
I am working on setting up software restriction for the pupils here; currently this is being done in a Test OU with a Test Pupil user which was copied from an existing user.
Up until yesterday things were going fine with it set to only allow the applications that I explicitly specified - down to the actual filename, or to a group of files in a folder.
But now I am having problems in that when I add a new "allowed" application to the list and then log in with the test user, it refuses to acknowledge that the program is now trusted for use.
The settings thus far are:
Disallow by default
=======
WORKING
=======
Name Type Security Level
C:\program files\microsoft office\office\*.exe Path Unrestricted
C:\program files\internet explorer\iexplore.exe Path Unrestricted
C:\program files\Crocodile Clips\Crocodile Technology 1.6\*.exe Path Unrestricted
\\mhs-pdc\NETLOGON\*.bat Path Unrestricted
C:\Windows\explorer.exe Path Unrestricted
C:\windows\system32\winlogon.exe Path Unrestricted
C:\windows\system32\userinit.exe Path Unrestricted
C:\windows\system32\rundll32.exe Path Unrestricted
\\mhs-pdc\kudos\kudos.exe Path Unrestricted
C:\Program Files\Grisoft\AVG7\*.exe Path Unrestricted
==========
NOT WORKING
==========
C:\program files\Corel\Corel Graphics 11\Programs\*.exe Path Unrestricted
C:\Program Files\Adobe\Photoshop 7.0\*.exe Path Unrestricted
C:\Program Files\Adobe\Acrobat 7.0\Reader\*.exe Path Unrestricted
C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\*.exe Path Unrestricted
C:\Program Files\Winzip\*.exe Path Unrestricted
C:\Pogram Files\Macromedia\Dreamweaver MX\Dreamweaver.exe Path Unrestricted
C:\Pogram Files\Macromedia\Dreamweaver MX\JVM\bin\*.exe Path Unrestricted
C:\windows\system32\*.exe Path Unrestricted
-
Is there something I'm doing wrong?
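Added example (not from the thread): a small Python check of the posted rule table against a constructed list of executables as they sit on disk. It uses simplified, assumed path-rule matching (case-insensitive, wildcard applied to the file name only) rather than SRP's real evaluator, and reports any rule that allows nothing that actually exists, which is the first thing to rule out before blaming policy refresh.

```python
import fnmatch
import ntpath

# Rule table as posted (path, security level); the "Pogram Files" typo is kept as posted.
RULES = [
    (r"C:\program files\microsoft office\office\*.exe", "Unrestricted"),
    (r"C:\program files\internet explorer\iexplore.exe", "Unrestricted"),
    (r"C:\windows\system32\*.exe", "Unrestricted"),
    (r"C:\Program Files\Adobe\Photoshop 7.0\*.exe", "Unrestricted"),
    (r"C:\Pogram Files\Macromedia\Dreamweaver MX\Dreamweaver.exe", "Unrestricted"),
]
DEFAULT_LEVEL = "Disallowed"  # "Disallow by default" in the post

# Constructed sample of executables as they actually exist on the test machine.
DISK_PATHS = [
    r"C:\Program Files\Microsoft Office\Office\WINWORD.EXE",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe",
    r"C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe",
]


def rule_matches(rule, path):
    r"""Assumed, simplified path-rule semantics: compare case-insensitively, the
    rule's folder must equal the file's folder, and the last component of the
    rule is a glob over the file name only (so C:\dir\*.exe is not recursive)."""
    rule_dir, rule_name = ntpath.split(rule)
    file_dir, file_name = ntpath.split(path)
    return (ntpath.normcase(rule_dir) == ntpath.normcase(file_dir)
            and fnmatch.fnmatchcase(file_name.lower(), rule_name.lower()))


def evaluate(path, rules=RULES):
    """Return (level, matching rule) for a launched file, falling back to the default."""
    for rule, level in rules:
        if rule_matches(rule, path):
            return level, rule
    return DEFAULT_LEVEL, None


def dead_rules(rules=RULES, disk_paths=DISK_PATHS):
    """Rules that allow nothing that exists on disk: usually a typo or wrong folder."""
    return [r for r, _ in rules if not any(rule_matches(r, p) for p in disk_paths)]


if __name__ == "__main__":
    for p in DISK_PATHS:
        print(evaluate(p)[0], p)
    print("rules matching nothing on disk:", dead_rules())
```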
Did you wait for the policies to update, or do a gpupdate /force (XP only) or a secedit /refreshpolicy machine_policy /enforce and secedit /refreshpolicy user_policy /enforce (2000), to make sure the policies were updated?

Using 2k3 server, and ran gpupdate after changing the settings. The user is logged out unless I am testing policy changes, so when I log in it picks up the new policies - just not the new program restrictions anymore - which it used to do.

Still not getting this to work
Checked the event log of the target machine, and I am getting the following error.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 17/01/2006
Time: 09:44:47
User: NT AUTHORITY\SYSTEM
Computer: IT-TESTBED
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Any suggestions?
Run 'netdiag' on the server and post the results.

Here are the results of NETDIAG...

I can get in before Dos_Box and say... "it's a DNS issue!"
If you look at the part that reads:
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.4.28.200' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '10.1.198.65'. Please wait for 30 minutes for DNS server replication.
PASS - All the DNS entries for DC are registered on DNS server '10.4.24.200' and other DCs also have some of the names registered.
It looks like you have a DNS replication problem which can cause problems like this to occur. Check that zone transfers are allowed between servers and try forcing a manual replication to see if that helps.

Yeah, was finding replication errors all over the place, found out why..
The RJ45 wall socket for the BDC had failed, and no one had noticed!!
Don't know when it was but it was at least 60 days ago, so the PDC was not wanting to talk to the BDC anymore - spent ages trying to get the replication back up and running - hopefully cracked it - AD-UC is now replicating over, will check DNS, etc tomorrow...
You are going to have problems with the Macromedia suite. In the college I administer I found that Dreamweaver spawns a process in the user's temp folder, called something similar to (random each time) ~edb112.tmp
Currently this means students can write to this folder and run anything. :'(

Any way of changing where this file is stored?
As far as I explored, there wasn't. I have taken the "security through obscurity" approach and ignored the problem and not talked about it.
The director of ICT here has said any problems from it and it's an admin thing (get parents in etc); we can reclone a PC using Symantec Ghost (that was fun getting it set up) so it's not a major problem.
It stores the files wherever the TEMP environment variable is set to. If you can change this to a place less obvious, or that is cleared out often, or a network share where EXEs are blocked from being stored (file screening on an HP NAS or Windows Server R2's file screening), this will obviously add network traffic and slow down Dreamweaver as it's accessing a network place.
Thinking about it, you could set the temp folder to their documents or profile folder with the file screening on; however 16-bit or some older software will be affected by this change... not good. I remember now I tried changing it and lots of our maths software stopped working.

I would really advise against fiddling with the temp environment variables unless you really need to as I've had lots of problems with it.
Ben
Yeah good plan!

OK, deleted the GPO and recreated it.
All OK with the stuff on the desktop (eg Word & IE).
However.. launch them from the Start menu - disallowed!!
Using local paths as the rules. Pupil using a mandatory profile..
Any ideas?
Wondering if it's cos of the local links but not sure how to use the registry as the links..