Re: Administrator Consoled in Can not install software

Yes.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 03 aug 2008 in
microsoft.public.windows.terminal_services:

You mean the permissions on C drive, WINNT folder, Program
Files, and WINNT/system32 folders?

"Vera Noest [MVP]" wrote:

Then the next step is to make sure that your users are normal
users, not Administrators or Power Users, and apply the NTFS
permissions which I mentioned. Those will see to it that they
cannot install anything which includes dlls or other files
which must reside in the windows folder.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 03 aug 2008 in
microsoft.public.windows.terminal_services:

I saw that settings. I had a feeling you were talking about
that. Permissions compatible with Windows 2000 Users is
already selected.

"Vera Noest [MVP]" wrote:

Well, as I wrote, I don't remember the details of a W2K TS.
During installation, you are asked to choose the
"Compatibility mode". Is there anyting in tscc which
mentions that? If so, you chould choose "Permissions
compatible with Windows 2000 Users".

Anyone else maybe, who has access to a W2K TS?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QXNpZiBTaGFo?=
<AsifShah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 02 aug 2008 in
microsoft.public.windows.terminal_services:

I am looking at the Terminal Services Configuration -
Server Settings, which setting do I change. I dont see
anything that says "relaxed security".

"Vera Noest [MVP]" wrote:

OK, seems like the Terminal Services was installed with
relaxed security. It's a long time ago that I worked with
W2K TS, so I'm unsure about the details, but I believe
that you can check (and change?) this in Terminal
Services Configuration - Server settings.

You'll have to further secure the server with NTFS
permissions on the file system. At the minimum, modify
the NTFS permissions as follows:
%SystemDrive%, %SystemRoot%, %ProgramFiles% and
%SystemRoot%\system32 :
System - Full Control
Administrators - Full Control
Authenticated Users - Read & Execute

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QXNpZiBTaGFo?=
<AsifShah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 01 aug 2008
in microsoft.public.windows.terminal_services:

Vera,

My appoligies for adding to an older thread. I just
thought since you were dicussing a similiar problem I
would post my issue. I will keep in mind nex time.

I am the administrator and I am trying to restrict all
non-admin users from installing software on the server.
This is on a Windows 2000 server. How can I check if I
installed TS with full security. Apprently something is
not setup right, because few days ago I discovered that
new software were installed, some games and Mozilla
Firebox. I checked with my admins and they didnt. So it
had to have been a regular user. No other user has
right like us admins. I even did a test. I logged in as
a normal user whose password I knew and I was able to
download and install Firefox and other software.

The only thing I have done is disable the windows
installer but seems like that only works for software
that use windows installer to install itself. The
article I read from Microsoft that talks about this GPO
mentions this condition. What else can I do? What else
can I check?

Thanks.

"Vera Noest [MVP]" wrote:

Asif, you seem to append to an old thread which was
about the opposite of your problem. That's very
confusing. Next time, please start a new thread and
clearly state your problem.

What exactly is it that you want to achieve? I'm
assuming that your are the Administrator of a TS, and
that you want to prohibit users to install software,
is that correct? Or do you want to disable this for
all users, including Administrators?

If you just want to take away this possibility for
normal users, the answer is that they don't have the
proper rights any way, assuming that you run on
Windows 2003 and have installed Terminal Services with
"Full Security". They can install applications in
their home folder, but can't add or replace system
files, dll's etc.

_______________________________________________________
__ Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

=?Utf-8?B?QXNpZiBTaGFo?=
<AsifShah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 01 aug
2008:

Vera,

I have disabled the windows installer but that only
applies to software installations that use windows
installer to install itself. There are other
installs that dont use windows install. e.g.
installing Mozilla Firefox. I have the GPO you
mentioned for the windows installer enabled but i
can still install firefox........what else can i
try?
.

Relevant Pages

  • Re: update rollup refuses to unstall on my pc {?}
    ... The .log file was saved when I tried to install a rollup update I downloaded ... Windows update saves non such log files on my computer. ... Media Center Ident Set part of the page. ... Microsoft MVP - Windows Media Center ...
    (microsoft.public.windows.mediacenter)
  • Re: Multi-user access of an Embedded Windows System ?
    ... First off, EWF is available ... > only for Windows XP Embedded, and is not intended to be used with XP Pro or ... > install, and in this case it sounds like the system would be best suited ... it looks to me like what you're referring to is the Terminal Server ...
    (microsoft.public.windowsxp.embedded)
  • Re: Repair Install and bypassing Activation
    ... used by software pirates to ... Ken Blake - Microsoft MVP Windows: ... My laptop screwed and I did a repair install using the ...
    (microsoft.public.windowsxp.general)
  • Re: DCOM Access Permissions
    ... Microsoft MVP (Windows Server System: Security) ... One of the requirements is that after the install, ...
    (microsoft.public.windows.server.security)
  • Re: Can not install an application on TS
    ... of a normal session. ... MCSE, CCEA, Microsoft MVP - Terminal Server ... Computer Configuration - Administrative templates - Windows ... "Allow admin to install from Terminal Services session" ...
    (microsoft.public.windows.terminal_services)
Loading