Guest TM Posted November 8, 2007 Posted November 8, 2007 I am having an issue installing programs consoled in and logged in as admininstrator. It keeps giving the message of "The system administrator has set policies to prevent this installation" I don't know of any policy set to prevent this from even happening for the administrator. I have went to the lengths of removing the group policy for the users and trying it again without any luck. Does anyone know how to reset everything on that server or any suggestions. Thanks, TM
Guest Vera Noest [MVP] Posted November 8, 2007 Posted November 8, 2007 Re: Administrator Consoled in Can not install software Sounds like you want to enable this GPO setting: Computer Configuration - Administrative Templates - Windows Components - Windows Installer "Allow admin to install from Terminal Services session" _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov 2007 in microsoft.public.windows.terminal_services: > I am having an issue installing programs consoled in and logged > in as admininstrator. > It keeps giving the message of "The system administrator has set > policies to prevent this installation" > > I don't know of any policy set to prevent this from even > happening for the administrator. I have went to the lengths of > removing the group policy for the users and trying it again > without any luck. > > Does anyone know how to reset everything on that server or any > suggestions. > > Thanks, > TM
Guest TM Posted November 8, 2007 Posted November 8, 2007 Re: Administrator Consoled in Can not install software Thanks for the reply I found an article on doing that and it still isn't working. I have even restarted the terminal server to try and fix the issue. Could there be a registry setting on the server itself that would prevent installations? "Vera Noest [MVP]" wrote: > Sounds like you want to enable this GPO setting: > > Computer Configuration - Administrative Templates - Windows > Components - Windows Installer > "Allow admin to install from Terminal Services session" > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov > 2007 in microsoft.public.windows.terminal_services: > > > I am having an issue installing programs consoled in and logged > > in as admininstrator. > > It keeps giving the message of "The system administrator has set > > policies to prevent this installation" > > > > I don't know of any policy set to prevent this from even > > happening for the administrator. I have went to the lengths of > > removing the group policy for the users and trying it again > > without any luck. > > > > Does anyone know how to reset everything on that server or any > > suggestions. > > > > Thanks, > > TM >
Guest Vera Noest [MVP] Posted November 8, 2007 Posted November 8, 2007 Re: Administrator Consoled in Can not install software Given the error message that you get, I'm still convinced it's a GPO setting. Have you tried resultant set of Policies? _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov 2007 in microsoft.public.windows.terminal_services: > Thanks for the reply > > I found an article on doing that and it still isn't working. I > have even restarted the terminal server to try and fix the > issue. > > Could there be a registry setting on the server itself that > would prevent installations? > > > "Vera Noest [MVP]" wrote: > >> Sounds like you want to enable this GPO setting: >> >> Computer Configuration - Administrative Templates - Windows >> Components - Windows Installer >> "Allow admin to install from Terminal Services session" >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov >> 2007 in microsoft.public.windows.terminal_services: >> >> > I am having an issue installing programs consoled in and >> > logged in as admininstrator. >> > It keeps giving the message of "The system administrator has >> > set policies to prevent this installation" >> > >> > I don't know of any policy set to prevent this from even >> > happening for the administrator. I have went to the lengths >> > of removing the group policy for the users and trying it >> > again without any luck. >> > >> > Does anyone know how to reset everything on that server or >> > any suggestions. >> > >> > Thanks, >> > TM
Guest TM Posted November 14, 2007 Posted November 14, 2007 Re: Administrator Consoled in Can not install software Well I have went through on the domain controller and removed the group policy for that server. Even when consoled and logged in as Administrator it still gives that error. Is there any chance a setting could have been set locally on that server. If so where does a person look to find out if it has been reset? thanks for your response "Vera Noest [MVP]" wrote: > Given the error message that you get, I'm still convinced it's a > GPO setting. Have you tried resultant set of Policies? > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov > 2007 in microsoft.public.windows.terminal_services: > > > Thanks for the reply > > > > I found an article on doing that and it still isn't working. I > > have even restarted the terminal server to try and fix the > > issue. > > > > Could there be a registry setting on the server itself that > > would prevent installations? > > > > > > "Vera Noest [MVP]" wrote: > > > >> Sounds like you want to enable this GPO setting: > >> > >> Computer Configuration - Administrative Templates - Windows > >> Components - Windows Installer > >> "Allow admin to install from Terminal Services session" > >> _________________________________________________________ > >> Vera Noest > >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> TS troubleshooting: http://ts.veranoest.net > >> ___ please respond in newsgroup, NOT by private email ___ > >> > >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov > >> 2007 in microsoft.public.windows.terminal_services: > >> > >> > I am having an issue installing programs consoled in and > >> > logged in as admininstrator. > >> > It keeps giving the message of "The system administrator has > >> > set policies to prevent this installation" > >> > > >> > I don't know of any policy set to prevent this from even > >> > happening for the administrator. I have went to the lengths > >> > of removing the group policy for the users and trying it > >> > again without any luck. > >> > > >> > Does anyone know how to reset everything on that server or > >> > any suggestions. > >> > > >> > Thanks, > >> > TM >
Guest Vera Noest [MVP] Posted November 14, 2007 Posted November 14, 2007 Re: Administrator Consoled in Can not install software Did you run Resultant Set of Policies, as I suggested in my previous post? That would tell you exactly which policy has the setting configured. You can edit the local policy with gpedit.msc If you get this error message even when you are logged in at the physical console of the server, then it seems that Windows Installer is disabled completely, not only for installations from within a TS session. That setting can be found in Computer Configuration - Administrative Templates - Windows Components - Windows Installer "Disable Windows Installer" Other troubleshooting tools could be: 223300 - How to Enable Windows Installer Logging http://support.microsoft.com/?kbid=223300 221833 - How to enable user environment debug logging in retail builds of Windows http://support.microsoft.com/?kbid=221833 _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov 2007 in microsoft.public.windows.terminal_services: > Well I have went through on the domain controller and removed > the group policy for that server. > Even when consoled and logged in as Administrator it still gives > that error. > > Is there any chance a setting could have been set locally on > that server. If so where does a person look to find out if it > has been reset? > > thanks for your response > > "Vera Noest [MVP]" wrote: > >> Given the error message that you get, I'm still convinced it's >> a GPO setting. Have you tried resultant set of Policies? >> >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov >> 2007 in microsoft.public.windows.terminal_services: >> >> > Thanks for the reply >> > >> > I found an article on doing that and it still isn't working. >> > I have even restarted the terminal server to try and fix the >> > issue. >> > >> > Could there be a registry setting on the server itself that >> > would prevent installations? >> > >> > >> > "Vera Noest [MVP]" wrote: >> > >> >> Sounds like you want to enable this GPO setting: >> >> >> >> Computer Configuration - Administrative Templates - Windows >> >> Components - Windows Installer >> >> "Allow admin to install from Terminal Services session" >> >> _________________________________________________________ >> >> Vera Noest >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> TS troubleshooting: http://ts.veranoest.net >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 >> >> nov 2007 in microsoft.public.windows.terminal_services: >> >> >> >> > I am having an issue installing programs consoled in and >> >> > logged in as admininstrator. >> >> > It keeps giving the message of "The system administrator >> >> > has set policies to prevent this installation" >> >> > >> >> > I don't know of any policy set to prevent this from even >> >> > happening for the administrator. I have went to the >> >> > lengths of removing the group policy for the users and >> >> > trying it again without any luck. >> >> > >> >> > Does anyone know how to reset everything on that server or >> >> > any suggestions. >> >> > >> >> > Thanks, >> >> > TM
Guest TM Posted November 14, 2007 Posted November 14, 2007 Re: Administrator Consoled in Can not install software Thanks for your help it was the local policy that was still turned on. "Vera Noest [MVP]" wrote: > Did you run Resultant Set of Policies, as I suggested in my > previous post? That would tell you exactly which policy has the > setting configured. > You can edit the local policy with gpedit.msc > > If you get this error message even when you are logged in at the > physical console of the server, then it seems that Windows > Installer is disabled completely, not only for installations from > within a TS session. That setting can be found in > Computer Configuration - Administrative Templates - Windows > Components - Windows Installer > "Disable Windows Installer" > > Other troubleshooting tools could be: > > 223300 - How to Enable Windows Installer Logging > http://support.microsoft.com/?kbid=223300 > > 221833 - How to enable user environment debug logging in retail > builds of Windows > http://support.microsoft.com/?kbid=221833 > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov > 2007 in microsoft.public.windows.terminal_services: > > > Well I have went through on the domain controller and removed > > the group policy for that server. > > Even when consoled and logged in as Administrator it still gives > > that error. > > > > Is there any chance a setting could have been set locally on > > that server. If so where does a person look to find out if it > > has been reset? > > > > thanks for your response > > > > "Vera Noest [MVP]" wrote: > > > >> Given the error message that you get, I'm still convinced it's > >> a GPO setting. Have you tried resultant set of Policies? > >> > >> _________________________________________________________ > >> Vera Noest > >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> TS troubleshooting: http://ts.veranoest.net > >> ___ please respond in newsgroup, NOT by private email ___ > >> > >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 nov > >> 2007 in microsoft.public.windows.terminal_services: > >> > >> > Thanks for the reply > >> > > >> > I found an article on doing that and it still isn't working. > >> > I have even restarted the terminal server to try and fix the > >> > issue. > >> > > >> > Could there be a registry setting on the server itself that > >> > would prevent installations? > >> > > >> > > >> > "Vera Noest [MVP]" wrote: > >> > > >> >> Sounds like you want to enable this GPO setting: > >> >> > >> >> Computer Configuration - Administrative Templates - Windows > >> >> Components - Windows Installer > >> >> "Allow admin to install from Terminal Services session" > >> >> _________________________________________________________ > >> >> Vera Noest > >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> TS troubleshooting: http://ts.veranoest.net > >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> > >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 > >> >> nov 2007 in microsoft.public.windows.terminal_services: > >> >> > >> >> > I am having an issue installing programs consoled in and > >> >> > logged in as admininstrator. > >> >> > It keeps giving the message of "The system administrator > >> >> > has set policies to prevent this installation" > >> >> > > >> >> > I don't know of any policy set to prevent this from even > >> >> > happening for the administrator. I have went to the > >> >> > lengths of removing the group policy for the users and > >> >> > trying it again without any luck. > >> >> > > >> >> > Does anyone know how to reset everything on that server or > >> >> > any suggestions. > >> >> > > >> >> > Thanks, > >> >> > TM >
Guest Vera Noest [MVP] Posted November 14, 2007 Posted November 14, 2007 Re: Administrator Consoled in Can not install software OK, thanks for the feedback, I'm glad that your problem is solved! It's a bit puzzeling though that the problem didn't disappear by configuring the GPO setting in the domain-wide GPO applied to the TS, since those settings override the local policy. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov 2007 in microsoft.public.windows.terminal_services: > Thanks for your help it was the local policy that was still > turned on. > > > "Vera Noest [MVP]" wrote: > >> Did you run Resultant Set of Policies, as I suggested in my >> previous post? That would tell you exactly which policy has the >> setting configured. >> You can edit the local policy with gpedit.msc >> >> If you get this error message even when you are logged in at >> the physical console of the server, then it seems that Windows >> Installer is disabled completely, not only for installations >> from within a TS session. That setting can be found in >> Computer Configuration - Administrative Templates - Windows >> Components - Windows Installer >> "Disable Windows Installer" >> >> Other troubleshooting tools could be: >> >> 223300 - How to Enable Windows Installer Logging >> http://support.microsoft.com/?kbid=223300 >> >> 221833 - How to enable user environment debug logging in retail >> builds of Windows >> http://support.microsoft.com/?kbid=221833 >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov >> 2007 in microsoft.public.windows.terminal_services: >> >> > Well I have went through on the domain controller and removed >> > the group policy for that server. >> > Even when consoled and logged in as Administrator it still >> > gives that error. >> > >> > Is there any chance a setting could have been set locally on >> > that server. If so where does a person look to find out if it >> > has been reset? >> > >> > thanks for your response >> > >> > "Vera Noest [MVP]" wrote: >> > >> >> Given the error message that you get, I'm still convinced >> >> it's a GPO setting. Have you tried resultant set of >> >> Policies? >> >> >> >> _________________________________________________________ >> >> Vera Noest >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> TS troubleshooting: http://ts.veranoest.net >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 >> >> nov 2007 in microsoft.public.windows.terminal_services: >> >> >> >> > Thanks for the reply >> >> > >> >> > I found an article on doing that and it still isn't >> >> > working. I have even restarted the terminal server to try >> >> > and fix the issue. >> >> > >> >> > Could there be a registry setting on the server itself >> >> > that would prevent installations? >> >> > >> >> > >> >> > "Vera Noest [MVP]" wrote: >> >> > >> >> >> Sounds like you want to enable this GPO setting: >> >> >> >> >> >> Computer Configuration - Administrative Templates - >> >> >> Windows Components - Windows Installer >> >> >> "Allow admin to install from Terminal Services session" >> >> >> _________________________________________________________ >> >> >> Vera Noest >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on >> >> >> 08 nov 2007 in >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> > I am having an issue installing programs consoled in >> >> >> > and logged in as admininstrator. >> >> >> > It keeps giving the message of "The system >> >> >> > administrator has set policies to prevent this >> >> >> > installation" >> >> >> > >> >> >> > I don't know of any policy set to prevent this from >> >> >> > even happening for the administrator. I have went to >> >> >> > the lengths of removing the group policy for the users >> >> >> > and trying it again without any luck. >> >> >> > >> >> >> > Does anyone know how to reset everything on that server >> >> >> > or any suggestions. >> >> >> > >> >> >> > Thanks, >> >> >> > TM
Guest Asif Shah Posted July 31, 2008 Posted July 31, 2008 Re: Administrator Consoled in Can not install software Vera, I have disabled the windows installer but that only applies to software installations that use windows installer to install itself. There are other installs that dont use windows install. e.g. installing Mozilla Firefox. I have the GPO you mentioned for the windows installer enabled but i can still install firefox........what else can i try? "Vera Noest [MVP]" wrote: > OK, thanks for the feedback, I'm glad that your problem is solved! > It's a bit puzzeling though that the problem didn't disappear by > configuring the GPO setting in the domain-wide GPO applied to the > TS, since those settings override the local policy. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov > 2007 in microsoft.public.windows.terminal_services: > > > Thanks for your help it was the local policy that was still > > turned on. > > > > > > "Vera Noest [MVP]" wrote: > > > >> Did you run Resultant Set of Policies, as I suggested in my > >> previous post? That would tell you exactly which policy has the > >> setting configured. > >> You can edit the local policy with gpedit.msc > >> > >> If you get this error message even when you are logged in at > >> the physical console of the server, then it seems that Windows > >> Installer is disabled completely, not only for installations > >> from within a TS session. That setting can be found in > >> Computer Configuration - Administrative Templates - Windows > >> Components - Windows Installer > >> "Disable Windows Installer" > >> > >> Other troubleshooting tools could be: > >> > >> 223300 - How to Enable Windows Installer Logging > >> http://support.microsoft.com/?kbid=223300 > >> > >> 221833 - How to enable user environment debug logging in retail > >> builds of Windows > >> http://support.microsoft.com/?kbid=221833 > >> _________________________________________________________ > >> Vera Noest > >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> TS troubleshooting: http://ts.veranoest.net > >> ___ please respond in newsgroup, NOT by private email ___ > >> > >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov > >> 2007 in microsoft.public.windows.terminal_services: > >> > >> > Well I have went through on the domain controller and removed > >> > the group policy for that server. > >> > Even when consoled and logged in as Administrator it still > >> > gives that error. > >> > > >> > Is there any chance a setting could have been set locally on > >> > that server. If so where does a person look to find out if it > >> > has been reset? > >> > > >> > thanks for your response > >> > > >> > "Vera Noest [MVP]" wrote: > >> > > >> >> Given the error message that you get, I'm still convinced > >> >> it's a GPO setting. Have you tried resultant set of > >> >> Policies? > >> >> > >> >> _________________________________________________________ > >> >> Vera Noest > >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> TS troubleshooting: http://ts.veranoest.net > >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> > >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 08 > >> >> nov 2007 in microsoft.public.windows.terminal_services: > >> >> > >> >> > Thanks for the reply > >> >> > > >> >> > I found an article on doing that and it still isn't > >> >> > working. I have even restarted the terminal server to try > >> >> > and fix the issue. > >> >> > > >> >> > Could there be a registry setting on the server itself > >> >> > that would prevent installations? > >> >> > > >> >> > > >> >> > "Vera Noest [MVP]" wrote: > >> >> > > >> >> >> Sounds like you want to enable this GPO setting: > >> >> >> > >> >> >> Computer Configuration - Administrative Templates - > >> >> >> Windows Components - Windows Installer > >> >> >> "Allow admin to install from Terminal Services session" > >> >> >> _________________________________________________________ > >> >> >> Vera Noest > >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> >> > >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on > >> >> >> 08 nov 2007 in > >> >> >> microsoft.public.windows.terminal_services: > >> >> >> > >> >> >> > I am having an issue installing programs consoled in > >> >> >> > and logged in as admininstrator. > >> >> >> > It keeps giving the message of "The system > >> >> >> > administrator has set policies to prevent this > >> >> >> > installation" > >> >> >> > > >> >> >> > I don't know of any policy set to prevent this from > >> >> >> > even happening for the administrator. I have went to > >> >> >> > the lengths of removing the group policy for the users > >> >> >> > and trying it again without any luck. > >> >> >> > > >> >> >> > Does anyone know how to reset everything on that server > >> >> >> > or any suggestions. > >> >> >> > > >> >> >> > Thanks, > >> >> >> > TM >
Guest Vera Noest [MVP] Posted August 1, 2008 Posted August 1, 2008 Re: Administrator Consoled in Can not install software Asif, you seem to append to an old thread which was about the opposite of your problem. That's very confusing. Next time, please start a new thread and clearly state your problem. What exactly is it that you want to achieve? I'm assuming that your are the Administrator of a TS, and that you want to prohibit users to install software, is that correct? Or do you want to disable this for all users, including Administrators? If you just want to take away this possibility for normal users, the answer is that they don't have the proper rights any way, assuming that you run on Windows 2003 and have installed Terminal Services with "Full Security". They can install applications in their home folder, but can't add or replace system files, dll's etc. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net *----------- Please reply in newsgroup -------------* =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008: > Vera, > > I have disabled the windows installer but that only applies to > software installations that use windows installer to install > itself. There are other installs that dont use windows install. > e.g. installing Mozilla Firefox. I have the GPO you mentioned > for the windows installer enabled but i can still install > firefox........what else can i try? > > "Vera Noest [MVP]" wrote: > >> OK, thanks for the feedback, I'm glad that your problem is >> solved! It's a bit puzzeling though that the problem didn't >> disappear by configuring the GPO setting in the domain-wide GPO >> applied to the TS, since those settings override the local >> policy. >> >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov >> 2007 in microsoft.public.windows.terminal_services: >> >> > Thanks for your help it was the local policy that was still >> > turned on. >> > >> > >> > "Vera Noest [MVP]" wrote: >> > >> >> Did you run Resultant Set of Policies, as I suggested in my >> >> previous post? That would tell you exactly which policy has >> >> the setting configured. >> >> You can edit the local policy with gpedit.msc >> >> >> >> If you get this error message even when you are logged in at >> >> the physical console of the server, then it seems that >> >> Windows Installer is disabled completely, not only for >> >> installations from within a TS session. That setting can be >> >> found in Computer Configuration - Administrative Templates - >> >> Windows Components - Windows Installer >> >> "Disable Windows Installer" >> >> >> >> Other troubleshooting tools could be: >> >> >> >> 223300 - How to Enable Windows Installer Logging >> >> http://support.microsoft.com/?kbid=223300 >> >> >> >> 221833 - How to enable user environment debug logging in >> >> retail builds of Windows >> >> http://support.microsoft.com/?kbid=221833 >> >> _________________________________________________________ >> >> Vera Noest >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> TS troubleshooting: http://ts.veranoest.net >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 >> >> nov 2007 in microsoft.public.windows.terminal_services: >> >> >> >> > Well I have went through on the domain controller and >> >> > removed the group policy for that server. >> >> > Even when consoled and logged in as Administrator it still >> >> > gives that error. >> >> > >> >> > Is there any chance a setting could have been set locally >> >> > on that server. If so where does a person look to find out >> >> > if it has been reset? >> >> > >> >> > thanks for your response >> >> > >> >> > "Vera Noest [MVP]" wrote: >> >> > >> >> >> Given the error message that you get, I'm still convinced >> >> >> it's a GPO setting. Have you tried resultant set of >> >> >> Policies? >> >> >> >> >> >> _________________________________________________________ >> >> >> Vera Noest >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on >> >> >> 08 nov 2007 in >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> > Thanks for the reply >> >> >> > >> >> >> > I found an article on doing that and it still isn't >> >> >> > working. I have even restarted the terminal server to >> >> >> > try and fix the issue. >> >> >> > >> >> >> > Could there be a registry setting on the server itself >> >> >> > that would prevent installations? >> >> >> > >> >> >> > >> >> >> > "Vera Noest [MVP]" wrote: >> >> >> > >> >> >> >> Sounds like you want to enable this GPO setting: >> >> >> >> >> >> >> >> Computer Configuration - Administrative Templates - >> >> >> >> Windows Components - Windows Installer >> >> >> >> "Allow admin to install from Terminal Services >> >> >> >> session" >> >> >> >> _______________________________________________________ >> >> >> >> __ Vera Noest >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> >> ___ please respond in newsgroup, NOT by private email >> >> >> >> ___ >> >> >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote >> >> >> >> on 08 nov 2007 in >> >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> >> >> > I am having an issue installing programs consoled in >> >> >> >> > and logged in as admininstrator. >> >> >> >> > It keeps giving the message of "The system >> >> >> >> > administrator has set policies to prevent this >> >> >> >> > installation" >> >> >> >> > >> >> >> >> > I don't know of any policy set to prevent this from >> >> >> >> > even happening for the administrator. I have went to >> >> >> >> > the lengths of removing the group policy for the >> >> >> >> > users and trying it again without any luck. >> >> >> >> > >> >> >> >> > Does anyone know how to reset everything on that >> >> >> >> > server or any suggestions. >> >> >> >> > >> >> >> >> > Thanks, >> >> >> >> > TM
Guest Asif Shah Posted August 1, 2008 Posted August 1, 2008 Re: Administrator Consoled in Can not install software Vera, My appoligies for adding to an older thread. I just thought since you were dicussing a similiar problem I would post my issue. I will keep in mind nex time. I am the administrator and I am trying to restrict all non-admin users from installing software on the server. This is on a Windows 2000 server. How can I check if I installed TS with full security. Apprently something is not setup right, because few days ago I discovered that new software were installed, some games and Mozilla Firebox. I checked with my admins and they didnt. So it had to have been a regular user. No other user has right like us admins. I even did a test. I logged in as a normal user whose password I knew and I was able to download and install Firefox and other software. The only thing I have done is disable the windows installer but seems like that only works for software that use windows installer to install itself. The article I read from Microsoft that talks about this GPO mentions this condition. What else can I do? What else can I check? Thanks. "Vera Noest [MVP]" wrote: > Asif, you seem to append to an old thread which was about the > opposite of your problem. That's very confusing. Next time, please > start a new thread and clearly state your problem. > > What exactly is it that you want to achieve? I'm assuming that your > are the Administrator of a TS, and that you want to prohibit users > to install software, is that correct? Or do you want to disable > this for all users, including Administrators? > > If you just want to take away this possibility for normal users, > the answer is that they don't have the proper rights any way, > assuming that you run on Windows 2003 and have installed Terminal > Services with "Full Security". They can install applications in > their home folder, but can't add or replace system files, dll's > etc. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > *----------- Please reply in newsgroup -------------* > > =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > wrote on 01 aug 2008: > > > Vera, > > > > I have disabled the windows installer but that only applies to > > software installations that use windows installer to install > > itself. There are other installs that dont use windows install. > > e.g. installing Mozilla Firefox. I have the GPO you mentioned > > for the windows installer enabled but i can still install > > firefox........what else can i try? > > > > "Vera Noest [MVP]" wrote: > > > >> OK, thanks for the feedback, I'm glad that your problem is > >> solved! It's a bit puzzeling though that the problem didn't > >> disappear by configuring the GPO setting in the domain-wide GPO > >> applied to the TS, since those settings override the local > >> policy. > >> > >> _________________________________________________________ > >> Vera Noest > >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> TS troubleshooting: http://ts.veranoest.net > >> ___ please respond in newsgroup, NOT by private email ___ > >> > >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 nov > >> 2007 in microsoft.public.windows.terminal_services: > >> > >> > Thanks for your help it was the local policy that was still > >> > turned on. > >> > > >> > > >> > "Vera Noest [MVP]" wrote: > >> > > >> >> Did you run Resultant Set of Policies, as I suggested in my > >> >> previous post? That would tell you exactly which policy has > >> >> the setting configured. > >> >> You can edit the local policy with gpedit.msc > >> >> > >> >> If you get this error message even when you are logged in at > >> >> the physical console of the server, then it seems that > >> >> Windows Installer is disabled completely, not only for > >> >> installations from within a TS session. That setting can be > >> >> found in Computer Configuration - Administrative Templates - > >> >> Windows Components - Windows Installer > >> >> "Disable Windows Installer" > >> >> > >> >> Other troubleshooting tools could be: > >> >> > >> >> 223300 - How to Enable Windows Installer Logging > >> >> http://support.microsoft.com/?kbid=223300 > >> >> > >> >> 221833 - How to enable user environment debug logging in > >> >> retail builds of Windows > >> >> http://support.microsoft.com/?kbid=221833 > >> >> _________________________________________________________ > >> >> Vera Noest > >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> TS troubleshooting: http://ts.veranoest.net > >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> > >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 > >> >> nov 2007 in microsoft.public.windows.terminal_services: > >> >> > >> >> > Well I have went through on the domain controller and > >> >> > removed the group policy for that server. > >> >> > Even when consoled and logged in as Administrator it still > >> >> > gives that error. > >> >> > > >> >> > Is there any chance a setting could have been set locally > >> >> > on that server. If so where does a person look to find out > >> >> > if it has been reset? > >> >> > > >> >> > thanks for your response > >> >> > > >> >> > "Vera Noest [MVP]" wrote: > >> >> > > >> >> >> Given the error message that you get, I'm still convinced > >> >> >> it's a GPO setting. Have you tried resultant set of > >> >> >> Policies? > >> >> >> > >> >> >> _________________________________________________________ > >> >> >> Vera Noest > >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> >> > >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on > >> >> >> 08 nov 2007 in > >> >> >> microsoft.public.windows.terminal_services: > >> >> >> > >> >> >> > Thanks for the reply > >> >> >> > > >> >> >> > I found an article on doing that and it still isn't > >> >> >> > working. I have even restarted the terminal server to > >> >> >> > try and fix the issue. > >> >> >> > > >> >> >> > Could there be a registry setting on the server itself > >> >> >> > that would prevent installations? > >> >> >> > > >> >> >> > > >> >> >> > "Vera Noest [MVP]" wrote: > >> >> >> > > >> >> >> >> Sounds like you want to enable this GPO setting: > >> >> >> >> > >> >> >> >> Computer Configuration - Administrative Templates - > >> >> >> >> Windows Components - Windows Installer > >> >> >> >> "Allow admin to install from Terminal Services > >> >> >> >> session" > >> >> >> >> _______________________________________________________ > >> >> >> >> __ Vera Noest > >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> >> ___ please respond in newsgroup, NOT by private email > >> >> >> >> ___ > >> >> >> >> > >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote > >> >> >> >> on 08 nov 2007 in > >> >> >> >> microsoft.public.windows.terminal_services: > >> >> >> >> > >> >> >> >> > I am having an issue installing programs consoled in > >> >> >> >> > and logged in as admininstrator. > >> >> >> >> > It keeps giving the message of "The system > >> >> >> >> > administrator has set policies to prevent this > >> >> >> >> > installation" > >> >> >> >> > > >> >> >> >> > I don't know of any policy set to prevent this from > >> >> >> >> > even happening for the administrator. I have went to > >> >> >> >> > the lengths of removing the group policy for the > >> >> >> >> > users and trying it again without any luck. > >> >> >> >> > > >> >> >> >> > Does anyone know how to reset everything on that > >> >> >> >> > server or any suggestions. > >> >> >> >> > > >> >> >> >> > Thanks, > >> >> >> >> > TM >
Guest Vera Noest [MVP] Posted August 2, 2008 Posted August 2, 2008 Re: Administrator Consoled in Can not install software OK, seems like the Terminal Services was installed with relaxed security. It's a long time ago that I worked with W2K TS, so I'm unsure about the details, but I believe that you can check (and change?) this in Terminal Services Configuration - Server settings. You'll have to further secure the server with NTFS permissions on the file system. At the minimum, modify the NTFS permissions as follows: %SystemDrive%, %SystemRoot%, %ProgramFiles% and %SystemRoot%\system32 : System - Full Control Administrators - Full Control Authenticated Users - Read & Execute _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008 in microsoft.public.windows.terminal_services: > Vera, > > My appoligies for adding to an older thread. I just thought > since you were dicussing a similiar problem I would post my > issue. I will keep in mind nex time. > > I am the administrator and I am trying to restrict all non-admin > users from installing software on the server. This is on a > Windows 2000 server. How can I check if I installed TS with full > security. Apprently something is not setup right, because few > days ago I discovered that new software were installed, some > games and Mozilla Firebox. I checked with my admins and they > didnt. So it had to have been a regular user. No other user has > right like us admins. I even did a test. I logged in as a normal > user whose password I knew and I was able to download and > install Firefox and other software. > > The only thing I have done is disable the windows installer but > seems like that only works for software that use windows > installer to install itself. The article I read from Microsoft > that talks about this GPO mentions this condition. What else can > I do? What else can I check? > > Thanks. > > "Vera Noest [MVP]" wrote: > >> Asif, you seem to append to an old thread which was about the >> opposite of your problem. That's very confusing. Next time, >> please start a new thread and clearly state your problem. >> >> What exactly is it that you want to achieve? I'm assuming that >> your are the Administrator of a TS, and that you want to >> prohibit users to install software, is that correct? Or do you >> want to disable this for all users, including Administrators? >> >> If you just want to take away this possibility for normal >> users, the answer is that they don't have the proper rights any >> way, assuming that you run on Windows 2003 and have installed >> Terminal Services with "Full Security". They can install >> applications in their home folder, but can't add or replace >> system files, dll's etc. >> >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> *----------- Please reply in newsgroup -------------* >> >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> >> wrote on 01 aug 2008: >> >> > Vera, >> > >> > I have disabled the windows installer but that only applies >> > to software installations that use windows installer to >> > install itself. There are other installs that dont use >> > windows install. e.g. installing Mozilla Firefox. I have the >> > GPO you mentioned for the windows installer enabled but i can >> > still install firefox........what else can i try? >> > >> > "Vera Noest [MVP]" wrote: >> > >> >> OK, thanks for the feedback, I'm glad that your problem is >> >> solved! It's a bit puzzeling though that the problem didn't >> >> disappear by configuring the GPO setting in the domain-wide >> >> GPO applied to the TS, since those settings override the >> >> local policy. >> >> >> >> _________________________________________________________ >> >> Vera Noest >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> TS troubleshooting: http://ts.veranoest.net >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 >> >> nov 2007 in microsoft.public.windows.terminal_services: >> >> >> >> > Thanks for your help it was the local policy that was >> >> > still turned on. >> >> > >> >> > >> >> > "Vera Noest [MVP]" wrote: >> >> > >> >> >> Did you run Resultant Set of Policies, as I suggested in >> >> >> my previous post? That would tell you exactly which >> >> >> policy has the setting configured. >> >> >> You can edit the local policy with gpedit.msc >> >> >> >> >> >> If you get this error message even when you are logged in >> >> >> at the physical console of the server, then it seems that >> >> >> Windows Installer is disabled completely, not only for >> >> >> installations from within a TS session. That setting can >> >> >> be found in Computer Configuration - Administrative >> >> >> Templates - Windows Components - Windows Installer >> >> >> "Disable Windows Installer" >> >> >> >> >> >> Other troubleshooting tools could be: >> >> >> >> >> >> 223300 - How to Enable Windows Installer Logging >> >> >> http://support.microsoft.com/?kbid=223300 >> >> >> >> >> >> 221833 - How to enable user environment debug logging in >> >> >> retail builds of Windows >> >> >> http://support.microsoft.com/?kbid=221833 >> >> >> _________________________________________________________ >> >> >> Vera Noest >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on >> >> >> 14 nov 2007 in >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> > Well I have went through on the domain controller and >> >> >> > removed the group policy for that server. >> >> >> > Even when consoled and logged in as Administrator it >> >> >> > still gives that error. >> >> >> > >> >> >> > Is there any chance a setting could have been set >> >> >> > locally on that server. If so where does a person look >> >> >> > to find out if it has been reset? >> >> >> > >> >> >> > thanks for your response >> >> >> > >> >> >> > "Vera Noest [MVP]" wrote: >> >> >> > >> >> >> >> Given the error message that you get, I'm still >> >> >> >> convinced it's a GPO setting. Have you tried resultant >> >> >> >> set of Policies? >> >> >> >> >> >> >> >> _______________________________________________________ >> >> >> >> __ Vera Noest >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> >> ___ please respond in newsgroup, NOT by private email >> >> >> >> ___ >> >> >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote >> >> >> >> on 08 nov 2007 in >> >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> >> >> > Thanks for the reply >> >> >> >> > >> >> >> >> > I found an article on doing that and it still isn't >> >> >> >> > working. I have even restarted the terminal server >> >> >> >> > to try and fix the issue. >> >> >> >> > >> >> >> >> > Could there be a registry setting on the server >> >> >> >> > itself that would prevent installations? >> >> >> >> > >> >> >> >> > >> >> >> >> > "Vera Noest [MVP]" wrote: >> >> >> >> > >> >> >> >> >> Sounds like you want to enable this GPO setting: >> >> >> >> >> >> >> >> >> >> Computer Configuration - Administrative Templates - >> >> >> >> >> Windows Components - Windows Installer >> >> >> >> >> "Allow admin to install from Terminal Services >> >> >> >> >> session" >> >> >> >> >> ____________________________________________________ >> >> >> >> >> ___ __ Vera Noest >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> >> >> ___ please respond in newsgroup, NOT by private >> >> >> >> >> email ___ >> >> >> >> >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> >> >> >> >> >> wrote on 08 nov 2007 in >> >> >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> >> >> >> >> > I am having an issue installing programs consoled >> >> >> >> >> > in and logged in as admininstrator. >> >> >> >> >> > It keeps giving the message of "The system >> >> >> >> >> > administrator has set policies to prevent this >> >> >> >> >> > installation" >> >> >> >> >> > >> >> >> >> >> > I don't know of any policy set to prevent this >> >> >> >> >> > from even happening for the administrator. I have >> >> >> >> >> > went to the lengths of removing the group policy >> >> >> >> >> > for the users and trying it again without any >> >> >> >> >> > luck. >> >> >> >> >> > >> >> >> >> >> > Does anyone know how to reset everything on that >> >> >> >> >> > server or any suggestions. >> >> >> >> >> > >> >> >> >> >> > Thanks, >> >> >> >> >> > TM
Guest Asif Shah Posted August 2, 2008 Posted August 2, 2008 Re: Administrator Consoled in Can not install software I am looking at the Terminal Services Configuration - Server Settings, which setting do I change. I dont see anything that says "relaxed security". "Vera Noest [MVP]" wrote: > OK, seems like the Terminal Services was installed with relaxed > security. It's a long time ago that I worked with W2K TS, so I'm > unsure about the details, but I believe that you can check (and > change?) this in Terminal Services Configuration - Server settings. > > You'll have to further secure the server with NTFS permissions on > the file system. At the minimum, modify the NTFS permissions as > follows: > %SystemDrive%, %SystemRoot%, %ProgramFiles% and > %SystemRoot%\system32 : > System - Full Control > Administrators - Full Control > Authenticated Users - Read & Execute > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > wrote on 01 aug 2008 in > microsoft.public.windows.terminal_services: > > > Vera, > > > > My appoligies for adding to an older thread. I just thought > > since you were dicussing a similiar problem I would post my > > issue. I will keep in mind nex time. > > > > I am the administrator and I am trying to restrict all non-admin > > users from installing software on the server. This is on a > > Windows 2000 server. How can I check if I installed TS with full > > security. Apprently something is not setup right, because few > > days ago I discovered that new software were installed, some > > games and Mozilla Firebox. I checked with my admins and they > > didnt. So it had to have been a regular user. No other user has > > right like us admins. I even did a test. I logged in as a normal > > user whose password I knew and I was able to download and > > install Firefox and other software. > > > > The only thing I have done is disable the windows installer but > > seems like that only works for software that use windows > > installer to install itself. The article I read from Microsoft > > that talks about this GPO mentions this condition. What else can > > I do? What else can I check? > > > > Thanks. > > > > "Vera Noest [MVP]" wrote: > > > >> Asif, you seem to append to an old thread which was about the > >> opposite of your problem. That's very confusing. Next time, > >> please start a new thread and clearly state your problem. > >> > >> What exactly is it that you want to achieve? I'm assuming that > >> your are the Administrator of a TS, and that you want to > >> prohibit users to install software, is that correct? Or do you > >> want to disable this for all users, including Administrators? > >> > >> If you just want to take away this possibility for normal > >> users, the answer is that they don't have the proper rights any > >> way, assuming that you run on Windows 2003 and have installed > >> Terminal Services with "Full Security". They can install > >> applications in their home folder, but can't add or replace > >> system files, dll's etc. > >> > >> _________________________________________________________ > >> Vera Noest > >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> TS troubleshooting: http://ts.veranoest.net > >> *----------- Please reply in newsgroup -------------* > >> > >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > >> wrote on 01 aug 2008: > >> > >> > Vera, > >> > > >> > I have disabled the windows installer but that only applies > >> > to software installations that use windows installer to > >> > install itself. There are other installs that dont use > >> > windows install. e.g. installing Mozilla Firefox. I have the > >> > GPO you mentioned for the windows installer enabled but i can > >> > still install firefox........what else can i try? > >> > > >> > "Vera Noest [MVP]" wrote: > >> > > >> >> OK, thanks for the feedback, I'm glad that your problem is > >> >> solved! It's a bit puzzeling though that the problem didn't > >> >> disappear by configuring the GPO setting in the domain-wide > >> >> GPO applied to the TS, since those settings override the > >> >> local policy. > >> >> > >> >> _________________________________________________________ > >> >> Vera Noest > >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> TS troubleshooting: http://ts.veranoest.net > >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> > >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on 14 > >> >> nov 2007 in microsoft.public.windows.terminal_services: > >> >> > >> >> > Thanks for your help it was the local policy that was > >> >> > still turned on. > >> >> > > >> >> > > >> >> > "Vera Noest [MVP]" wrote: > >> >> > > >> >> >> Did you run Resultant Set of Policies, as I suggested in > >> >> >> my previous post? That would tell you exactly which > >> >> >> policy has the setting configured. > >> >> >> You can edit the local policy with gpedit.msc > >> >> >> > >> >> >> If you get this error message even when you are logged in > >> >> >> at the physical console of the server, then it seems that > >> >> >> Windows Installer is disabled completely, not only for > >> >> >> installations from within a TS session. That setting can > >> >> >> be found in Computer Configuration - Administrative > >> >> >> Templates - Windows Components - Windows Installer > >> >> >> "Disable Windows Installer" > >> >> >> > >> >> >> Other troubleshooting tools could be: > >> >> >> > >> >> >> 223300 - How to Enable Windows Installer Logging > >> >> >> http://support.microsoft.com/?kbid=223300 > >> >> >> > >> >> >> 221833 - How to enable user environment debug logging in > >> >> >> retail builds of Windows > >> >> >> http://support.microsoft.com/?kbid=221833 > >> >> >> _________________________________________________________ > >> >> >> Vera Noest > >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> >> > >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on > >> >> >> 14 nov 2007 in > >> >> >> microsoft.public.windows.terminal_services: > >> >> >> > >> >> >> > Well I have went through on the domain controller and > >> >> >> > removed the group policy for that server. > >> >> >> > Even when consoled and logged in as Administrator it > >> >> >> > still gives that error. > >> >> >> > > >> >> >> > Is there any chance a setting could have been set > >> >> >> > locally on that server. If so where does a person look > >> >> >> > to find out if it has been reset? > >> >> >> > > >> >> >> > thanks for your response > >> >> >> > > >> >> >> > "Vera Noest [MVP]" wrote: > >> >> >> > > >> >> >> >> Given the error message that you get, I'm still > >> >> >> >> convinced it's a GPO setting. Have you tried resultant > >> >> >> >> set of Policies? > >> >> >> >> > >> >> >> >> _______________________________________________________ > >> >> >> >> __ Vera Noest > >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> >> ___ please respond in newsgroup, NOT by private email > >> >> >> >> ___ > >> >> >> >> > >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote > >> >> >> >> on 08 nov 2007 in > >> >> >> >> microsoft.public.windows.terminal_services: > >> >> >> >> > >> >> >> >> > Thanks for the reply > >> >> >> >> > > >> >> >> >> > I found an article on doing that and it still isn't > >> >> >> >> > working. I have even restarted the terminal server > >> >> >> >> > to try and fix the issue. > >> >> >> >> > > >> >> >> >> > Could there be a registry setting on the server > >> >> >> >> > itself that would prevent installations? > >> >> >> >> > > >> >> >> >> > > >> >> >> >> > "Vera Noest [MVP]" wrote: > >> >> >> >> > > >> >> >> >> >> Sounds like you want to enable this GPO setting: > >> >> >> >> >> > >> >> >> >> >> Computer Configuration - Administrative Templates - > >> >> >> >> >> Windows Components - Windows Installer > >> >> >> >> >> "Allow admin to install from Terminal Services > >> >> >> >> >> session" > >> >> >> >> >> ____________________________________________________ > >> >> >> >> >> ___ __ Vera Noest > >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> >> >> ___ please respond in newsgroup, NOT by private > >> >> >> >> >> email ___ > >> >> >> >> >> > >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> > >> >> >> >> >> wrote on 08 nov 2007 in > >> >> >> >> >> microsoft.public.windows.terminal_services: > >> >> >> >> >> > >> >> >> >> >> > I am having an issue installing programs consoled > >> >> >> >> >> > in and logged in as admininstrator. > >> >> >> >> >> > It keeps giving the message of "The system > >> >> >> >> >> > administrator has set policies to prevent this > >> >> >> >> >> > installation" > >> >> >> >> >> > > >> >> >> >> >> > I don't know of any policy set to prevent this > >> >> >> >> >> > from even happening for the administrator. I have > >> >> >> >> >> > went to the lengths of removing the group policy > >> >> >> >> >> > for the users and trying it again without any > >> >> >> >> >> > luck. > >> >> >> >> >> > > >> >> >> >> >> > Does anyone know how to reset everything on that > >> >> >> >> >> > server or any suggestions. > >> >> >> >> >> > > >> >> >> >> >> > Thanks, > >> >> >> >> >> > TM >
Guest Vera Noest [MVP] Posted August 3, 2008 Posted August 3, 2008 Re: Administrator Consoled in Can not install software Well, as I wrote, I don't remember the details of a W2K TS. During installation, you are asked to choose the "Compatibility mode". Is there anyting in tscc which mentions that? If so, you chould choose "Permissions compatible with Windows 2000 Users". Anyone else maybe, who has access to a W2K TS? _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> wrote on 02 aug 2008 in microsoft.public.windows.terminal_services: > I am looking at the Terminal Services Configuration - Server > Settings, which setting do I change. I dont see anything that > says "relaxed security". > > "Vera Noest [MVP]" wrote: > >> OK, seems like the Terminal Services was installed with relaxed >> security. It's a long time ago that I worked with W2K TS, so >> I'm unsure about the details, but I believe that you can check >> (and change?) this in Terminal Services Configuration - Server >> settings. >> >> You'll have to further secure the server with NTFS permissions >> on the file system. At the minimum, modify the NTFS permissions >> as follows: >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and >> %SystemRoot%\system32 : >> System - Full Control >> Administrators - Full Control >> Authenticated Users - Read & Execute >> >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> >> wrote on 01 aug 2008 in >> microsoft.public.windows.terminal_services: >> >> > Vera, >> > >> > My appoligies for adding to an older thread. I just thought >> > since you were dicussing a similiar problem I would post my >> > issue. I will keep in mind nex time. >> > >> > I am the administrator and I am trying to restrict all >> > non-admin users from installing software on the server. This >> > is on a Windows 2000 server. How can I check if I installed >> > TS with full security. Apprently something is not setup >> > right, because few days ago I discovered that new software >> > were installed, some games and Mozilla Firebox. I checked >> > with my admins and they didnt. So it had to have been a >> > regular user. No other user has right like us admins. I even >> > did a test. I logged in as a normal user whose password I >> > knew and I was able to download and install Firefox and other >> > software. >> > >> > The only thing I have done is disable the windows installer >> > but seems like that only works for software that use windows >> > installer to install itself. The article I read from >> > Microsoft that talks about this GPO mentions this condition. >> > What else can I do? What else can I check? >> > >> > Thanks. >> > >> > "Vera Noest [MVP]" wrote: >> > >> >> Asif, you seem to append to an old thread which was about >> >> the opposite of your problem. That's very confusing. Next >> >> time, please start a new thread and clearly state your >> >> problem. >> >> >> >> What exactly is it that you want to achieve? I'm assuming >> >> that your are the Administrator of a TS, and that you want >> >> to prohibit users to install software, is that correct? Or >> >> do you want to disable this for all users, including >> >> Administrators? >> >> >> >> If you just want to take away this possibility for normal >> >> users, the answer is that they don't have the proper rights >> >> any way, assuming that you run on Windows 2003 and have >> >> installed Terminal Services with "Full Security". They can >> >> install applications in their home folder, but can't add or >> >> replace system files, dll's etc. >> >> >> >> _________________________________________________________ >> >> Vera Noest >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> TS troubleshooting: http://ts.veranoest.net >> >> *----------- Please reply in newsgroup -------------* >> >> >> >> =?Utf-8?B?QXNpZiBTaGFo?= >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008: >> >> >> >> > Vera, >> >> > >> >> > I have disabled the windows installer but that only >> >> > applies to software installations that use windows >> >> > installer to install itself. There are other installs that >> >> > dont use windows install. e.g. installing Mozilla Firefox. >> >> > I have the GPO you mentioned for the windows installer >> >> > enabled but i can still install firefox........what else >> >> > can i try? >> >> > >> >> > "Vera Noest [MVP]" wrote: >> >> > >> >> >> OK, thanks for the feedback, I'm glad that your problem >> >> >> is solved! It's a bit puzzeling though that the problem >> >> >> didn't disappear by configuring the GPO setting in the >> >> >> domain-wide GPO applied to the TS, since those settings >> >> >> override the local policy. >> >> >> >> >> >> _________________________________________________________ >> >> >> Vera Noest >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on >> >> >> 14 nov 2007 in >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> > Thanks for your help it was the local policy that was >> >> >> > still turned on. >> >> >> > >> >> >> > >> >> >> > "Vera Noest [MVP]" wrote: >> >> >> > >> >> >> >> Did you run Resultant Set of Policies, as I suggested >> >> >> >> in my previous post? That would tell you exactly which >> >> >> >> policy has the setting configured. >> >> >> >> You can edit the local policy with gpedit.msc >> >> >> >> >> >> >> >> If you get this error message even when you are logged >> >> >> >> in at the physical console of the server, then it >> >> >> >> seems that Windows Installer is disabled completely, >> >> >> >> not only for installations from within a TS session. >> >> >> >> That setting can be found in Computer Configuration - >> >> >> >> Administrative Templates - Windows Components - >> >> >> >> Windows Installer "Disable Windows Installer" >> >> >> >> >> >> >> >> Other troubleshooting tools could be: >> >> >> >> >> >> >> >> 223300 - How to Enable Windows Installer Logging >> >> >> >> http://support.microsoft.com/?kbid=223300 >> >> >> >> >> >> >> >> 221833 - How to enable user environment debug logging >> >> >> >> in retail builds of Windows >> >> >> >> http://support.microsoft.com/?kbid=221833 >> >> >> >> _______________________________________________________ >> >> >> >> __ Vera Noest >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> >> ___ please respond in newsgroup, NOT by private email >> >> >> >> ___ >> >> >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote >> >> >> >> on 14 nov 2007 in >> >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> >> >> > Well I have went through on the domain controller >> >> >> >> > and removed the group policy for that server. >> >> >> >> > Even when consoled and logged in as Administrator it >> >> >> >> > still gives that error. >> >> >> >> > >> >> >> >> > Is there any chance a setting could have been set >> >> >> >> > locally on that server. If so where does a person >> >> >> >> > look to find out if it has been reset? >> >> >> >> > >> >> >> >> > thanks for your response >> >> >> >> > >> >> >> >> > "Vera Noest [MVP]" wrote: >> >> >> >> > >> >> >> >> >> Given the error message that you get, I'm still >> >> >> >> >> convinced it's a GPO setting. Have you tried >> >> >> >> >> resultant set of Policies? >> >> >> >> >> >> >> >> >> >> ____________________________________________________ >> >> >> >> >> ___ __ Vera Noest >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> >> >> ___ please respond in newsgroup, NOT by private >> >> >> >> >> email ___ >> >> >> >> >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> >> >> >> >> >> wrote on 08 nov 2007 in >> >> >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> >> >> >> >> > Thanks for the reply >> >> >> >> >> > >> >> >> >> >> > I found an article on doing that and it still >> >> >> >> >> > isn't working. I have even restarted the terminal >> >> >> >> >> > server to try and fix the issue. >> >> >> >> >> > >> >> >> >> >> > Could there be a registry setting on the server >> >> >> >> >> > itself that would prevent installations? >> >> >> >> >> > >> >> >> >> >> > >> >> >> >> >> > "Vera Noest [MVP]" wrote: >> >> >> >> >> > >> >> >> >> >> >> Sounds like you want to enable this GPO setting: >> >> >> >> >> >> >> >> >> >> >> >> Computer Configuration - Administrative >> >> >> >> >> >> Templates - Windows Components - Windows >> >> >> >> >> >> Installer "Allow admin to install from Terminal >> >> >> >> >> >> Services session" >> >> >> >> >> >> _________________________________________________ >> >> >> >> >> >> ___ ___ __ Vera Noest >> >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> >> >> >> ___ please respond in newsgroup, NOT by private >> >> >> >> >> >> email ___ >> >> >> >> >> >> >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> >> >> >> >> >> >> wrote on 08 nov 2007 in >> >> >> >> >> >> microsoft.public.windows.terminal_services: >> >> >> >> >> >> >> >> >> >> >> >> > I am having an issue installing programs >> >> >> >> >> >> > consoled in and logged in as admininstrator. >> >> >> >> >> >> > It keeps giving the message of "The system >> >> >> >> >> >> > administrator has set policies to prevent this >> >> >> >> >> >> > installation" >> >> >> >> >> >> > >> >> >> >> >> >> > I don't know of any policy set to prevent this >> >> >> >> >> >> > from even happening for the administrator. I >> >> >> >> >> >> > have went to the lengths of removing the group >> >> >> >> >> >> > policy for the users and trying it again >> >> >> >> >> >> > without any luck. >> >> >> >> >> >> > >> >> >> >> >> >> > Does anyone know how to reset everything on >> >> >> >> >> >> > that server or any suggestions. >> >> >> >> >> >> > >> >> >> >> >> >> > Thanks, >> >> >> >> >> >> > TM
Guest Asif Shah Posted August 3, 2008 Posted August 3, 2008 Re: Administrator Consoled in Can not install software I saw that settings. I had a feeling you were talking about that. Permissions compatible with Windows 2000 Users is already selected. "Vera Noest [MVP]" wrote: > Well, as I wrote, I don't remember the details of a W2K TS. During > installation, you are asked to choose the "Compatibility mode". Is > there anyting in tscc which mentions that? If so, you chould choose > "Permissions compatible with Windows 2000 Users". > > Anyone else maybe, who has access to a W2K TS? > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > wrote on 02 aug 2008 in > microsoft.public.windows.terminal_services: > > > I am looking at the Terminal Services Configuration - Server > > Settings, which setting do I change. I dont see anything that > > says "relaxed security". > > > > "Vera Noest [MVP]" wrote: > > > >> OK, seems like the Terminal Services was installed with relaxed > >> security. It's a long time ago that I worked with W2K TS, so > >> I'm unsure about the details, but I believe that you can check > >> (and change?) this in Terminal Services Configuration - Server > >> settings. > >> > >> You'll have to further secure the server with NTFS permissions > >> on the file system. At the minimum, modify the NTFS permissions > >> as follows: > >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and > >> %SystemRoot%\system32 : > >> System - Full Control > >> Administrators - Full Control > >> Authenticated Users - Read & Execute > >> > >> _________________________________________________________ > >> Vera Noest > >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> TS troubleshooting: http://ts.veranoest.net > >> ___ please respond in newsgroup, NOT by private email ___ > >> > >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > >> wrote on 01 aug 2008 in > >> microsoft.public.windows.terminal_services: > >> > >> > Vera, > >> > > >> > My appoligies for adding to an older thread. I just thought > >> > since you were dicussing a similiar problem I would post my > >> > issue. I will keep in mind nex time. > >> > > >> > I am the administrator and I am trying to restrict all > >> > non-admin users from installing software on the server. This > >> > is on a Windows 2000 server. How can I check if I installed > >> > TS with full security. Apprently something is not setup > >> > right, because few days ago I discovered that new software > >> > were installed, some games and Mozilla Firebox. I checked > >> > with my admins and they didnt. So it had to have been a > >> > regular user. No other user has right like us admins. I even > >> > did a test. I logged in as a normal user whose password I > >> > knew and I was able to download and install Firefox and other > >> > software. > >> > > >> > The only thing I have done is disable the windows installer > >> > but seems like that only works for software that use windows > >> > installer to install itself. The article I read from > >> > Microsoft that talks about this GPO mentions this condition. > >> > What else can I do? What else can I check? > >> > > >> > Thanks. > >> > > >> > "Vera Noest [MVP]" wrote: > >> > > >> >> Asif, you seem to append to an old thread which was about > >> >> the opposite of your problem. That's very confusing. Next > >> >> time, please start a new thread and clearly state your > >> >> problem. > >> >> > >> >> What exactly is it that you want to achieve? I'm assuming > >> >> that your are the Administrator of a TS, and that you want > >> >> to prohibit users to install software, is that correct? Or > >> >> do you want to disable this for all users, including > >> >> Administrators? > >> >> > >> >> If you just want to take away this possibility for normal > >> >> users, the answer is that they don't have the proper rights > >> >> any way, assuming that you run on Windows 2003 and have > >> >> installed Terminal Services with "Full Security". They can > >> >> install applications in their home folder, but can't add or > >> >> replace system files, dll's etc. > >> >> > >> >> _________________________________________________________ > >> >> Vera Noest > >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> TS troubleshooting: http://ts.veranoest.net > >> >> *----------- Please reply in newsgroup -------------* > >> >> > >> >> =?Utf-8?B?QXNpZiBTaGFo?= > >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008: > >> >> > >> >> > Vera, > >> >> > > >> >> > I have disabled the windows installer but that only > >> >> > applies to software installations that use windows > >> >> > installer to install itself. There are other installs that > >> >> > dont use windows install. e.g. installing Mozilla Firefox. > >> >> > I have the GPO you mentioned for the windows installer > >> >> > enabled but i can still install firefox........what else > >> >> > can i try? > >> >> > > >> >> > "Vera Noest [MVP]" wrote: > >> >> > > >> >> >> OK, thanks for the feedback, I'm glad that your problem > >> >> >> is solved! It's a bit puzzeling though that the problem > >> >> >> didn't disappear by configuring the GPO setting in the > >> >> >> domain-wide GPO applied to the TS, since those settings > >> >> >> override the local policy. > >> >> >> > >> >> >> _________________________________________________________ > >> >> >> Vera Noest > >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> >> > >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on > >> >> >> 14 nov 2007 in > >> >> >> microsoft.public.windows.terminal_services: > >> >> >> > >> >> >> > Thanks for your help it was the local policy that was > >> >> >> > still turned on. > >> >> >> > > >> >> >> > > >> >> >> > "Vera Noest [MVP]" wrote: > >> >> >> > > >> >> >> >> Did you run Resultant Set of Policies, as I suggested > >> >> >> >> in my previous post? That would tell you exactly which > >> >> >> >> policy has the setting configured. > >> >> >> >> You can edit the local policy with gpedit.msc > >> >> >> >> > >> >> >> >> If you get this error message even when you are logged > >> >> >> >> in at the physical console of the server, then it > >> >> >> >> seems that Windows Installer is disabled completely, > >> >> >> >> not only for installations from within a TS session. > >> >> >> >> That setting can be found in Computer Configuration - > >> >> >> >> Administrative Templates - Windows Components - > >> >> >> >> Windows Installer "Disable Windows Installer" > >> >> >> >> > >> >> >> >> Other troubleshooting tools could be: > >> >> >> >> > >> >> >> >> 223300 - How to Enable Windows Installer Logging > >> >> >> >> http://support.microsoft.com/?kbid=223300 > >> >> >> >> > >> >> >> >> 221833 - How to enable user environment debug logging > >> >> >> >> in retail builds of Windows > >> >> >> >> http://support.microsoft.com/?kbid=221833 > >> >> >> >> _______________________________________________________ > >> >> >> >> __ Vera Noest > >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> >> ___ please respond in newsgroup, NOT by private email > >> >> >> >> ___ > >> >> >> >> > >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote > >> >> >> >> on 14 nov 2007 in > >> >> >> >> microsoft.public.windows.terminal_services: > >> >> >> >> > >> >> >> >> > Well I have went through on the domain controller > >> >> >> >> > and removed the group policy for that server. > >> >> >> >> > Even when consoled and logged in as Administrator it > >> >> >> >> > still gives that error. > >> >> >> >> > > >> >> >> >> > Is there any chance a setting could have been set > >> >> >> >> > locally on that server. If so where does a person > >> >> >> >> > look to find out if it has been reset? > >> >> >> >> > > >> >> >> >> > thanks for your response > >> >> >> >> > > >> >> >> >> > "Vera Noest [MVP]" wrote: > >> >> >> >> > > >> >> >> >> >> Given the error message that you get, I'm still > >> >> >> >> >> convinced it's a GPO setting. Have you tried > >> >> >> >> >> resultant set of Policies? > >> >> >> >> >> > >> >> >> >> >> ____________________________________________________ > >> >> >> >> >> ___ __ Vera Noest > >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> >> >> ___ please respond in newsgroup, NOT by private > >> >> >> >> >> email ___ > >> >> >> >> >> > >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> > >> >> >> >> >> wrote on 08 nov 2007 in > >> >> >> >> >> microsoft.public.windows.terminal_services: > >> >> >> >> >> > >> >> >> >> >> > Thanks for the reply > >> >> >> >> >> > > >> >> >> >> >> > I found an article on doing that and it still > >> >> >> >> >> > isn't working. I have even restarted the terminal > >> >> >> >> >> > server to try and fix the issue. > >> >> >> >> >> > > >> >> >> >> >> > Could there be a registry setting on the server > >> >> >> >> >> > itself that would prevent installations? > >> >> >> >> >> > > >> >> >> >> >> > > >> >> >> >> >> > "Vera Noest [MVP]" wrote: > >> >> >> >> >> > > >> >> >> >> >> >> Sounds like you want to enable this GPO setting: > >> >> >> >> >> >> > >> >> >> >> >> >> Computer Configuration - Administrative > >> >> >> >> >> >> Templates - Windows Components - Windows > >> >> >> >> >> >> Installer "Allow admin to install from Terminal > >> >> >> >> >> >> Services session" > >> >> >> >> >> >> _________________________________________________ > >> >> >> >> >> >> ___ ___ __ Vera Noest > >> >> >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> >> >> >> ___ please respond in newsgroup, NOT by private > >> >> >> >> >> >> email ___ > >> >> >> >> >> >> > >> >> >> >> >> >> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> > >> >> >> >> >> >> wrote on 08 nov 2007 in > >> >> >> >> >> >> microsoft.public.windows.terminal_services: > >> >> >> >> >> >> > >> >> >> >> >> >> > I am having an issue installing programs > >> >> >> >> >> >> > consoled in and logged in as admininstrator. > >> >> >> >> >> >> > It keeps giving the message of "The system > >> >> >> >> >> >> > administrator has set policies to prevent this > >> >> >> >> >> >> > installation" > >> >> >> >> >> >> > > >> >> >> >> >> >> > I don't know of any policy set to prevent this > >> >> >> >> >> >> > from even happening for the administrator. I > >> >> >> >> >> >> > have went to the lengths of removing the group > >> >> >> >> >> >> > policy for the users and trying it again > >> >> >> >> >> >> > without any luck. > >> >> >> >> >> >> > > >> >> >> >> >> >> > Does anyone know how to reset everything on > >> >> >> >> >> >> > that server or any suggestions. > >> >> >> >> >> >> > > >> >> >> >> >> >> > Thanks, > >> >> >> >> >> >> > TM >
Guest Vera Noest [MVP] Posted August 3, 2008 Posted August 3, 2008 Re: Administrator Consoled in Can not install software Then the next step is to make sure that your users are normal users, not Administrators or Power Users, and apply the NTFS permissions which I mentioned. Those will see to it that they cannot install anything which includes dlls or other files which must reside in the windows folder. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> wrote on 03 aug 2008 in microsoft.public.windows.terminal_services: > I saw that settings. I had a feeling you were talking about > that. Permissions compatible with Windows 2000 Users is already > selected. > > "Vera Noest [MVP]" wrote: > >> Well, as I wrote, I don't remember the details of a W2K TS. >> During installation, you are asked to choose the "Compatibility >> mode". Is there anyting in tscc which mentions that? If so, you >> chould choose "Permissions compatible with Windows 2000 Users". >> >> Anyone else maybe, who has access to a W2K TS? >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> >> wrote on 02 aug 2008 in >> microsoft.public.windows.terminal_services: >> >> > I am looking at the Terminal Services Configuration - Server >> > Settings, which setting do I change. I dont see anything that >> > says "relaxed security". >> > >> > "Vera Noest [MVP]" wrote: >> > >> >> OK, seems like the Terminal Services was installed with >> >> relaxed security. It's a long time ago that I worked with >> >> W2K TS, so I'm unsure about the details, but I believe that >> >> you can check (and change?) this in Terminal Services >> >> Configuration - Server settings. >> >> >> >> You'll have to further secure the server with NTFS >> >> permissions on the file system. At the minimum, modify the >> >> NTFS permissions as follows: >> >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and >> >> %SystemRoot%\system32 : >> >> System - Full Control >> >> Administrators - Full Control >> >> Authenticated Users - Read & Execute >> >> >> >> _________________________________________________________ >> >> Vera Noest >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> TS troubleshooting: http://ts.veranoest.net >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> =?Utf-8?B?QXNpZiBTaGFo?= >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008 in >> >> microsoft.public.windows.terminal_services: >> >> >> >> > Vera, >> >> > >> >> > My appoligies for adding to an older thread. I just >> >> > thought since you were dicussing a similiar problem I >> >> > would post my issue. I will keep in mind nex time. >> >> > >> >> > I am the administrator and I am trying to restrict all >> >> > non-admin users from installing software on the server. >> >> > This is on a Windows 2000 server. How can I check if I >> >> > installed TS with full security. Apprently something is >> >> > not setup right, because few days ago I discovered that >> >> > new software were installed, some games and Mozilla >> >> > Firebox. I checked with my admins and they didnt. So it >> >> > had to have been a regular user. No other user has right >> >> > like us admins. I even did a test. I logged in as a normal >> >> > user whose password I knew and I was able to download and >> >> > install Firefox and other software. >> >> > >> >> > The only thing I have done is disable the windows >> >> > installer but seems like that only works for software that >> >> > use windows installer to install itself. The article I >> >> > read from Microsoft that talks about this GPO mentions >> >> > this condition. What else can I do? What else can I check? >> >> > >> >> > Thanks. >> >> > >> >> > "Vera Noest [MVP]" wrote: >> >> > >> >> >> Asif, you seem to append to an old thread which was about >> >> >> the opposite of your problem. That's very confusing. Next >> >> >> time, please start a new thread and clearly state your >> >> >> problem. >> >> >> >> >> >> What exactly is it that you want to achieve? I'm assuming >> >> >> that your are the Administrator of a TS, and that you >> >> >> want to prohibit users to install software, is that >> >> >> correct? Or do you want to disable this for all users, >> >> >> including Administrators? >> >> >> >> >> >> If you just want to take away this possibility for normal >> >> >> users, the answer is that they don't have the proper >> >> >> rights any way, assuming that you run on Windows 2003 and >> >> >> have installed Terminal Services with "Full Security". >> >> >> They can install applications in their home folder, but >> >> >> can't add or replace system files, dll's etc. >> >> >> >> >> >> _________________________________________________________ >> >> >> Vera Noest >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> *----------- Please reply in newsgroup -------------* >> >> >> >> >> >> =?Utf-8?B?QXNpZiBTaGFo?= >> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug >> >> >> 2008: >> >> >> >> >> >> > Vera, >> >> >> > >> >> >> > I have disabled the windows installer but that only >> >> >> > applies to software installations that use windows >> >> >> > installer to install itself. There are other installs >> >> >> > that dont use windows install. e.g. installing Mozilla >> >> >> > Firefox. I have the GPO you mentioned for the windows >> >> >> > installer enabled but i can still install >> >> >> > firefox........what else can i try?
Guest Asif Shah Posted August 3, 2008 Posted August 3, 2008 Re: Administrator Consoled in Can not install software You mean the permissions on C drive, WINNT folder, Program Files, and WINNT/system32 folders? "Vera Noest [MVP]" wrote: > Then the next step is to make sure that your users are normal > users, not Administrators or Power Users, and apply the NTFS > permissions which I mentioned. Those will see to it that they > cannot install anything which includes dlls or other files which > must reside in the windows folder. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > wrote on 03 aug 2008 in > microsoft.public.windows.terminal_services: > > > I saw that settings. I had a feeling you were talking about > > that. Permissions compatible with Windows 2000 Users is already > > selected. > > > > "Vera Noest [MVP]" wrote: > > > >> Well, as I wrote, I don't remember the details of a W2K TS. > >> During installation, you are asked to choose the "Compatibility > >> mode". Is there anyting in tscc which mentions that? If so, you > >> chould choose "Permissions compatible with Windows 2000 Users". > >> > >> Anyone else maybe, who has access to a W2K TS? > >> _________________________________________________________ > >> Vera Noest > >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> TS troubleshooting: http://ts.veranoest.net > >> ___ please respond in newsgroup, NOT by private email ___ > >> > >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > >> wrote on 02 aug 2008 in > >> microsoft.public.windows.terminal_services: > >> > >> > I am looking at the Terminal Services Configuration - Server > >> > Settings, which setting do I change. I dont see anything that > >> > says "relaxed security". > >> > > >> > "Vera Noest [MVP]" wrote: > >> > > >> >> OK, seems like the Terminal Services was installed with > >> >> relaxed security. It's a long time ago that I worked with > >> >> W2K TS, so I'm unsure about the details, but I believe that > >> >> you can check (and change?) this in Terminal Services > >> >> Configuration - Server settings. > >> >> > >> >> You'll have to further secure the server with NTFS > >> >> permissions on the file system. At the minimum, modify the > >> >> NTFS permissions as follows: > >> >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and > >> >> %SystemRoot%\system32 : > >> >> System - Full Control > >> >> Administrators - Full Control > >> >> Authenticated Users - Read & Execute > >> >> > >> >> _________________________________________________________ > >> >> Vera Noest > >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> TS troubleshooting: http://ts.veranoest.net > >> >> ___ please respond in newsgroup, NOT by private email ___ > >> >> > >> >> =?Utf-8?B?QXNpZiBTaGFo?= > >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008 in > >> >> microsoft.public.windows.terminal_services: > >> >> > >> >> > Vera, > >> >> > > >> >> > My appoligies for adding to an older thread. I just > >> >> > thought since you were dicussing a similiar problem I > >> >> > would post my issue. I will keep in mind nex time. > >> >> > > >> >> > I am the administrator and I am trying to restrict all > >> >> > non-admin users from installing software on the server. > >> >> > This is on a Windows 2000 server. How can I check if I > >> >> > installed TS with full security. Apprently something is > >> >> > not setup right, because few days ago I discovered that > >> >> > new software were installed, some games and Mozilla > >> >> > Firebox. I checked with my admins and they didnt. So it > >> >> > had to have been a regular user. No other user has right > >> >> > like us admins. I even did a test. I logged in as a normal > >> >> > user whose password I knew and I was able to download and > >> >> > install Firefox and other software. > >> >> > > >> >> > The only thing I have done is disable the windows > >> >> > installer but seems like that only works for software that > >> >> > use windows installer to install itself. The article I > >> >> > read from Microsoft that talks about this GPO mentions > >> >> > this condition. What else can I do? What else can I check? > >> >> > > >> >> > Thanks. > >> >> > > >> >> > "Vera Noest [MVP]" wrote: > >> >> > > >> >> >> Asif, you seem to append to an old thread which was about > >> >> >> the opposite of your problem. That's very confusing. Next > >> >> >> time, please start a new thread and clearly state your > >> >> >> problem. > >> >> >> > >> >> >> What exactly is it that you want to achieve? I'm assuming > >> >> >> that your are the Administrator of a TS, and that you > >> >> >> want to prohibit users to install software, is that > >> >> >> correct? Or do you want to disable this for all users, > >> >> >> including Administrators? > >> >> >> > >> >> >> If you just want to take away this possibility for normal > >> >> >> users, the answer is that they don't have the proper > >> >> >> rights any way, assuming that you run on Windows 2003 and > >> >> >> have installed Terminal Services with "Full Security". > >> >> >> They can install applications in their home folder, but > >> >> >> can't add or replace system files, dll's etc. > >> >> >> > >> >> >> _________________________________________________________ > >> >> >> Vera Noest > >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> >> >> TS troubleshooting: http://ts.veranoest.net > >> >> >> *----------- Please reply in newsgroup -------------* > >> >> >> > >> >> >> =?Utf-8?B?QXNpZiBTaGFo?= > >> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug > >> >> >> 2008: > >> >> >> > >> >> >> > Vera, > >> >> >> > > >> >> >> > I have disabled the windows installer but that only > >> >> >> > applies to software installations that use windows > >> >> >> > installer to install itself. There are other installs > >> >> >> > that dont use windows install. e.g. installing Mozilla > >> >> >> > Firefox. I have the GPO you mentioned for the windows > >> >> >> > installer enabled but i can still install > >> >> >> > firefox........what else can i try? >
Guest Vera Noest [MVP] Posted August 3, 2008 Posted August 3, 2008 Re: Administrator Consoled in Can not install software Yes. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> wrote on 03 aug 2008 in microsoft.public.windows.terminal_services: > You mean the permissions on C drive, WINNT folder, Program > Files, and WINNT/system32 folders? > > "Vera Noest [MVP]" wrote: > >> Then the next step is to make sure that your users are normal >> users, not Administrators or Power Users, and apply the NTFS >> permissions which I mentioned. Those will see to it that they >> cannot install anything which includes dlls or other files >> which must reside in the windows folder. >> >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> >> wrote on 03 aug 2008 in >> microsoft.public.windows.terminal_services: >> >> > I saw that settings. I had a feeling you were talking about >> > that. Permissions compatible with Windows 2000 Users is >> > already selected. >> > >> > "Vera Noest [MVP]" wrote: >> > >> >> Well, as I wrote, I don't remember the details of a W2K TS. >> >> During installation, you are asked to choose the >> >> "Compatibility mode". Is there anyting in tscc which >> >> mentions that? If so, you chould choose "Permissions >> >> compatible with Windows 2000 Users". >> >> >> >> Anyone else maybe, who has access to a W2K TS? >> >> _________________________________________________________ >> >> Vera Noest >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> TS troubleshooting: http://ts.veranoest.net >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> =?Utf-8?B?QXNpZiBTaGFo?= >> >> <AsifShah@discussions.microsoft.com> wrote on 02 aug 2008 in >> >> microsoft.public.windows.terminal_services: >> >> >> >> > I am looking at the Terminal Services Configuration - >> >> > Server Settings, which setting do I change. I dont see >> >> > anything that says "relaxed security". >> >> > >> >> > "Vera Noest [MVP]" wrote: >> >> > >> >> >> OK, seems like the Terminal Services was installed with >> >> >> relaxed security. It's a long time ago that I worked with >> >> >> W2K TS, so I'm unsure about the details, but I believe >> >> >> that you can check (and change?) this in Terminal >> >> >> Services Configuration - Server settings. >> >> >> >> >> >> You'll have to further secure the server with NTFS >> >> >> permissions on the file system. At the minimum, modify >> >> >> the NTFS permissions as follows: >> >> >> %SystemDrive%, %SystemRoot%, %ProgramFiles% and >> >> >> %SystemRoot%\system32 : >> >> >> System - Full Control >> >> >> Administrators - Full Control >> >> >> Authenticated Users - Read & Execute >> >> >> >> >> >> _________________________________________________________ >> >> >> Vera Noest >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> >> >> =?Utf-8?B?QXNpZiBTaGFo?= >> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008 >> >> >> in microsoft.public.windows.terminal_services: >> >> >> >> >> >> > Vera, >> >> >> > >> >> >> > My appoligies for adding to an older thread. I just >> >> >> > thought since you were dicussing a similiar problem I >> >> >> > would post my issue. I will keep in mind nex time. >> >> >> > >> >> >> > I am the administrator and I am trying to restrict all >> >> >> > non-admin users from installing software on the server. >> >> >> > This is on a Windows 2000 server. How can I check if I >> >> >> > installed TS with full security. Apprently something is >> >> >> > not setup right, because few days ago I discovered that >> >> >> > new software were installed, some games and Mozilla >> >> >> > Firebox. I checked with my admins and they didnt. So it >> >> >> > had to have been a regular user. No other user has >> >> >> > right like us admins. I even did a test. I logged in as >> >> >> > a normal user whose password I knew and I was able to >> >> >> > download and install Firefox and other software. >> >> >> > >> >> >> > The only thing I have done is disable the windows >> >> >> > installer but seems like that only works for software >> >> >> > that use windows installer to install itself. The >> >> >> > article I read from Microsoft that talks about this GPO >> >> >> > mentions this condition. What else can I do? What else >> >> >> > can I check? >> >> >> > >> >> >> > Thanks. >> >> >> > >> >> >> > "Vera Noest [MVP]" wrote: >> >> >> > >> >> >> >> Asif, you seem to append to an old thread which was >> >> >> >> about the opposite of your problem. That's very >> >> >> >> confusing. Next time, please start a new thread and >> >> >> >> clearly state your problem. >> >> >> >> >> >> >> >> What exactly is it that you want to achieve? I'm >> >> >> >> assuming that your are the Administrator of a TS, and >> >> >> >> that you want to prohibit users to install software, >> >> >> >> is that correct? Or do you want to disable this for >> >> >> >> all users, including Administrators? >> >> >> >> >> >> >> >> If you just want to take away this possibility for >> >> >> >> normal users, the answer is that they don't have the >> >> >> >> proper rights any way, assuming that you run on >> >> >> >> Windows 2003 and have installed Terminal Services with >> >> >> >> "Full Security". They can install applications in >> >> >> >> their home folder, but can't add or replace system >> >> >> >> files, dll's etc. >> >> >> >> >> >> >> >> _______________________________________________________ >> >> >> >> __ Vera Noest >> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> >> >> TS troubleshooting: http://ts.veranoest.net >> >> >> >> *----------- Please reply in newsgroup -------------* >> >> >> >> >> >> >> >> =?Utf-8?B?QXNpZiBTaGFo?= >> >> >> >> <AsifShah@discussions.microsoft.com> wrote on 01 aug >> >> >> >> 2008: >> >> >> >> >> >> >> >> > Vera, >> >> >> >> > >> >> >> >> > I have disabled the windows installer but that only >> >> >> >> > applies to software installations that use windows >> >> >> >> > installer to install itself. There are other >> >> >> >> > installs that dont use windows install. e.g. >> >> >> >> > installing Mozilla Firefox. I have the GPO you >> >> >> >> > mentioned for the windows installer enabled but i >> >> >> >> > can still install firefox........what else can i >> >> >> >> > try?
Guest Hank Arnold (MVP) Posted August 4, 2008 Posted August 4, 2008 Re: Administrator Consoled in Can not install software I'm a little confused... We control the installation of software by GPO. No one except someone in the Administrators group can install software on *ANY* computer (server, workstation, laptop, etc.)....period. In addition, we have a firewall (part of the Sophos End Point Security) that will not allow *any* program to run that has not been added to the firewall security. We still have W2K servers with TS installed. I've never seen this problem. I'm forwarding this to my work id and I'll see what I can find. To be honest, I can't guarantee I'll get to it today (Monday). This is typically my busiest day with several weekly reports due in the AM, I have to deal with all the problems the nurses have had over the weekend with their laptops and remote access as well as some major issues that just came up due to a vendor telling us that we need to spend a significant amount of $$ that is not in the budget. You haven't lived until you work for a non-profit and try to get IT money that isn't in the budget... :-( -- Regards, Hank Arnold Microsoft MVP Windows Server - Directory Services Vera Noest [MVP] wrote: > Well, as I wrote, I don't remember the details of a W2K TS. During > installation, you are asked to choose the "Compatibility mode". Is > there anyting in tscc which mentions that? If so, you chould choose > "Permissions compatible with Windows 2000 Users". > > Anyone else maybe, who has access to a W2K TS? > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > wrote on 02 aug 2008 in > microsoft.public.windows.terminal_services: > >> I am looking at the Terminal Services Configuration - Server >> Settings, which setting do I change. I dont see anything that >> says "relaxed security". >> >> "Vera Noest [MVP]" wrote: >> >>> OK, seems like the Terminal Services was installed with relaxed >>> security. It's a long time ago that I worked with W2K TS, so >>> I'm unsure about the details, but I believe that you can check >>> (and change?) this in Terminal Services Configuration - Server >>> settings. >>> >>> You'll have to further secure the server with NTFS permissions >>> on the file system. At the minimum, modify the NTFS permissions >>> as follows: >>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and >>> %SystemRoot%\system32 : >>> System - Full Control >>> Administrators - Full Control >>> Authenticated Users - Read & Execute >>> >>> _________________________________________________________ >>> Vera Noest >>> MCSE, CCEA, Microsoft MVP - Terminal Server >>> TS troubleshooting: http://ts.veranoest.net >>> ___ please respond in newsgroup, NOT by private email ___ >>> >>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> >>> wrote on 01 aug 2008 in >>> microsoft.public.windows.terminal_services: >>> >>>> Vera, >>>> >>>> My appoligies for adding to an older thread. I just thought >>>> since you were dicussing a similiar problem I would post my >>>> issue. I will keep in mind nex time. >>>> >>>> I am the administrator and I am trying to restrict all >>>> non-admin users from installing software on the server. This >>>> is on a Windows 2000 server. How can I check if I installed >>>> TS with full security. Apprently something is not setup >>>> right, because few days ago I discovered that new software >>>> were installed, some games and Mozilla Firebox. I checked >>>> with my admins and they didnt. So it had to have been a >>>> regular user. No other user has right like us admins. I even >>>> did a test. I logged in as a normal user whose password I >>>> knew and I was able to download and install Firefox and other >>>> software. >>>> >>>> The only thing I have done is disable the windows installer >>>> but seems like that only works for software that use windows >>>> installer to install itself. The article I read from >>>> Microsoft that talks about this GPO mentions this condition. >>>> What else can I do? What else can I check? >>>> >>>> Thanks. >>>> >>>> "Vera Noest [MVP]" wrote: >>>> >>>>> Asif, you seem to append to an old thread which was about >>>>> the opposite of your problem. That's very confusing. Next >>>>> time, please start a new thread and clearly state your >>>>> problem. >>>>> >>>>> What exactly is it that you want to achieve? I'm assuming >>>>> that your are the Administrator of a TS, and that you want >>>>> to prohibit users to install software, is that correct? Or >>>>> do you want to disable this for all users, including >>>>> Administrators? >>>>> >>>>> If you just want to take away this possibility for normal >>>>> users, the answer is that they don't have the proper rights >>>>> any way, assuming that you run on Windows 2003 and have >>>>> installed Terminal Services with "Full Security". They can >>>>> install applications in their home folder, but can't add or >>>>> replace system files, dll's etc. >>>>> >>>>> _________________________________________________________ >>>>> Vera Noest >>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>> TS troubleshooting: http://ts.veranoest.net >>>>> *----------- Please reply in newsgroup -------------* >>>>> >>>>> =?Utf-8?B?QXNpZiBTaGFo?= >>>>> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008: >>>>> >>>>>> Vera, >>>>>> >>>>>> I have disabled the windows installer but that only >>>>>> applies to software installations that use windows >>>>>> installer to install itself. There are other installs that >>>>>> dont use windows install. e.g. installing Mozilla Firefox. >>>>>> I have the GPO you mentioned for the windows installer >>>>>> enabled but i can still install firefox........what else >>>>>> can i try? >>>>>> >>>>>> "Vera Noest [MVP]" wrote: >>>>>> >>>>>>> OK, thanks for the feedback, I'm glad that your problem >>>>>>> is solved! It's a bit puzzeling though that the problem >>>>>>> didn't disappear by configuring the GPO setting in the >>>>>>> domain-wide GPO applied to the TS, since those settings >>>>>>> override the local policy. >>>>>>> >>>>>>> _________________________________________________________ >>>>>>> Vera Noest >>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>> ___ please respond in newsgroup, NOT by private email ___ >>>>>>> >>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on >>>>>>> 14 nov 2007 in >>>>>>> microsoft.public.windows.terminal_services: >>>>>>> >>>>>>>> Thanks for your help it was the local policy that was >>>>>>>> still turned on. >>>>>>>> >>>>>>>> >>>>>>>> "Vera Noest [MVP]" wrote: >>>>>>>> >>>>>>>>> Did you run Resultant Set of Policies, as I suggested >>>>>>>>> in my previous post? That would tell you exactly which >>>>>>>>> policy has the setting configured. >>>>>>>>> You can edit the local policy with gpedit.msc >>>>>>>>> >>>>>>>>> If you get this error message even when you are logged >>>>>>>>> in at the physical console of the server, then it >>>>>>>>> seems that Windows Installer is disabled completely, >>>>>>>>> not only for installations from within a TS session. >>>>>>>>> That setting can be found in Computer Configuration - >>>>>>>>> Administrative Templates - Windows Components - >>>>>>>>> Windows Installer "Disable Windows Installer" >>>>>>>>> >>>>>>>>> Other troubleshooting tools could be: >>>>>>>>> >>>>>>>>> 223300 - How to Enable Windows Installer Logging >>>>>>>>> http://support.microsoft.com/?kbid=223300 >>>>>>>>> >>>>>>>>> 221833 - How to enable user environment debug logging >>>>>>>>> in retail builds of Windows >>>>>>>>> http://support.microsoft.com/?kbid=221833 >>>>>>>>> _______________________________________________________ >>>>>>>>> __ Vera Noest >>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>>>> ___ please respond in newsgroup, NOT by private email >>>>>>>>> ___ >>>>>>>>> >>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote >>>>>>>>> on 14 nov 2007 in >>>>>>>>> microsoft.public.windows.terminal_services: >>>>>>>>> >>>>>>>>>> Well I have went through on the domain controller >>>>>>>>>> and removed the group policy for that server. >>>>>>>>>> Even when consoled and logged in as Administrator it >>>>>>>>>> still gives that error. >>>>>>>>>> >>>>>>>>>> Is there any chance a setting could have been set >>>>>>>>>> locally on that server. If so where does a person >>>>>>>>>> look to find out if it has been reset? >>>>>>>>>> >>>>>>>>>> thanks for your response >>>>>>>>>> >>>>>>>>>> "Vera Noest [MVP]" wrote: >>>>>>>>>> >>>>>>>>>>> Given the error message that you get, I'm still >>>>>>>>>>> convinced it's a GPO setting. Have you tried >>>>>>>>>>> resultant set of Policies? >>>>>>>>>>> >>>>>>>>>>> ____________________________________________________ >>>>>>>>>>> ___ __ Vera Noest >>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>>>>>> ___ please respond in newsgroup, NOT by private >>>>>>>>>>> email ___ >>>>>>>>>>> >>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> >>>>>>>>>>> wrote on 08 nov 2007 in >>>>>>>>>>> microsoft.public.windows.terminal_services: >>>>>>>>>>> >>>>>>>>>>>> Thanks for the reply >>>>>>>>>>>> >>>>>>>>>>>> I found an article on doing that and it still >>>>>>>>>>>> isn't working. I have even restarted the terminal >>>>>>>>>>>> server to try and fix the issue. >>>>>>>>>>>> >>>>>>>>>>>> Could there be a registry setting on the server >>>>>>>>>>>> itself that would prevent installations? >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> "Vera Noest [MVP]" wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Sounds like you want to enable this GPO setting: >>>>>>>>>>>>> >>>>>>>>>>>>> Computer Configuration - Administrative >>>>>>>>>>>>> Templates - Windows Components - Windows >>>>>>>>>>>>> Installer "Allow admin to install from Terminal >>>>>>>>>>>>> Services session" >>>>>>>>>>>>> _________________________________________________ >>>>>>>>>>>>> ___ ___ __ Vera Noest >>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private >>>>>>>>>>>>> email ___ >>>>>>>>>>>>> >>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> >>>>>>>>>>>>> wrote on 08 nov 2007 in >>>>>>>>>>>>> microsoft.public.windows.terminal_services: >>>>>>>>>>>>> >>>>>>>>>>>>>> I am having an issue installing programs >>>>>>>>>>>>>> consoled in and logged in as admininstrator. >>>>>>>>>>>>>> It keeps giving the message of "The system >>>>>>>>>>>>>> administrator has set policies to prevent this >>>>>>>>>>>>>> installation" >>>>>>>>>>>>>> >>>>>>>>>>>>>> I don't know of any policy set to prevent this >>>>>>>>>>>>>> from even happening for the administrator. I >>>>>>>>>>>>>> have went to the lengths of removing the group >>>>>>>>>>>>>> policy for the users and trying it again >>>>>>>>>>>>>> without any luck. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Does anyone know how to reset everything on >>>>>>>>>>>>>> that server or any suggestions. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks, >>>>>>>>>>>>>> TM
Guest Hank Arnold (MVP) Posted August 4, 2008 Posted August 4, 2008 Re: Administrator Consoled in Can not install software I'll ask again... Why isn't the OP using the GPO to control this? -- Regards, Hank Arnold Microsoft MVP Windows Server - Directory Services Vera Noest [MVP] wrote: > Then the next step is to make sure that your users are normal > users, not Administrators or Power Users, and apply the NTFS > permissions which I mentioned. Those will see to it that they > cannot install anything which includes dlls or other files which > must reside in the windows folder. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > wrote on 03 aug 2008 in > microsoft.public.windows.terminal_services: > >> I saw that settings. I had a feeling you were talking about >> that. Permissions compatible with Windows 2000 Users is already >> selected. >> >> "Vera Noest [MVP]" wrote: >> >>> Well, as I wrote, I don't remember the details of a W2K TS. >>> During installation, you are asked to choose the "Compatibility >>> mode". Is there anyting in tscc which mentions that? If so, you >>> chould choose "Permissions compatible with Windows 2000 Users". >>> >>> Anyone else maybe, who has access to a W2K TS?
Guest Asif Shah Posted August 4, 2008 Posted August 4, 2008 Re: Administrator Consoled in Can not install software Thanks for the insight Hank. What GPO settings are talking about in particular? As Vera suggested I have the "Permissions compatible with Windows 2000 Users" in TSC already selected. I also have the windows installer GPO setting disabled. What other GPO can I touch. I will be changing the NTFS permissions today like Vera suggested. Thanks. "Hank Arnold (MVP)" wrote: > I'm a little confused... We control the installation of software by GPO. > No one except someone in the Administrators group can install software > on *ANY* computer (server, workstation, laptop, etc.)....period. In > addition, we have a firewall (part of the Sophos End Point Security) > that will not allow *any* program to run that has not been added to the > firewall security. > > We still have W2K servers with TS installed. I've never seen this > problem. I'm forwarding this to my work id and I'll see what I can find. > > To be honest, I can't guarantee I'll get to it today (Monday). This is > typically my busiest day with several weekly reports due in the AM, I > have to deal with all the problems the nurses have had over the weekend > with their laptops and remote access as well as some major issues that > just came up due to a vendor telling us that we need to spend a > significant amount of $$ that is not in the budget. You haven't lived > until you work for a non-profit and try to get IT money that isn't in > the budget... :-( > > -- > > Regards, > Hank Arnold > Microsoft MVP > Windows Server - Directory Services > > Vera Noest [MVP] wrote: > > Well, as I wrote, I don't remember the details of a W2K TS. During > > installation, you are asked to choose the "Compatibility mode". Is > > there anyting in tscc which mentions that? If so, you chould choose > > "Permissions compatible with Windows 2000 Users". > > > > Anyone else maybe, who has access to a W2K TS? > > _________________________________________________________ > > Vera Noest > > MCSE, CCEA, Microsoft MVP - Terminal Server > > TS troubleshooting: http://ts.veranoest.net > > ___ please respond in newsgroup, NOT by private email ___ > > > > =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > > wrote on 02 aug 2008 in > > microsoft.public.windows.terminal_services: > > > >> I am looking at the Terminal Services Configuration - Server > >> Settings, which setting do I change. I dont see anything that > >> says "relaxed security". > >> > >> "Vera Noest [MVP]" wrote: > >> > >>> OK, seems like the Terminal Services was installed with relaxed > >>> security. It's a long time ago that I worked with W2K TS, so > >>> I'm unsure about the details, but I believe that you can check > >>> (and change?) this in Terminal Services Configuration - Server > >>> settings. > >>> > >>> You'll have to further secure the server with NTFS permissions > >>> on the file system. At the minimum, modify the NTFS permissions > >>> as follows: > >>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and > >>> %SystemRoot%\system32 : > >>> System - Full Control > >>> Administrators - Full Control > >>> Authenticated Users - Read & Execute > >>> > >>> _________________________________________________________ > >>> Vera Noest > >>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>> TS troubleshooting: http://ts.veranoest.net > >>> ___ please respond in newsgroup, NOT by private email ___ > >>> > >>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > >>> wrote on 01 aug 2008 in > >>> microsoft.public.windows.terminal_services: > >>> > >>>> Vera, > >>>> > >>>> My appoligies for adding to an older thread. I just thought > >>>> since you were dicussing a similiar problem I would post my > >>>> issue. I will keep in mind nex time. > >>>> > >>>> I am the administrator and I am trying to restrict all > >>>> non-admin users from installing software on the server. This > >>>> is on a Windows 2000 server. How can I check if I installed > >>>> TS with full security. Apprently something is not setup > >>>> right, because few days ago I discovered that new software > >>>> were installed, some games and Mozilla Firebox. I checked > >>>> with my admins and they didnt. So it had to have been a > >>>> regular user. No other user has right like us admins. I even > >>>> did a test. I logged in as a normal user whose password I > >>>> knew and I was able to download and install Firefox and other > >>>> software. > >>>> > >>>> The only thing I have done is disable the windows installer > >>>> but seems like that only works for software that use windows > >>>> installer to install itself. The article I read from > >>>> Microsoft that talks about this GPO mentions this condition. > >>>> What else can I do? What else can I check? > >>>> > >>>> Thanks. > >>>> > >>>> "Vera Noest [MVP]" wrote: > >>>> > >>>>> Asif, you seem to append to an old thread which was about > >>>>> the opposite of your problem. That's very confusing. Next > >>>>> time, please start a new thread and clearly state your > >>>>> problem. > >>>>> > >>>>> What exactly is it that you want to achieve? I'm assuming > >>>>> that your are the Administrator of a TS, and that you want > >>>>> to prohibit users to install software, is that correct? Or > >>>>> do you want to disable this for all users, including > >>>>> Administrators? > >>>>> > >>>>> If you just want to take away this possibility for normal > >>>>> users, the answer is that they don't have the proper rights > >>>>> any way, assuming that you run on Windows 2003 and have > >>>>> installed Terminal Services with "Full Security". They can > >>>>> install applications in their home folder, but can't add or > >>>>> replace system files, dll's etc. > >>>>> > >>>>> _________________________________________________________ > >>>>> Vera Noest > >>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>> TS troubleshooting: http://ts.veranoest.net > >>>>> *----------- Please reply in newsgroup -------------* > >>>>> > >>>>> =?Utf-8?B?QXNpZiBTaGFo?= > >>>>> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008: > >>>>> > >>>>>> Vera, > >>>>>> > >>>>>> I have disabled the windows installer but that only > >>>>>> applies to software installations that use windows > >>>>>> installer to install itself. There are other installs that > >>>>>> dont use windows install. e.g. installing Mozilla Firefox. > >>>>>> I have the GPO you mentioned for the windows installer > >>>>>> enabled but i can still install firefox........what else > >>>>>> can i try? > >>>>>> > >>>>>> "Vera Noest [MVP]" wrote: > >>>>>> > >>>>>>> OK, thanks for the feedback, I'm glad that your problem > >>>>>>> is solved! It's a bit puzzeling though that the problem > >>>>>>> didn't disappear by configuring the GPO setting in the > >>>>>>> domain-wide GPO applied to the TS, since those settings > >>>>>>> override the local policy. > >>>>>>> > >>>>>>> _________________________________________________________ > >>>>>>> Vera Noest > >>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>> ___ please respond in newsgroup, NOT by private email ___ > >>>>>>> > >>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on > >>>>>>> 14 nov 2007 in > >>>>>>> microsoft.public.windows.terminal_services: > >>>>>>> > >>>>>>>> Thanks for your help it was the local policy that was > >>>>>>>> still turned on. > >>>>>>>> > >>>>>>>> > >>>>>>>> "Vera Noest [MVP]" wrote: > >>>>>>>> > >>>>>>>>> Did you run Resultant Set of Policies, as I suggested > >>>>>>>>> in my previous post? That would tell you exactly which > >>>>>>>>> policy has the setting configured. > >>>>>>>>> You can edit the local policy with gpedit.msc > >>>>>>>>> > >>>>>>>>> If you get this error message even when you are logged > >>>>>>>>> in at the physical console of the server, then it > >>>>>>>>> seems that Windows Installer is disabled completely, > >>>>>>>>> not only for installations from within a TS session. > >>>>>>>>> That setting can be found in Computer Configuration - > >>>>>>>>> Administrative Templates - Windows Components - > >>>>>>>>> Windows Installer "Disable Windows Installer" > >>>>>>>>> > >>>>>>>>> Other troubleshooting tools could be: > >>>>>>>>> > >>>>>>>>> 223300 - How to Enable Windows Installer Logging > >>>>>>>>> http://support.microsoft.com/?kbid=223300 > >>>>>>>>> > >>>>>>>>> 221833 - How to enable user environment debug logging > >>>>>>>>> in retail builds of Windows > >>>>>>>>> http://support.microsoft.com/?kbid=221833 > >>>>>>>>> _______________________________________________________ > >>>>>>>>> __ Vera Noest > >>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>>>> ___ please respond in newsgroup, NOT by private email > >>>>>>>>> ___ > >>>>>>>>> > >>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote > >>>>>>>>> on 14 nov 2007 in > >>>>>>>>> microsoft.public.windows.terminal_services: > >>>>>>>>> > >>>>>>>>>> Well I have went through on the domain controller > >>>>>>>>>> and removed the group policy for that server. > >>>>>>>>>> Even when consoled and logged in as Administrator it > >>>>>>>>>> still gives that error. > >>>>>>>>>> > >>>>>>>>>> Is there any chance a setting could have been set > >>>>>>>>>> locally on that server. If so where does a person > >>>>>>>>>> look to find out if it has been reset? > >>>>>>>>>> > >>>>>>>>>> thanks for your response > >>>>>>>>>> > >>>>>>>>>> "Vera Noest [MVP]" wrote: > >>>>>>>>>> > >>>>>>>>>>> Given the error message that you get, I'm still > >>>>>>>>>>> convinced it's a GPO setting. Have you tried > >>>>>>>>>>> resultant set of Policies? > >>>>>>>>>>> > >>>>>>>>>>> ____________________________________________________ > >>>>>>>>>>> ___ __ Vera Noest > >>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>>>>>> ___ please respond in newsgroup, NOT by private > >>>>>>>>>>> email ___ > >>>>>>>>>>> > >>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> > >>>>>>>>>>> wrote on 08 nov 2007 in > >>>>>>>>>>> microsoft.public.windows.terminal_services: > >>>>>>>>>>> > >>>>>>>>>>>> Thanks for the reply > >>>>>>>>>>>> > >>>>>>>>>>>> I found an article on doing that and it still > >>>>>>>>>>>> isn't working. I have even restarted the terminal > >>>>>>>>>>>> server to try and fix the issue. > >>>>>>>>>>>> > >>>>>>>>>>>> Could there be a registry setting on the server > >>>>>>>>>>>> itself that would prevent installations? > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> "Vera Noest [MVP]" wrote: > >>>>>>>>>>>> > >>>>>>>>>>>>> Sounds like you want to enable this GPO setting: > >>>>>>>>>>>>> > >>>>>>>>>>>>> Computer Configuration - Administrative > >>>>>>>>>>>>> Templates - Windows Components - Windows > >>>>>>>>>>>>> Installer "Allow admin to install from Terminal > >>>>>>>>>>>>> Services session" > >>>>>>>>>>>>> _________________________________________________ > >>>>>>>>>>>>> ___ ___ __ Vera Noest > >>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private > >>>>>>>>>>>>> email ___ > >>>>>>>>>>>>> > >>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> > >>>>>>>>>>>>> wrote on 08 nov 2007 in > >>>>>>>>>>>>> microsoft.public.windows.terminal_services: > >>>>>>>>>>>>> > >>>>>>>>>>>>>> I am having an issue installing programs > >>>>>>>>>>>>>> consoled in and logged in as admininstrator. > >>>>>>>>>>>>>> It keeps giving the message of "The system > >>>>>>>>>>>>>> administrator has set policies to prevent this > >>>>>>>>>>>>>> installation" > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> I don't know of any policy set to prevent this > >>>>>>>>>>>>>> from even happening for the administrator. I > >>>>>>>>>>>>>> have went to the lengths of removing the group > >>>>>>>>>>>>>> policy for the users and trying it again > >>>>>>>>>>>>>> without any luck. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Does anyone know how to reset everything on > >>>>>>>>>>>>>> that server or any suggestions. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Thanks, > >>>>>>>>>>>>>> TM > >
Guest Hank Arnold (MVP) Posted August 5, 2008 Posted August 5, 2008 Re: Administrator Consoled in Can not install software Asif Shah wrote: > Thanks for the insight Hank. > > What GPO settings are talking about in particular? As Vera suggested I have > the "Permissions compatible with Windows 2000 Users" in TSC already selected. > I also have the windows installer GPO setting disabled. What other GPO can I > touch. I will be changing the NTFS permissions today like Vera suggested. > > Thanks. > > "Hank Arnold (MVP)" wrote: > >> I'm a little confused... We control the installation of software by GPO. >> No one except someone in the Administrators group can install software >> on *ANY* computer (server, workstation, laptop, etc.)....period. In >> addition, we have a firewall (part of the Sophos End Point Security) >> that will not allow *any* program to run that has not been added to the >> firewall security. >> >> We still have W2K servers with TS installed. I've never seen this >> problem. I'm forwarding this to my work id and I'll see what I can find. >> >> To be honest, I can't guarantee I'll get to it today (Monday). This is >> typically my busiest day with several weekly reports due in the AM, I >> have to deal with all the problems the nurses have had over the weekend >> with their laptops and remote access as well as some major issues that >> just came up due to a vendor telling us that we need to spend a >> significant amount of $$ that is not in the budget. You haven't lived >> until you work for a non-profit and try to get IT money that isn't in >> the budget... :-( >> >> -- >> >> Regards, >> Hank Arnold >> Microsoft MVP >> Windows Server - Directory Services >> >> Vera Noest [MVP] wrote: >>> Well, as I wrote, I don't remember the details of a W2K TS. During >>> installation, you are asked to choose the "Compatibility mode". Is >>> there anyting in tscc which mentions that? If so, you chould choose >>> "Permissions compatible with Windows 2000 Users". >>> >>> Anyone else maybe, who has access to a W2K TS? >>> _________________________________________________________ >>> Vera Noest >>> MCSE, CCEA, Microsoft MVP - Terminal Server >>> TS troubleshooting: http://ts.veranoest.net >>> ___ please respond in newsgroup, NOT by private email ___ >>> >>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> >>> wrote on 02 aug 2008 in >>> microsoft.public.windows.terminal_services: >>> >>>> I am looking at the Terminal Services Configuration - Server >>>> Settings, which setting do I change. I dont see anything that >>>> says "relaxed security". >>>> >>>> "Vera Noest [MVP]" wrote: >>>> >>>>> OK, seems like the Terminal Services was installed with relaxed >>>>> security. It's a long time ago that I worked with W2K TS, so >>>>> I'm unsure about the details, but I believe that you can check >>>>> (and change?) this in Terminal Services Configuration - Server >>>>> settings. >>>>> >>>>> You'll have to further secure the server with NTFS permissions >>>>> on the file system. At the minimum, modify the NTFS permissions >>>>> as follows: >>>>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and >>>>> %SystemRoot%\system32 : >>>>> System - Full Control >>>>> Administrators - Full Control >>>>> Authenticated Users - Read & Execute >>>>> >>>>> _________________________________________________________ >>>>> Vera Noest >>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>> TS troubleshooting: http://ts.veranoest.net >>>>> ___ please respond in newsgroup, NOT by private email ___ >>>>> >>>>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> >>>>> wrote on 01 aug 2008 in >>>>> microsoft.public.windows.terminal_services: >>>>> >>>>>> Vera, >>>>>> >>>>>> My appoligies for adding to an older thread. I just thought >>>>>> since you were dicussing a similiar problem I would post my >>>>>> issue. I will keep in mind nex time. >>>>>> >>>>>> I am the administrator and I am trying to restrict all >>>>>> non-admin users from installing software on the server. This >>>>>> is on a Windows 2000 server. How can I check if I installed >>>>>> TS with full security. Apprently something is not setup >>>>>> right, because few days ago I discovered that new software >>>>>> were installed, some games and Mozilla Firebox. I checked >>>>>> with my admins and they didnt. So it had to have been a >>>>>> regular user. No other user has right like us admins. I even >>>>>> did a test. I logged in as a normal user whose password I >>>>>> knew and I was able to download and install Firefox and other >>>>>> software. >>>>>> >>>>>> The only thing I have done is disable the windows installer >>>>>> but seems like that only works for software that use windows >>>>>> installer to install itself. The article I read from >>>>>> Microsoft that talks about this GPO mentions this condition. >>>>>> What else can I do? What else can I check? >>>>>> >>>>>> Thanks. >>>>>> >>>>>> "Vera Noest [MVP]" wrote: >>>>>> >>>>>>> Asif, you seem to append to an old thread which was about >>>>>>> the opposite of your problem. That's very confusing. Next >>>>>>> time, please start a new thread and clearly state your >>>>>>> problem. >>>>>>> >>>>>>> What exactly is it that you want to achieve? I'm assuming >>>>>>> that your are the Administrator of a TS, and that you want >>>>>>> to prohibit users to install software, is that correct? Or >>>>>>> do you want to disable this for all users, including >>>>>>> Administrators? >>>>>>> >>>>>>> If you just want to take away this possibility for normal >>>>>>> users, the answer is that they don't have the proper rights >>>>>>> any way, assuming that you run on Windows 2003 and have >>>>>>> installed Terminal Services with "Full Security". They can >>>>>>> install applications in their home folder, but can't add or >>>>>>> replace system files, dll's etc. >>>>>>> >>>>>>> _________________________________________________________ >>>>>>> Vera Noest >>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>> *----------- Please reply in newsgroup -------------* >>>>>>> >>>>>>> =?Utf-8?B?QXNpZiBTaGFo?= >>>>>>> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008: >>>>>>> >>>>>>>> Vera, >>>>>>>> >>>>>>>> I have disabled the windows installer but that only >>>>>>>> applies to software installations that use windows >>>>>>>> installer to install itself. There are other installs that >>>>>>>> dont use windows install. e.g. installing Mozilla Firefox. >>>>>>>> I have the GPO you mentioned for the windows installer >>>>>>>> enabled but i can still install firefox........what else >>>>>>>> can i try? >>>>>>>> >>>>>>>> "Vera Noest [MVP]" wrote: >>>>>>>> >>>>>>>>> OK, thanks for the feedback, I'm glad that your problem >>>>>>>>> is solved! It's a bit puzzeling though that the problem >>>>>>>>> didn't disappear by configuring the GPO setting in the >>>>>>>>> domain-wide GPO applied to the TS, since those settings >>>>>>>>> override the local policy. >>>>>>>>> >>>>>>>>> _________________________________________________________ >>>>>>>>> Vera Noest >>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>>>> ___ please respond in newsgroup, NOT by private email ___ >>>>>>>>> >>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on >>>>>>>>> 14 nov 2007 in >>>>>>>>> microsoft.public.windows.terminal_services: >>>>>>>>> >>>>>>>>>> Thanks for your help it was the local policy that was >>>>>>>>>> still turned on. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> "Vera Noest [MVP]" wrote: >>>>>>>>>> >>>>>>>>>>> Did you run Resultant Set of Policies, as I suggested >>>>>>>>>>> in my previous post? That would tell you exactly which >>>>>>>>>>> policy has the setting configured. >>>>>>>>>>> You can edit the local policy with gpedit.msc >>>>>>>>>>> >>>>>>>>>>> If you get this error message even when you are logged >>>>>>>>>>> in at the physical console of the server, then it >>>>>>>>>>> seems that Windows Installer is disabled completely, >>>>>>>>>>> not only for installations from within a TS session. >>>>>>>>>>> That setting can be found in Computer Configuration - >>>>>>>>>>> Administrative Templates - Windows Components - >>>>>>>>>>> Windows Installer "Disable Windows Installer" >>>>>>>>>>> >>>>>>>>>>> Other troubleshooting tools could be: >>>>>>>>>>> >>>>>>>>>>> 223300 - How to Enable Windows Installer Logging >>>>>>>>>>> http://support.microsoft.com/?kbid=223300 >>>>>>>>>>> >>>>>>>>>>> 221833 - How to enable user environment debug logging >>>>>>>>>>> in retail builds of Windows >>>>>>>>>>> http://support.microsoft.com/?kbid=221833 >>>>>>>>>>> _______________________________________________________ >>>>>>>>>>> __ Vera Noest >>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>>>>>> ___ please respond in newsgroup, NOT by private email >>>>>>>>>>> ___ >>>>>>>>>>> >>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote >>>>>>>>>>> on 14 nov 2007 in >>>>>>>>>>> microsoft.public.windows.terminal_services: >>>>>>>>>>> >>>>>>>>>>>> Well I have went through on the domain controller >>>>>>>>>>>> and removed the group policy for that server. >>>>>>>>>>>> Even when consoled and logged in as Administrator it >>>>>>>>>>>> still gives that error. >>>>>>>>>>>> >>>>>>>>>>>> Is there any chance a setting could have been set >>>>>>>>>>>> locally on that server. If so where does a person >>>>>>>>>>>> look to find out if it has been reset? >>>>>>>>>>>> >>>>>>>>>>>> thanks for your response >>>>>>>>>>>> >>>>>>>>>>>> "Vera Noest [MVP]" wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Given the error message that you get, I'm still >>>>>>>>>>>>> convinced it's a GPO setting. Have you tried >>>>>>>>>>>>> resultant set of Policies? >>>>>>>>>>>>> >>>>>>>>>>>>> ____________________________________________________ >>>>>>>>>>>>> ___ __ Vera Noest >>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private >>>>>>>>>>>>> email ___ >>>>>>>>>>>>> >>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> >>>>>>>>>>>>> wrote on 08 nov 2007 in >>>>>>>>>>>>> microsoft.public.windows.terminal_services: >>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks for the reply >>>>>>>>>>>>>> >>>>>>>>>>>>>> I found an article on doing that and it still >>>>>>>>>>>>>> isn't working. I have even restarted the terminal >>>>>>>>>>>>>> server to try and fix the issue. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Could there be a registry setting on the server >>>>>>>>>>>>>> itself that would prevent installations? >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> "Vera Noest [MVP]" wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Sounds like you want to enable this GPO setting: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Computer Configuration - Administrative >>>>>>>>>>>>>>> Templates - Windows Components - Windows >>>>>>>>>>>>>>> Installer "Allow admin to install from Terminal >>>>>>>>>>>>>>> Services session" >>>>>>>>>>>>>>> _________________________________________________ >>>>>>>>>>>>>>> ___ ___ __ Vera Noest >>>>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server >>>>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net >>>>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private >>>>>>>>>>>>>>> email ___ >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> >>>>>>>>>>>>>>> wrote on 08 nov 2007 in >>>>>>>>>>>>>>> microsoft.public.windows.terminal_services: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I am having an issue installing programs >>>>>>>>>>>>>>>> consoled in and logged in as admininstrator. >>>>>>>>>>>>>>>> It keeps giving the message of "The system >>>>>>>>>>>>>>>> administrator has set policies to prevent this >>>>>>>>>>>>>>>> installation" >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I don't know of any policy set to prevent this >>>>>>>>>>>>>>>> from even happening for the administrator. I >>>>>>>>>>>>>>>> have went to the lengths of removing the group >>>>>>>>>>>>>>>> policy for the users and trying it again >>>>>>>>>>>>>>>> without any luck. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Does anyone know how to reset everything on >>>>>>>>>>>>>>>> that server or any suggestions. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks, >>>>>>>>>>>>>>>> TM >> I'll have to look into it... Its been along time since I updated the GPO............ -- Regards, Hank Arnold Microsoft MVP Windows Server - Directory Services
Guest Asif Shah Posted August 5, 2008 Posted August 5, 2008 Re: Administrator Consoled in Can not install software OK. Let me know if you find something. Thanks. "Hank Arnold (MVP)" wrote: > Asif Shah wrote: > > Thanks for the insight Hank. > > > > What GPO settings are talking about in particular? As Vera suggested I have > > the "Permissions compatible with Windows 2000 Users" in TSC already selected. > > I also have the windows installer GPO setting disabled. What other GPO can I > > touch. I will be changing the NTFS permissions today like Vera suggested. > > > > Thanks. > > > > "Hank Arnold (MVP)" wrote: > > > >> I'm a little confused... We control the installation of software by GPO. > >> No one except someone in the Administrators group can install software > >> on *ANY* computer (server, workstation, laptop, etc.)....period. In > >> addition, we have a firewall (part of the Sophos End Point Security) > >> that will not allow *any* program to run that has not been added to the > >> firewall security. > >> > >> We still have W2K servers with TS installed. I've never seen this > >> problem. I'm forwarding this to my work id and I'll see what I can find. > >> > >> To be honest, I can't guarantee I'll get to it today (Monday). This is > >> typically my busiest day with several weekly reports due in the AM, I > >> have to deal with all the problems the nurses have had over the weekend > >> with their laptops and remote access as well as some major issues that > >> just came up due to a vendor telling us that we need to spend a > >> significant amount of $$ that is not in the budget. You haven't lived > >> until you work for a non-profit and try to get IT money that isn't in > >> the budget... :-( > >> > >> -- > >> > >> Regards, > >> Hank Arnold > >> Microsoft MVP > >> Windows Server - Directory Services > >> > >> Vera Noest [MVP] wrote: > >>> Well, as I wrote, I don't remember the details of a W2K TS. During > >>> installation, you are asked to choose the "Compatibility mode". Is > >>> there anyting in tscc which mentions that? If so, you chould choose > >>> "Permissions compatible with Windows 2000 Users". > >>> > >>> Anyone else maybe, who has access to a W2K TS? > >>> _________________________________________________________ > >>> Vera Noest > >>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>> TS troubleshooting: http://ts.veranoest.net > >>> ___ please respond in newsgroup, NOT by private email ___ > >>> > >>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > >>> wrote on 02 aug 2008 in > >>> microsoft.public.windows.terminal_services: > >>> > >>>> I am looking at the Terminal Services Configuration - Server > >>>> Settings, which setting do I change. I dont see anything that > >>>> says "relaxed security". > >>>> > >>>> "Vera Noest [MVP]" wrote: > >>>> > >>>>> OK, seems like the Terminal Services was installed with relaxed > >>>>> security. It's a long time ago that I worked with W2K TS, so > >>>>> I'm unsure about the details, but I believe that you can check > >>>>> (and change?) this in Terminal Services Configuration - Server > >>>>> settings. > >>>>> > >>>>> You'll have to further secure the server with NTFS permissions > >>>>> on the file system. At the minimum, modify the NTFS permissions > >>>>> as follows: > >>>>> %SystemDrive%, %SystemRoot%, %ProgramFiles% and > >>>>> %SystemRoot%\system32 : > >>>>> System - Full Control > >>>>> Administrators - Full Control > >>>>> Authenticated Users - Read & Execute > >>>>> > >>>>> _________________________________________________________ > >>>>> Vera Noest > >>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>> TS troubleshooting: http://ts.veranoest.net > >>>>> ___ please respond in newsgroup, NOT by private email ___ > >>>>> > >>>>> =?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@discussions.microsoft.com> > >>>>> wrote on 01 aug 2008 in > >>>>> microsoft.public.windows.terminal_services: > >>>>> > >>>>>> Vera, > >>>>>> > >>>>>> My appoligies for adding to an older thread. I just thought > >>>>>> since you were dicussing a similiar problem I would post my > >>>>>> issue. I will keep in mind nex time. > >>>>>> > >>>>>> I am the administrator and I am trying to restrict all > >>>>>> non-admin users from installing software on the server. This > >>>>>> is on a Windows 2000 server. How can I check if I installed > >>>>>> TS with full security. Apprently something is not setup > >>>>>> right, because few days ago I discovered that new software > >>>>>> were installed, some games and Mozilla Firebox. I checked > >>>>>> with my admins and they didnt. So it had to have been a > >>>>>> regular user. No other user has right like us admins. I even > >>>>>> did a test. I logged in as a normal user whose password I > >>>>>> knew and I was able to download and install Firefox and other > >>>>>> software. > >>>>>> > >>>>>> The only thing I have done is disable the windows installer > >>>>>> but seems like that only works for software that use windows > >>>>>> installer to install itself. The article I read from > >>>>>> Microsoft that talks about this GPO mentions this condition. > >>>>>> What else can I do? What else can I check? > >>>>>> > >>>>>> Thanks. > >>>>>> > >>>>>> "Vera Noest [MVP]" wrote: > >>>>>> > >>>>>>> Asif, you seem to append to an old thread which was about > >>>>>>> the opposite of your problem. That's very confusing. Next > >>>>>>> time, please start a new thread and clearly state your > >>>>>>> problem. > >>>>>>> > >>>>>>> What exactly is it that you want to achieve? I'm assuming > >>>>>>> that your are the Administrator of a TS, and that you want > >>>>>>> to prohibit users to install software, is that correct? Or > >>>>>>> do you want to disable this for all users, including > >>>>>>> Administrators? > >>>>>>> > >>>>>>> If you just want to take away this possibility for normal > >>>>>>> users, the answer is that they don't have the proper rights > >>>>>>> any way, assuming that you run on Windows 2003 and have > >>>>>>> installed Terminal Services with "Full Security". They can > >>>>>>> install applications in their home folder, but can't add or > >>>>>>> replace system files, dll's etc. > >>>>>>> > >>>>>>> _________________________________________________________ > >>>>>>> Vera Noest > >>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>> *----------- Please reply in newsgroup -------------* > >>>>>>> > >>>>>>> =?Utf-8?B?QXNpZiBTaGFo?= > >>>>>>> <AsifShah@discussions.microsoft.com> wrote on 01 aug 2008: > >>>>>>> > >>>>>>>> Vera, > >>>>>>>> > >>>>>>>> I have disabled the windows installer but that only > >>>>>>>> applies to software installations that use windows > >>>>>>>> installer to install itself. There are other installs that > >>>>>>>> dont use windows install. e.g. installing Mozilla Firefox. > >>>>>>>> I have the GPO you mentioned for the windows installer > >>>>>>>> enabled but i can still install firefox........what else > >>>>>>>> can i try? > >>>>>>>> > >>>>>>>> "Vera Noest [MVP]" wrote: > >>>>>>>> > >>>>>>>>> OK, thanks for the feedback, I'm glad that your problem > >>>>>>>>> is solved! It's a bit puzzeling though that the problem > >>>>>>>>> didn't disappear by configuring the GPO setting in the > >>>>>>>>> domain-wide GPO applied to the TS, since those settings > >>>>>>>>> override the local policy. > >>>>>>>>> > >>>>>>>>> _________________________________________________________ > >>>>>>>>> Vera Noest > >>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>>>> ___ please respond in newsgroup, NOT by private email ___ > >>>>>>>>> > >>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote on > >>>>>>>>> 14 nov 2007 in > >>>>>>>>> microsoft.public.windows.terminal_services: > >>>>>>>>> > >>>>>>>>>> Thanks for your help it was the local policy that was > >>>>>>>>>> still turned on. > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> "Vera Noest [MVP]" wrote: > >>>>>>>>>> > >>>>>>>>>>> Did you run Resultant Set of Policies, as I suggested > >>>>>>>>>>> in my previous post? That would tell you exactly which > >>>>>>>>>>> policy has the setting configured. > >>>>>>>>>>> You can edit the local policy with gpedit.msc > >>>>>>>>>>> > >>>>>>>>>>> If you get this error message even when you are logged > >>>>>>>>>>> in at the physical console of the server, then it > >>>>>>>>>>> seems that Windows Installer is disabled completely, > >>>>>>>>>>> not only for installations from within a TS session. > >>>>>>>>>>> That setting can be found in Computer Configuration - > >>>>>>>>>>> Administrative Templates - Windows Components - > >>>>>>>>>>> Windows Installer "Disable Windows Installer" > >>>>>>>>>>> > >>>>>>>>>>> Other troubleshooting tools could be: > >>>>>>>>>>> > >>>>>>>>>>> 223300 - How to Enable Windows Installer Logging > >>>>>>>>>>> http://support.microsoft.com/?kbid=223300 > >>>>>>>>>>> > >>>>>>>>>>> 221833 - How to enable user environment debug logging > >>>>>>>>>>> in retail builds of Windows > >>>>>>>>>>> http://support.microsoft.com/?kbid=221833 > >>>>>>>>>>> _______________________________________________________ > >>>>>>>>>>> __ Vera Noest > >>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>>>>>> ___ please respond in newsgroup, NOT by private email > >>>>>>>>>>> ___ > >>>>>>>>>>> > >>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> wrote > >>>>>>>>>>> on 14 nov 2007 in > >>>>>>>>>>> microsoft.public.windows.terminal_services: > >>>>>>>>>>> > >>>>>>>>>>>> Well I have went through on the domain controller > >>>>>>>>>>>> and removed the group policy for that server. > >>>>>>>>>>>> Even when consoled and logged in as Administrator it > >>>>>>>>>>>> still gives that error. > >>>>>>>>>>>> > >>>>>>>>>>>> Is there any chance a setting could have been set > >>>>>>>>>>>> locally on that server. If so where does a person > >>>>>>>>>>>> look to find out if it has been reset? > >>>>>>>>>>>> > >>>>>>>>>>>> thanks for your response > >>>>>>>>>>>> > >>>>>>>>>>>> "Vera Noest [MVP]" wrote: > >>>>>>>>>>>> > >>>>>>>>>>>>> Given the error message that you get, I'm still > >>>>>>>>>>>>> convinced it's a GPO setting. Have you tried > >>>>>>>>>>>>> resultant set of Policies? > >>>>>>>>>>>>> > >>>>>>>>>>>>> ____________________________________________________ > >>>>>>>>>>>>> ___ __ Vera Noest > >>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private > >>>>>>>>>>>>> email ___ > >>>>>>>>>>>>> > >>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> > >>>>>>>>>>>>> wrote on 08 nov 2007 in > >>>>>>>>>>>>> microsoft.public.windows.terminal_services: > >>>>>>>>>>>>> > >>>>>>>>>>>>>> Thanks for the reply > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> I found an article on doing that and it still > >>>>>>>>>>>>>> isn't working. I have even restarted the terminal > >>>>>>>>>>>>>> server to try and fix the issue. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Could there be a registry setting on the server > >>>>>>>>>>>>>> itself that would prevent installations? > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> "Vera Noest [MVP]" wrote: > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Sounds like you want to enable this GPO setting: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Computer Configuration - Administrative > >>>>>>>>>>>>>>> Templates - Windows Components - Windows > >>>>>>>>>>>>>>> Installer "Allow admin to install from Terminal > >>>>>>>>>>>>>>> Services session" > >>>>>>>>>>>>>>> _________________________________________________ > >>>>>>>>>>>>>>> ___ ___ __ Vera Noest > >>>>>>>>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server > >>>>>>>>>>>>>>> TS troubleshooting: http://ts.veranoest.net > >>>>>>>>>>>>>>> ___ please respond in newsgroup, NOT by private > >>>>>>>>>>>>>>> email ___ > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> =?Utf-8?B?VE0=?= <TM@discussions.microsoft.com> > >>>>>>>>>>>>>>> wrote on 08 nov 2007 in > >>>>>>>>>>>>>>> microsoft.public.windows.terminal_services: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>> I am having an issue installing programs > >>>>>>>>>>>>>>>> consoled in and logged in as admininstrator. > >>>>>>>>>>>>>>>> It keeps giving the message of "The system > >>>>>>>>>>>>>>>> administrator has set policies to prevent this > >>>>>>>>>>>>>>>> installation" > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>> I don't know of any policy set to prevent this > >>>>>>>>>>>>>>>> from even happening for the administrator. I > >>>>>>>>>>>>>>>> have went to the lengths of removing the group > >>>>>>>>>>>>>>>> policy for the users and trying it again > >>>>>>>>>>>>>>>> without any luck. > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>> Does anyone know how to reset everything on > >>>>>>>>>>>>>>>> that server or any suggestions. > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>> Thanks, > >>>>>>>>>>>>>>>> TM > >> > I'll have to look into it... Its been along time since I updated the > GPO............ > > > > -- > > Regards, > Hank Arnold > Microsoft MVP > Windows Server - Directory Services >
Recommended Posts