prevent user installations

Jennifer Mar

Hi,

How do I prevent TS users from installing applications? I have configured
group policy to prohibit user installs under Windows Installer. What else
can I do?

Jen
 
If users only have Read access to the root of the systemdrive,
system files and program files, they can hardly install any
programs at all.
They still can try to install them in their home directory, but
they won't be able to install any dlls or other components in the
default locations.

Start with the following permissions on %SystemDrive%,
%SystemRoot%, %ProgramFiles% and %SystemRoot%\system32:

System and Administrators - Full Control
Authenticated Users - Read & Execute

Make sure that users have only Read permissions on the following
registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx


Give write permissions to specific files, directories and registry
keys if it is needed to get specific applications to run.

To find out which files or registry keys must be writeable by the
users to make an application work under Terminal Services,
download FileMon and RegMon from http://www.sysinternals.com/. Run
them as administrator at the console, start a TS session as a
normal user and try to run the application.

FileMon and RegMon will show you all "access denied" errors that
occur, so that you can give your users the necessary permissions
on a file-to-file or Registry subkey basis.
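
One way to check a server against the starting permissions listed in the reply above, as an added PowerShell example that is not part of the original thread. It assumes an elevated PowerShell prompt on the terminal server; the variable names and the choice of which access bits count as "write" are this example's own.

```powershell
# Added example (not from the thread): list Allow ACEs that grant write-type
# access on the locations named above to anyone except SYSTEM and Administrators.
$targets = @(
    ($env:SystemDrive + '\'),
    $env:SystemRoot,
    $env:ProgramFiles,
    (Join-Path $env:SystemRoot 'system32'),
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

# Well-known SIDs (locale independent): SYSTEM and BUILTIN\Administrators.
# Other built-in principals (for example TrustedInstaller on newer Windows
# versions) will be reported too; extend this list after reviewing them.
$trustedSids = @('S-1-5-18', 'S-1-5-32-544')

# Access bits treated as "write" here (an assumption of this example):
# write/set value, append/create subkey, delete child, delete,
# change permissions, take ownership, GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor
             0x80000 -bor 0x10000000 -bor 0x40000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # e.g. RunOnceEx may not exist
    $acl = Get-Acl -LiteralPath $path
    # Explicit and inherited ACEs, with identities returned as SIDs
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights } else { $ace.FileSystemRights }
        if (([int]$rights -band $writeMask) -eq 0) { continue }
        # Show a readable account name when the SID resolves, else the raw SID
        $name = try { $ace.IdentityReference.Translate(
                          [System.Security.Principal.NTAccount]).Value }
                catch { $sid }
        [pscustomobject]@{
            Path = $path; Principal = $name; Rights = $rights
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Format-Table -AutoSize
```

Each row is a principal other than the two trusted groups that can modify one of the listed locations. The script only reads ACLs and changes nothing.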
 