Can I Disable Error Messages Produced by Software Restriction Policies?


Brad Berson

In a previous post I asked if there was a way to use Group Policies to
prevent users' login scripts from running. I'm concerned about the
damage potential in a Terminal Services environment, posed by login
scripts from business units that I cannot control but whose users must
have access to my servers.

There was no response at all here and none of my research turned up
anything terribly hopeful until I started reading about Software
Restriction Policies on Windows 2003.

I should be able to set a policy to disallow "\\*\*", which should
neatly remove the ability to run any program or script that isn't on
the Terminal Server's local drives, right?

But according to what I read, every time something violates the policy
the user is going to get an error message. That would make all the
user's logons rather ugly. Is there a way to disable the messages so
that violations would merely get logged quietly, if noticed at all?

Thanks for any help!

Brad
brad dott berson att bytebrothers dott org
 
I actually went ahead and tried this out, and I think that since the
logon scripts run minimized nobody will know the difference.

Now the PROBLEM... I can't figure out how well this is working!

There is no evidence of SRP doing anything in the server's event log.
I even added the LogFileName key and the resulting log file records
all the "unrestricted" events, but none of the "disallowed" events.

Argh!!!!

What am I missing??


-Brad
 
Well, I haven't actually tried this, but from what I've read it should work.

Apply a GPO that has Loopback processing turned on to the OU containing the
Terminal Servers.
Apply a second GPO to the same OU (or perhaps in the same GPO that has the
loopback setting) that specifies a Logon Script that runs an empty command
file.

With "Merge mode" loopback, the User settings applied by loopback processing
are applied after other User settings, so the Logon Script setting in the
GPO applied by the loopback feature should be the "winning" GPO. With
"Replace mode" loopback, GPOs that apply to the user's account are not
processed at all.

See http://support.microsoft.com/?kbid=231287 and
http://support.microsoft.com/?kbid=260370
 
Thanks, we've had a loopback GPO on that OU since day one. I can tell
that the SRP policy I've instated works by doing things like dumping a
copy of CALC.EXE on the root of C: and trying to run it from an
unprivileged logon, in which case an error dialogue does pop up. Yet
there's no evidence of that event either in the system event log or
the special log file!

This makes evaluating the success and troubleshooting the failures
rather difficult, when ALL you get is the events relating to processes
that were OK'd.


-Brad
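An added example, not code from the thread: a PowerShell script an administrator can run on the terminal server to confirm which SRP settings actually reached the machine (it reads the same Safer\CodeIdentifiers registry location that holds the LogFileName value added above) and to query the Application log for blocked-execution events. The event source name and event IDs used in the last function are assumed from the SRP behaviour on XP/2003-era systems, not taken from the thread.

```powershell
# Added example (not from the thread): inspect the effective SRP machine policy
# and look for blocked-execution events so "is it working?" can be answered
# from data rather than from whether a dialog popped up.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP security levels as stored in the registry (subkey names under CodeIdentifiers)
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    # Top-level values: default level, scope (1 = skip local admins), advanced log path
    if (-not (Test-Path $base)) { Write-Warning 'No SRP policy present on this machine'; return }
    $root = Get-ItemProperty -Path $base
    [pscustomobject]@{
        DefaultLevel       = $levelNames[[int]$root.DefaultLevel]
        PolicyScope        = $root.PolicyScope
        TransparentEnabled = $root.TransparentEnabled   # 2 = also check DLLs
        LogFileName        = $root.LogFileName          # empty if advanced logging is off
    }
}

function Get-SrpPathRules {
    # Each level is a numeric subkey; its Paths\{GUID} children hold the path rules
    foreach ($lvl in (Get-ChildItem $base | Where-Object { $_.PSChildName -match '^\d+$' })) {
        $paths = Join-Path $lvl.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            $p = Get-ItemProperty $rule.PSPath
            [pscustomobject]@{
                Level       = $levelNames[[int]$lvl.PSChildName]
                Path        = $p.ItemData          # e.g. \\*\* to block all UNC paths
                Description = $p.Description
            }
        }
    }
}

function Get-SrpBlockEvents {
    param([int]$Newest = 50)
    # ASSUMPTION: on XP/2003 SRP writes blocked executions to the Application log
    # under this source with IDs 865-868 (default level / path / certificate / zone).
    Get-EventLog -LogName Application -Source 'Software Restriction Policies' -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -ge 865 -and $_.EventID -le 868 } |
        Select-Object TimeGenerated, EventID, UserName, Message
}

Get-SrpSummary | Format-List
Get-SrpPathRules | Format-Table -AutoSize
Get-SrpBlockEvents | Format-Table -AutoSize
```

Run it from an elevated session; if the summary shows your rule but no block events appear after a known-blocked launch, the policy is applied but the logging channel you are watching is not the one receiving the denials.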
 