Prevent users from launching tsadmin.exe?

[Guest Dennis_S]

What is the best practice to prevent users from being able to launch

tsadmin.exe?

 

Thanks.

[Guest Vera Noest [MVP]]

Re: Prevent users from launching tsadmin.exe?

 

You can always change the NTFS permissions on tsadmin.exe

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com> wrote

on 19 mar 2008 in microsoft.public.windows.terminal_services:

> What is the best practice to prevent users from being able to

> launch tsadmin.exe?

>

> Thanks.

[Guest Dennis_S]

Re: Prevent users from launching tsadmin.exe?

 

Thanks for the reply Vera. I considered that option, but I don't want to

select Deny for the Users (computername\Users). If I delete this group, is

there a way to replace it if needed?

 

Much appreciated.

 

Dennis

 

"Vera Noest [MVP]" wrote:

> You can always change the NTFS permissions on tsadmin.exe

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com> wrote

> on 19 mar 2008 in microsoft.public.windows.terminal_services:

>

> > What is the best practice to prevent users from being able to

> > launch tsadmin.exe?

> >

> > Thanks.

>

[Guest Vera Noest [MVP]]

Re: Prevent users from launching tsadmin.exe?

 

I wouldn't add a "Deny" ACL, I would add an ACL which ensures that

you can continue to use tsadmin.exe, something like

computername\Administrators or maybe domain\Domain Admins with Full

Control and then remove the Authenticated Users ACL.

 

As long as you make sure that there is an ACL which allows you Full

Control (and there is no rule which denies you access), you can

always undo your changes. Keep in mind that a "Deny" rule overrides

other rules, so be extremely careful (or better: avoid) Deny rules.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com> wrote

on 20 mar 2008 in microsoft.public.windows.terminal_services:

> Thanks for the reply Vera. I considered that option, but I

> don't want to select Deny for the Users (computername\Users).

> If I delete this group, is there a way to replace it if needed?

>

> Much appreciated.

>

> Dennis

>

> "Vera Noest [MVP]" wrote:

>

>> You can always change the NTFS permissions on tsadmin.exe

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com>

>> wrote on 19 mar 2008 in

>> microsoft.public.windows.terminal_services:

>>

>> > What is the best practice to prevent users from being able to

>> > launch tsadmin.exe?

>> >

>> > Thanks.

[Guest Soo Kuan Teo [MSFT]]

Re: Prevent users from launching tsadmin.exe?

 

Can you please share why would you want to prevent users running tsadmin?

Please keep in mind that tsadmin functionalities also available in ts

command line tools.

Thanks

Soo Kuan

 

 

--

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns9A67D5F6A8281veranoesthemutforsse@207.46.248.16...

>I wouldn't add a "Deny" ACL, I would add an ACL which ensures that

> you can continue to use tsadmin.exe, something like

> computername\Administrators or maybe domain\Domain Admins with Full

> Control and then remove the Authenticated Users ACL.

>

> As long as you make sure that there is an ACL which allows you Full

> Control (and there is no rule which denies you access), you can

> always undo your changes. Keep in mind that a "Deny" rule overrides

> other rules, so be extremely careful (or better: avoid) Deny rules.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com> wrote

> on 20 mar 2008 in microsoft.public.windows.terminal_services:

>

>> Thanks for the reply Vera. I considered that option, but I

>> don't want to select Deny for the Users (computername\Users).

>> If I delete this group, is there a way to replace it if needed?

>>

>> Much appreciated.

>>

>> Dennis

>>

>> "Vera Noest [MVP]" wrote:

>>

>>> You can always change the NTFS permissions on tsadmin.exe

>>> _________________________________________________________

>>> Vera Noest

>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>> TS troubleshooting: http://ts.veranoest.net

>>> ___ please respond in newsgroup, NOT by private email ___

>>>

>>> =?Utf-8?B?RGVubmlzX1M=?= <DennisS@discussions.microsoft.com>

>>> wrote on 19 mar 2008 in

>>> microsoft.public.windows.terminal_services:

>>>

>>> > What is the best practice to prevent users from being able to

>>> > launch tsadmin.exe?

>>> >

>>> > Thanks.