Software Restrictions via group policy may be an option for
you.
Hunter From: Edwin [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 04, 2004 7:59 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Fileserver and Self-Executing Programs What I have noticed, in
the couple of test I have done, is that if the installer is a MSI package, it
will immediately be denied any further access. If it is a *.exe then there
may be progress on the installation and it is up to the *.exe on how to
proceed. If a *.exe is used, the system itself appears never to be
modified except within the users own profile allotted
space. I am not sure how to
restrict file extensions on a folder. Do you have more information on
this? I know that I can
remove execute permissions but this will take some work to do and resolve my
issue. ß I am not
complaining about the work. Just that it will take some
time. I guess if there is a
way to filter out certain executables I would want to filter them all out.
So I guess removing execute access will be the best way. But this would
also mean I would have to remove this type of permission to their desktop or My
Documents since they could also install such a program there providing it was
under their 10MB limit. But to go that far would be nasty and I don’t
think it would be recommended. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Michael
Wassell The first thing that
comes to mind is disabling Windows Installer for non-managed apps via GPO,
considering you are already doing something similar as you had mentioned that
may be the most viable solution. Otherwise, I'm not sure
if its possible or how difficult it would be to implement but you could restrict
the use of certain file extensions in the user folder tree which would prevent
users from running executables for instance. Just two ideas... I'm
sure there will be more From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Edwin Within our domain, roaming profiles
are used. The roaming profiles are limited to 10MB by means of a GPO. The
user is also given a networked drive (K:\) that gives them an additional 40MB
which gives them a grand total of 50MB of usable space when on their
workstations. The 50MB limit is then enforced by Disk Quotas. The
roaming profile data and the networked drive are both on the same
machine. The user logging into their
workstation is not able to install applications unless first approved.
What I have noticed however is that users within the domain are still managing
to run unauthorized pieces of software. They are doing this by copying the
files K:\ The application that they want to use is a self executing
program that does not need to write data to the registry or modify the system in
any way. In one case, I noticed that a user
is using FireFox. I installed the software with under the same user
privileges and was able to do so but with a warning that the application may not
install correctly without Admin rights. The application did install to the K:\
and worked correctly when was opened. The good thing about this was that
anything that was written to the registry was access
denied. So here is the question. How
can I prevent users from installing these type of applications to the K:\?
When they do this, they are using resources on the remote machine that shouldn’t
be. I could care less that they are using more drive space since it will
only affect them and their ability to write more files to the remote machine or
will prevent them from logging off of their desktop until the space is
cleared. I don’t have a problem putting fear
into those who are doing this, but I would rather just cut them off and keep my
mouth shut if a solution is available. Any
thoughts? Thanks everyone for your
replies, Edwin |