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>> *----------- Please reply in newsgroup -------------*

> >>>>>>>

> >>>>>>> =?Utf-8?B?QXNpZiBTaGFo?=

> >>>>>>> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008:

> >>>>>>>

> >>>>>>>> Vera,

> >>>>>>>>

> >>>>>>>> I have disabled the windows installer but that only

> >>>>>>>> applies to software installations that use windows

> >>>>>>>> installer to install itself. There are other installs that

> >>>>>>>> dont use windows install. e.g. installing Mozilla Firefox.

> >>>>>>>> I have the GPO you mentioned for the windows installer

> >>>>>>>> enabled but i can still install firefox........what else

> >>>>>>>> can i try?

> >>>>>>>>

> >>>>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>>>

> >>>>>>>>> OK, thanks for the feedback, I'm glad that your problem

> >>>>>>>>> is solved! It's a bit puzzeling though that the problem

> >>>>>>>>> didn't disappear by configuring the GPO setting in the

> >>>>>>>>> domain-wide GPO applied to the TS, since those settings

> >>>>>>>>> override the local policy.

> >>>>>>>>>

> >>>>>>>>> _________________________________________________________

> >>>>>>>>> Vera Noest

> >>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>>>> ___ please respond in newsgroup, NOT by private email ___

> >>>>>>>>>

> >>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on

> >>>>>>>>> 14 nov 2007 in

> >>>>>>>>> microsoft.public.windows.terminal_services:

> >>>>>>>>>

> >>>>>>>>>> Thanks for your help it was the local policy that was

> >>>>>>>>>> still turned on.

> >>>>>>>>>>

> >>>>>>>>>>

> >>>>>>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>>>>>

> >>>>>>>>>>> Did you run Resultant Set of Policies, as I suggested

> >>>>>>>>>>> in my previous post? That would tell you exactly which

> >>>>>>>>>>> policy has the setting configured.

> >>>>>>>>>>> You can edit the local policy with gpedit.msc

> >>>>>>>>>>>

> >>>>>>>>>>> If you get this error message even when you are logged

> >>>>>>>>>>> in at the physical console of the server, then it

> >>>>>>>>>>> seems that Windows Installer is disabled completely,

> >>>>>>>>>>> not only for installations from within a TS session.

> >>>>>>>>>>> That setting can be found in Computer Configuration -

> >>>>>>>>>>> Administrative Templates - Windows Components -

> >>>>>>>>>>> Windows Installer "Disable Windows Installer"

> >>>>>>>>>>>

> >>>>>>>>>>> Other troubleshooting tools could be:

> >>>>>>>>>>>

> >>>>>>>>>>> 223300 - How to Enable Windows Installer Logging

> >>>>>>>>>>> http://support.microsoft.com/?kbid=223300

> >>>>>>>>>>>

> >>>>>>>>>>> 221833 - How to enable user environment debug logging

> >>>>>>>>>>> in retail builds of Windows

> >>>>>>>>>>> http://support.microsoft.com/?kbid=221833

> >>>>>>>>>>> _______________________________________________________

> >>>>>>>>>>> __ Vera Noest

> >>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>>>>>> ___ please respond in newsgroup, NOT by private email

> >>>>>>>>>>> ___

> >>>>>>>>>>>

> >>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote

> >>>>>>>>>>> on 14 nov 2007 in

> >>>>>>>>>>> microsoft.public.windows.terminal_services:

> >>>>>>>>>>>

> >>>>>>>>>>>> Well I have went through on the domain controller

> >>>>>>>>>>>> and removed the group policy for that server.

> >>>>>>>>>>>> Even when consoled and logged in as Administrator it

> >>>>>>>>>>>> still gives that error.

> >>>>>>>>>>>>

> >>>>>>>>>>>> Is there any chance a setting could have been set

> >>>>>>>>>>>> locally on that server. If so where does a person

> >>>>>>>>>>>> look to find out if it has been reset?

> >>>>>>>>>>>>

> >>>>>>>>>>>> thanks for your response

> >>>>>>>>>>>>

> >>>>>>>>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>>>>>>>

> >>>>>>>>>>>>> Given the error message that you get, I'm still

> >>>>>>>>>>>>> convinced it's a GPO setting. Have you tried

> >>>>>>>>>>>>> resultant set of Policies?

> >>>>>>>>>>>>>

> >>>>>>>>>>>>> ____________________________________________________

> >>>>>>>>>>>>> ___ __ Vera Noest

> >>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private

> >>>>>>>>>>>>> email ___

> >>>>>>>>>>>>>

> >>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

> >>>>>>>>>>>>> wrote on 08 nov 2007 in

> >>>>>>>>>>>>> microsoft.public.windows.terminal_services:

> >>>>>>>>>>>>>

> >>>>>>>>>>>>>> Thanks for the reply

> >>>>>>>>>>>>>>

> >>>>>>>>>>>>>> I found an article on doing that and it still

> >>>>>>>>>>>>>> isn't working. I have even restarted the terminal

> >>>>>>>>>>>>>> server to try and fix the issue.

> >>>>>>>>>>>>>>

> >>>>>>>>>>>>>> Could there be a registry setting on the server

> >>>>>>>>>>>>>> itself that would prevent installations?

> >>>>>>>>>>>>>>

> >>>>>>>>>>>>>>

> >>>>>>>>>>>>>> "Vera Noest [MVP]" wrote:

> >>>>>>>>>>>>>>

> >>>>>>>>>>>>>>> Sounds like you want to enable this GPO setting:

> >>>>>>>>>>>>>>>

> >>>>>>>>>>>>>>> Computer Configuration - Administrative

> >>>>>>>>>>>>>>> Templates - Windows Components - Windows

> >>>>>>>>>>>>>>> Installer "Allow admin to install from Terminal

> >>>>>>>>>>>>>>> Services session"

> >>>>>>>>>>>>>>> _________________________________________________

> >>>>>>>>>>>>>>> ___ ___ __ Vera Noest

> >>>>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

> >>>>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net

> >>>>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private

> >>>>>>>>>>>>>>> email ___

> >>>>>>>>>>>>>>>

> >>>>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com>

> >>>>>>>>>>>>>>> wrote on 08 nov 2007 in

> >>>>>>>>>>>>>>> microsoft.public.windows.terminal_services:

> >>>>>>>>>>>>>>>

> >>>>>>>>>>>>>>>> I am having an issue installing programs

> >>>>>>>>>>>>>>>> consoled in and logged in as admininstrator.

> >>>>>>>>>>>>>>>> It keeps giving the message of "The system

> >>>>>>>>>>>>>>>> administrator has set policies to prevent this

> >>>>>>>>>>>>>>>> installation"

> >>>>>>>>>>>>>>>>

> >>>>>>>>>>>>>>>> I don't know of any policy set to prevent this

> >>>>>>>>>>>>>>>> from even happening for the administrator. I

> >>>>>>>>>>>>>>>> have went to the lengths of removing the group

> >>>>>>>>>>>>>>>> policy for the users and trying it again

> >>>>>>>>>>>>>>>> without any luck.

> >>>>>>>>>>>>>>>>

> >>>>>>>>>>>>>>>> Does anyone know how to reset everything on

> >>>>>>>>>>>>>>>> that server or any suggestions.

> >>>>>>>>>>>>>>>>

> >>>>>>>>>>>>>>>> Thanks,

> >>>>>>>>>>>>>>>> TM

> >>

> I'll have to look into it... Its been along time since I updated the

> GPO............

>

>

>

> --

>

> Regards,

> Hank Arnold

> Microsoft MVP

> Windows Server - Directory Services

>

 Share
Go to topic listing
×
×
  • Create New...