Re: Administrator Consoled in Can not install software

Asif Shah wrote:
Thanks for the insight Hank.

What GPO settings are talking about in particular? As Vera suggested I have the "Permissions compatible with Windows 2000 Users" in TSC already selected. I also have the windows installer GPO setting disabled. What other GPO can I touch. I will be changing the NTFS permissions today like Vera suggested.

Thanks.

"Hank Arnold (MVP)" wrote:

I'm a little confused... We control the installation of software by GPO. No one except someone in the Administrators group can install software on *ANY* computer (server, workstation, laptop, etc.)....period. In addition, we have a firewall (part of the Sophos End Point Security) that will not allow *any* program to run that has not been added to the firewall security.

We still have W2K servers with TS installed. I've never seen this problem. I'm forwarding this to my work id and I'll see what I can find.

To be honest, I can't guarantee I'll get to it today (Monday). This is typically my busiest day with several weekly reports due in the AM, I have to deal with all the problems the nurses have had over the weekend with their laptops and remote access as well as some major issues that just came up due to a vendor telling us that we need to spend a significant amount of $$ that is not in the budget. You haven't lived until you work for a non-profit and try to get IT money that isn't in the budget... :-(

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

Vera Noest [MVP] wrote:
Well, as I wrote, I don't remember the details of a W2K TS. During installation, you are asked to choose the "Compatibility mode". Is there anyting in tscc which mentions that? If so, you chould choose "Permissions compatible with Windows 2000 Users".

Anyone else maybe, who has access to a W2K TS?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 02 aug 2008 in
microsoft.public.windows.terminal_services:

I am looking at the Terminal Services Configuration - Server
Settings, which setting do I change. I dont see anything that
says "relaxed security".

"Vera Noest [MVP]" wrote:

OK, seems like the Terminal Services was installed with relaxed
security. It's a long time ago that I worked with W2K TS, so
I'm unsure about the details, but I believe that you can check
(and change?) this in Terminal Services Configuration - Server
settings.

You'll have to further secure the server with NTFS permissions
on the file system. At the minimum, modify the NTFS permissions
as follows: %SystemDrive%, %SystemRoot%, %ProgramFiles% and %SystemRoot%\system32 : System - Full Control
Administrators - Full Control
Authenticated Users - Read & Execute

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QXNpZiBTaGFo?= <AsifShah@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 01 aug 2008 in
microsoft.public.windows.terminal_services:

Vera,

My appoligies for adding to an older thread. I just thought
since you were dicussing a similiar problem I would post my
issue. I will keep in mind nex time.

I am the administrator and I am trying to restrict all
non-admin users from installing software on the server. This
is on a Windows 2000 server. How can I check if I installed
TS with full security. Apprently something is not setup
right, because few days ago I discovered that new software
were installed, some games and Mozilla Firebox. I checked
with my admins and they didnt. So it had to have been a
regular user. No other user has right like us admins. I even
did a test. I logged in as a normal user whose password I
knew and I was able to download and install Firefox and other
software.

The only thing I have done is disable the windows installer
but seems like that only works for software that use windows
installer to install itself. The article I read from
Microsoft that talks about this GPO mentions this condition.
What else can I do? What else can I check?

Thanks.

"Vera Noest [MVP]" wrote:

Asif, you seem to append to an old thread which was about
the opposite of your problem. That's very confusing. Next
time, please start a new thread and clearly state your
problem.

What exactly is it that you want to achieve? I'm assuming
that your are the Administrator of a TS, and that you want
to prohibit users to install software, is that correct? Or
do you want to disable this for all users, including
Administrators?

If you just want to take away this possibility for normal
users, the answer is that they don't have the proper rights
any way, assuming that you run on Windows 2003 and have
installed Terminal Services with "Full Security". They can
install applications in their home folder, but can't add or
replace system files, dll's etc.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

=?Utf-8?B?QXNpZiBTaGFo?=
<AsifShah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 01 aug 2008:

Vera,

I have disabled the windows installer but that only
applies to software installations that use windows
installer to install itself. There are other installs that
dont use windows install. e.g. installing Mozilla Firefox.
I have the GPO you mentioned for the windows installer
enabled but i can still install firefox........what else
can i try?

"Vera Noest [MVP]" wrote:

OK, thanks for the feedback, I'm glad that your problem
is solved! It's a bit puzzeling though that the problem
didn't disappear by configuring the GPO setting in the
domain-wide GPO applied to the TS, since those settings
override the local policy.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?VE0=?= <TM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on
14 nov 2007 in
microsoft.public.windows.terminal_services:

Thanks for your help it was the local policy that was
still turned on.


"Vera Noest [MVP]" wrote:

Did you run Resultant Set of Policies, as I suggested
in my previous post? That would tell you exactly which
policy has the setting configured.
You can edit the local policy with gpedit.msc

If you get this error message even when you are logged
in at the physical console of the server, then it
seems that Windows Installer is disabled completely,
not only for installations from within a TS session.
That setting can be found in Computer Configuration -
Administrative Templates - Windows Components -
Windows Installer "Disable Windows Installer"

Other troubleshooting tools could be:

223300 - How to Enable Windows Installer Logging
http://support.microsoft.com/?kbid=223300

221833 - How to enable user environment debug logging
in retail builds of Windows
http://support.microsoft.com/?kbid=221833
_______________________________________________________
__ Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email
___

=?Utf-8?B?VE0=?= <TM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
on 14 nov 2007 in
microsoft.public.windows.terminal_services:

Well I have went through on the domain controller
and removed the group policy for that server.
Even when consoled and logged in as Administrator it
still gives that error.

Is there any chance a setting could have been set
locally on that server. If so where does a person
look to find out if it has been reset?

thanks for your response

"Vera Noest [MVP]" wrote:

Given the error message that you get, I'm still
convinced it's a GPO setting. Have you tried
resultant set of Policies?

____________________________________________________
___ __ Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private
email ___

=?Utf-8?B?VE0=?= <TM@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 08 nov 2007 in
microsoft.public.windows.terminal_services:

Thanks for the reply

I found an article on doing that and it still
isn't working. I have even restarted the terminal
server to try and fix the issue.

Could there be a registry setting on the server
itself that would prevent installations?


"Vera Noest [MVP]" wrote:

Sounds like you want to enable this GPO setting:

Computer Configuration - Administrative
Templates - Windows Components - Windows
Installer "Allow admin to install from Terminal
Services session" _________________________________________________
___ ___ __ Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private
email ___

=?Utf-8?B?VE0=?= <TM@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 08 nov 2007 in
microsoft.public.windows.terminal_services:

I am having an issue installing programs
consoled in and logged in as admininstrator. It keeps giving the message of "The system
administrator has set policies to prevent this
installation"

I don't know of any policy set to prevent this
from even happening for the administrator. I
have went to the lengths of removing the group
policy for the users and trying it again
without any luck.

Does anyone know how to reset everything on
that server or any suggestions.

Thanks,
TM

I'll have to look into it... Its been along time since I updated the GPO............



--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
.

Relevant Pages