Controlling user access to applications (Newbie question)

[Guest Pieman]

How do you go about controlling which users can run specific applications

that are installed in a TS environment?

 

As an example, say you have 100 users connecting into a TS server that has

MS Office and MS Project installed, but you only have a need for 5 users to

run Project how would you prevent the remaining users from having the ability

to run Project or even know that it was installed but still allow them to run

Office?

 

Cheers

[Guest Vera Noest [MVP]]

Re: Controlling user access to applications (Newbie question)

 

One way to achieve this is by changing the NTFS permissions on the

main executable file for MS project.

 

Another way is to use a Software Restriction policy and use security

filtering of the GPO to apply it only to specific user groups.

 

324036 - HOW TO: Use Software Restriction Policies in Windows Server

2003

http://support.microsoft.com/?kbid=324036

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?UGllbWFu?= <Pieman@discussions.microsoft.com> wrote on

28 nov 2007 in microsoft.public.windows.terminal_services:

> How do you go about controlling which users can run specific

> applications that are installed in a TS environment?

>

> As an example, say you have 100 users connecting into a TS

> server that has MS Office and MS Project installed, but you only

> have a need for 5 users to run Project how would you prevent the

> remaining users from having the ability to run Project or even

> know that it was installed but still allow them to run Office?

>

> Cheers

[Guest Pieman]

Re: Controlling user access to applications (Newbie question)

 

Vera,

 

Thanks for replying, I was thinking along the lines of software restrictions

using GP, but have never used them before, can you elaborate a bit more on

how to utilise them on a TS?

 

Regards

Pieman

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns99F69842A57A2veranoesthemutforsse@207.46.248.16...

> One way to achieve this is by changing the NTFS permissions on the

> main executable file for MS project.

>

> Another way is to use a Software Restriction policy and use security

> filtering of the GPO to apply it only to specific user groups.

>

> 324036 - HOW TO: Use Software Restriction Policies in Windows Server

> 2003

> http://support.microsoft.com/?kbid=324036

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?UGllbWFu?= <Pieman@discussions.microsoft.com> wrote on

> 28 nov 2007 in microsoft.public.windows.terminal_services:

>

>> How do you go about controlling which users can run specific

>> applications that are installed in a TS environment?

>>

>> As an example, say you have 100 users connecting into a TS

>> server that has MS Office and MS Project installed, but you only

>> have a need for 5 users to run Project how would you prevent the

>> remaining users from having the ability to run Project or even

>> know that it was installed but still allow them to run Office?

>>

>> Cheers

>

[Guest Vera Noest [MVP]]

Re: Controlling user access to applications (Newbie question)

 

You should really read the KB article on how to use Software

Restriction policies, or better stil, here's a TechNet article

which explains all the steps in detail:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstr

plcy.mspx

 

But I can give you the broad picture:

 

* put your TS computer account in a separate OU, let's call it

TS_OU

* do not put your user accounts in this TS_OU

* create a security group, let's call it ProjectUsers

* add all users who are allowed to use MS Project to this group

* create a TS-specific GPO, link it to the TS_OU

* configure the Software Restictions policies in this GPO, under

User Configuration, set the default value to "Unrestricted" and

then create an exception for MSProject and set it to "Disallowed"

* configure loopback processing with the Replace option in this

GPO, under Computer Configuration - Administrative Templates -

System - Group Policy

* in the security filtering of the GPO, add the ProjectUsers

security group, and check "Deny" for the right to Read and Apply

this GPO.

 

The effect of the above is that the policy will only apply to users

when they connect to the TS, not when they logon to their

workstation (that's done with loopback processing), and the

security filtering makes sure that the policy (and thus the

Software Restriction) doesn't apply to members of the ProjectUsers

group.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Pieman" <bullens_at_no_spam_nifcoeu.com> wrote on 28 nov 2007 in

microsoft.public.windows.terminal_services:

> Vera,

>

> Thanks for replying, I was thinking along the lines of software

> restrictions using GP, but have never used them before, can you

> elaborate a bit more on how to utilise them on a TS?

>

> Regards

> Pieman

>

> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

> in message

> news:Xns99F69842A57A2veranoesthemutforsse@207.46.248.16...

>> One way to achieve this is by changing the NTFS permissions on

>> the main executable file for MS project.

>>

>> Another way is to use a Software Restriction policy and use

>> security filtering of the GPO to apply it only to specific user

>> groups.

>>

>> 324036 - HOW TO: Use Software Restriction Policies in Windows

>> Server 2003

>> http://support.microsoft.com/?kbid=324036

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?UGllbWFu?= <Pieman@discussions.microsoft.com> wrote

>> on 28 nov 2007 in microsoft.public.windows.terminal_services:

>>

>>> How do you go about controlling which users can run specific

>>> applications that are installed in a TS environment?

>>>

>>> As an example, say you have 100 users connecting into a TS

>>> server that has MS Office and MS Project installed, but you

>>> only have a need for 5 users to run Project how would you

>>> prevent the remaining users from having the ability to run

>>> Project or even know that it was installed but still allow

>>> them to run Office?

>>>

>>> Cheers

[Guest ThomasT.]

Re: Controlling user access to applications (Newbie question)

 

Hi,

 

If you only need to control "Which user can run specific applications", you

can use Remote Application Center , it's freeware, you can get it here:

http://www.mqtechnologies.com

 

Hope this help

 

Regards

 

ThomasT.

 

 

 

 

 

"Pieman" <Pieman@discussions.microsoft.com> wrote in message

news:72C9C132-0B4D-41CE-A409-341DDC3C07AF@microsoft.com...

> How do you go about controlling which users can run specific applications

> that are installed in a TS environment?

>

> As an example, say you have 100 users connecting into a TS server that has

> MS Office and MS Project installed, but you only have a need for 5 users

> to

> run Project how would you prevent the remaining users from having the

> ability

> to run Project or even know that it was installed but still allow them to

> run

> Office?

>

> Cheers

[Guest Pieman]

Re: Controlling user access to applications (Newbie question)

 

Thanks again Vera,

 

Very concise and just what I was looking for.

 

Regards

Pieman

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns99F6ABE46DC66veranoesthemutforsse@207.46.248.16...

> You should really read the KB article on how to use Software

> Restriction policies, or better stil, here's a TechNet article

> which explains all the steps in detail:

> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstr

> plcy.mspx

>

> But I can give you the broad picture:

>

> * put your TS computer account in a separate OU, let's call it

> TS_OU

> * do not put your user accounts in this TS_OU

> * create a security group, let's call it ProjectUsers

> * add all users who are allowed to use MS Project to this group

> * create a TS-specific GPO, link it to the TS_OU

> * configure the Software Restictions policies in this GPO, under

> User Configuration, set the default value to "Unrestricted" and

> then create an exception for MSProject and set it to "Disallowed"

> * configure loopback processing with the Replace option in this

> GPO, under Computer Configuration - Administrative Templates -

> System - Group Policy

> * in the security filtering of the GPO, add the ProjectUsers

> security group, and check "Deny" for the right to Read and Apply

> this GPO.

>

> The effect of the above is that the policy will only apply to users

> when they connect to the TS, not when they logon to their

> workstation (that's done with loopback processing), and the

> security filtering makes sure that the policy (and thus the

> Software Restriction) doesn't apply to members of the ProjectUsers

> group.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> "Pieman" <bullens_at_no_spam_nifcoeu.com> wrote on 28 nov 2007 in

> microsoft.public.windows.terminal_services:

>

>> Vera,

>>

>> Thanks for replying, I was thinking along the lines of software

>> restrictions using GP, but have never used them before, can you

>> elaborate a bit more on how to utilise them on a TS?

>>

>> Regards

>> Pieman

>>

>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

>> in message

>> news:Xns99F69842A57A2veranoesthemutforsse@207.46.248.16...

>>> One way to achieve this is by changing the NTFS permissions on

>>> the main executable file for MS project.

>>>

>>> Another way is to use a Software Restriction policy and use

>>> security filtering of the GPO to apply it only to specific user

>>> groups.

>>>

>>> 324036 - HOW TO: Use Software Restriction Policies in Windows

>>> Server 2003

>>> http://support.microsoft.com/?kbid=324036

>>> _________________________________________________________

>>> Vera Noest

>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>> TS troubleshooting: http://ts.veranoest.net

>>> ___ please respond in newsgroup, NOT by private email ___

>>>

>>> =?Utf-8?B?UGllbWFu?= <Pieman@discussions.microsoft.com> wrote

>>> on 28 nov 2007 in microsoft.public.windows.terminal_services:

>>>

>>>> How do you go about controlling which users can run specific

>>>> applications that are installed in a TS environment?

>>>>

>>>> As an example, say you have 100 users connecting into a TS

>>>> server that has MS Office and MS Project installed, but you

>>>> only have a need for 5 users to run Project how would you

>>>> prevent the remaining users from having the ability to run

>>>> Project or even know that it was installed but still allow

>>>> them to run Office?

>>>>

>>>> Cheers

>