+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
MIS Systems Thread, Windows 7 : users cannot upgrade - my security policy is blocking - but why? in Technical; My policy is thus: And I cannot see why this should stop SIMS from updating.....with standard users on my windows ...
  1. #1
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30

    Windows 7 : users cannot upgrade - my security policy is blocking - but why?

    My policy is thus:


    And I cannot see why this should stop SIMS from updating.....with standard users on my windows 7 clients...


    Computer Configuration (Disabled)
    No settings defined.

    User Configuration (Enabled)
    Policies
    Windows Settings
    Security Settings
    Software Restriction Policies
    Enforcement
    Policy Setting
    Apply software restriction policies to the following All software files except libraries (such as DLLs)
    Apply software restriction policies to the following users All users
    When applying software restriction policies Ignore certificate rules

    Designated File Types
    File Extension File Type
    ADE Microsoft Access Project Extension
    ADP Microsoft Access Project
    BAS BAS File
    BAT Windows Batch File
    CHM Compiled HTML Help file
    CMD Windows Command Script
    COM MS-DOS Application
    CPL Control panel item
    CRT Security Certificate
    EXE Application
    HLP Help file
    HTA HTML Application
    INF Setup Information
    INS Inspiration 6 Document
    ISP ISP File
    LNK Shortcut
    MDB Microsoft Access Database
    MDE Microsoft Access MDE Database
    MSC Microsoft Common Console Document
    MSI Windows Installer Package
    MSP Windows Installer Patch
    MST MST File
    OCX ActiveX control
    PCD PCD File
    PIF Shortcut to MS-DOS Program
    REG Registration Entries
    SCR Screen saver
    SHS SHS File
    URL Internet Shortcut
    VB VB File
    WSC Windows Script Component

    Trusted Publishers
    Trusted publisher management Allow all administrators and users to manage user's own Trusted Publishers
    Certificate verification None


    Software Restriction Policies/Security Levels
    Policy Setting
    Default Security Level Disallowed

    Software Restriction Policies/Additional Rules
    Hash Rules
    HelpPane.exe (6.1.7600.16385); HelpPane.exe; Microsoft Help and Support; Microsoft® Windows® Operating System; Microsoft Corporation
    Security Level Disallowed
    Description
    Date last modified 17/03/2011 13:49:31


    Path Rules
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    Security Level Unrestricted
    Description
    Date last modified 01/02/2011 11:23:04

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\ProgramFilesDir%
    Security Level Unrestricted
    Description
    Date last modified 01/02/2011 11:23:04

    \\dc01-v\netlogon
    Security Level Unrestricted
    Description
    Date last modified 01/08/2011 19:21:57

    \\dc02-p\netlogon
    Security Level Unrestricted
    Description
    Date last modified 01/08/2011 19:22:46

    \\dc03-v\netlogon
    Security Level Unrestricted
    Description
    Date last modified 18/11/2011 08:27:46

    \\fp2\merits$
    Security Level Unrestricted
    Description
    Date last modified 15/09/2011 12:46:24

    \\fp2\SHApps\
    Security Level Unrestricted
    Description
    Date last modified 01/02/2011 13:09:32

    \\fp2\staff$\ebs
    Security Level Unrestricted
    Description EBS exe's from U:\
    Date last modified 22/06/2011 15:43:23

    \\fp3\Balcarras1$\sims\Setups\
    Security Level Unrestricted
    Description
    Date last modified 19/07/2011 10:18:45

    \\fp4\SHApps\
    Security Level Unrestricted
    Description
    Date last modified 01/02/2011 13:08:45

    \\simstest\c$\SIMS\Setups
    Security Level Unrestricted
    Description
    Date last modified 14/12/2011 12:16:55

    \\simstest\sims\setups\
    Security Level Unrestricted
    Description
    Date last modified 14/12/2011 12:36:24

    A:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:48:12

    B:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:48:08

    C:\Python27\
    Security Level Unrestricted
    Description Python
    Date last modified 16/12/2011 10:01:28

    D:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:48:02

    E:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:49:21

    F:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:48:16

    G:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:49:28

    H:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:49:47

    I:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:49:54

    J:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:50:01

    K:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:50:55

    L:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:51:01

    M:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:51:08

    O:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:51:37

    Q:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:51:46

    R:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:52:03

    S:\sims\Setups
    Security Level Unrestricted
    Description
    Date last modified 19/07/2011 10:19:16

    T:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:52:18

    W:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:52:47

    X:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:52:57

    Y:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:53:04

    Z:\
    Security Level Disallowed
    Description
    Date last modified 08/03/2011 15:53:17

  2. #2

    matt40k's Avatar
    Join Date
    Jun 2008
    Location
    Ipswich
    Posts
    4,388
    Thank Post
    368
    Thanked 637 Times in 519 Posts
    Rep Power
    158
    What about giving them access to the temp folders?

  3. #3
    ricki's Avatar
    Join Date
    Jul 2005
    Location
    uk
    Posts
    1,475
    Thank Post
    20
    Thanked 164 Times in 157 Posts
    Rep Power
    52
    Hi

    The tech from county said he changed the ntfs permissions to get it to update. I think on a folder but am not sure.

    Richard

  4. #4
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    The staff have full persmission on C:\Program Files\SIMS which apparently is enough....

    But with the above GPO in place - they cannot upgrade...I will have to try stripping it out bit by bit to see I can get it to work....


  5. #5
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    I reduced my software restriction policy down to:

    Default level = Disallowed - Software will not run, regardless of the access rights of the user.

    Unresticted PATHS:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    &
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\ProgramFilesDir%

    SIMS would not install correctly.

    I then added
    C:\ as an UNRESTRICTED PATH rule and the upgrade was fine for the non-admin users.

    How can I work out exactly where the software is running from on the C:\ drive?

  6. #6

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,689
    Thank Post
    334
    Thanked 515 Times in 483 Posts
    Rep Power
    179
    You could use something like ProcessMonitor Process Monitor to see what it's trying to access, but obviously there's a lot of things going on. It's probably some silly temp folder it makes just to be a pain

    Steve

  7. #7

    vikpaw's Avatar
    Join Date
    Sep 2006
    Location
    Saudi Arabia
    Posts
    5,848
    Thank Post
    671
    Thanked 1,383 Times in 1,145 Posts
    Rep Power
    350
    @kennysarmy - try program files\sims ; windows\temp ; windows\sims.ini ; to begin with.

    ADD: I think it's the last file that it might want to update:
    [LastChecked]SIMSInfrastructureSetup=5.590.5.0
    [Setup]
    Last edited by vikpaw; 19th December 2011 at 01:36 PM.

  8. #8
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    Quote Originally Posted by vikpaw View Post
    @kennysarmy - try program files\sims ; windows\temp ; windows\sims.ini ; to begin with.

    ADD: I think it's the last file that it might want to update:
    But by allowing executables to run from:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% IE C:\WINDOWS\
    &
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\ProgramFilesDir% IE C:\Program Files\

    that should cover the folder areas you mention...
    program files\sims ; windows\temp ; windows\sims.ini

    I;ve also allowed:
    \\simstest\sims\setups\
    and just in case also:
    \\simstest\c$\SIMS\Setups

    It's only when I add the C:\ root in as an allowable area for executables to run does it work...

    I tried running process monitor during an install but I could nt see how it would help - just suggested that SIMSLOAD.exe was accessing files from
    \\simstest\sims\setups\

  9. #9
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    ah OK i tried process explorer....

    going to download and try process monitor next

  10. #10


    Join Date
    Feb 2007
    Location
    51.405546, -0.510212
    Posts
    8,774
    Thank Post
    222
    Thanked 2,632 Times in 1,939 Posts
    Rep Power
    779
    The Standard User Analyzer from Microsoft's Application Compatibility Toolkit might be better suited to this task.


  11. #11
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    Perf. monitor helped and I tracked a lot of references to:
    C:\Users\tt\AppData\Local\Temp\ during the installation when C:\ was unrestricted

    tt - being the test user name

    I removed the C:\ unrestriction and put in place in the security policy

    an unrestriction on:

    C:\Users\tt\


    It allowed SIMS to install correctly....

    But surely I don't have to allow an unrestriction to allow sims to install correctly for every C:\users\

    The very place a nasty file would run from is likely to be C:\users


  12. #12

    matt40k's Avatar
    Join Date
    Jun 2008
    Location
    Ipswich
    Posts
    4,388
    Thank Post
    368
    Thanked 637 Times in 519 Posts
    Rep Power
    158
    This is the problem with users installing software, installers need to use the temp folder. Maybe it's time to look at SOLUS3?

  13. #13
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    Our SIMS support is LEA based - I don't think we can go Solus 3 unless it's part of their upgrade programme...

    How would it help? I don't know much about it....

  14. #14

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    737
    Thank Post
    17
    Thanked 105 Times in 65 Posts
    Rep Power
    36
    Quote Originally Posted by kennysarmy View Post
    Perf. monitor helped and I tracked a lot of references to:
    C:\Users\tt\AppData\Local\Temp\ during the installation when C:\ was unrestricted

    tt - being the test user name

    I removed the C:\ unrestriction and put in place in the security policy




    an unrestriction on:

    C:\Users\tt\


    It allowed SIMS to install correctly....

    But surely I don't have to allow an unrestriction to allow sims to install correctly for every C:\users\

    The very place a nasty file would run from is likely to be C:\users

    Hiya,

    Can you narrow down the path even more i.e. what folders does it create in the temp area you identified. I think on our cc3 network we have got some rules that has specific folders under the temp area set for sims to update correctly. This will solve the problem of allow eveyrthing to run from temp.

    One of the rules (path rule) that we have is %userprofile%\Local Settings\Temp\*.tmp. remember you can use the env variable such as %userprofile%, %homedrive% and also wild cards for files.

    Ash.

  15. #15
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    Quote Originally Posted by spc-rocket View Post
    Hiya,

    Can you narrow down the path even more i.e. what folders does it create in the temp area you identified. I think on our cc3 network we have got some rules that has specific folders under the temp area set for sims to update correctly. This will solve the problem of allow eveyrthing to run from temp.

    One of the rules (path rule) that we have is %userprofile%\Local Settings\Temp\*.tmp. remember you can use the env variable such as %userprofile%, %homedrive% and also wild cards for files.

    Ash.
    That's really useful many thanks - will give it a try.....

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 3
    Last Post: 7th May 2010, 07:55 PM
  2. [Windows Software] Windows 7 Pro. upgrade deployment to replace old Win XP and Vista
    By albertwt in forum Licensing Questions
    Replies: 8
    Last Post: 21st April 2010, 01:53 PM
  3. Replies: 12
    Last Post: 26th September 2006, 10:40 PM
  4. ICT Security Policy
    By Sylv3r in forum School ICT Policies
    Replies: 3
    Last Post: 20th September 2006, 08:49 PM
  5. Replies: 2
    Last Post: 9th January 2006, 07:43 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •