Windows Thread, How to move MSI installation share without GPO reinstallation in Technical; Just in the process of locking down our servers a bit more and noticed that the share on which our ...
17th November 2008, 11:13 AM #1
- Rep Power
How to move MSI installation share without GPO reinstallation
Just in the process of locking down our servers a bit more and noticed that the share on which our MSI Packages for deployment via GPO isn't hidden (... no $ after the share name). Would like to change the share from \\server\MSIPackages to \\server\MSIPackages$ . Is there anyway of doing this without having to remake all the GPOs and therefore forcing the system to all PCs to uninstall and then reinstall the MSI'd software?
Obviously we don't want out students to be able to browse to the share from their own PCs and start installing software that they aren't licenced for. Am I correct in thinking that access permissions for this share need to be set at Everyone to Read so that the networked PCs can read the MSI Packages and install them before anyone is logged on? What are the permissions on your shares for your MSI deployments?
Cheers in advance
IDG Tech News
17th November 2008, 11:17 AM #2
We share our application folder without the hidden attribute. It's no problem as staff and pupils cannot install software, they do not have permisions.
17th November 2008, 11:20 AM #3
I did the share moving recently, after a lot of deliberation I decided it would be best to allow the re-installation to occur.
The way that the re-installation works is that it checks the installed software and then only updates what it has to (i.e. it isn't a full installation). I simply removed the old software from teh GPOs and told them computers not to uninstall it and then added the new software paths. At reboot the re-installation occurred but it only took about 5-10 minutes... I did this after school too.
As for the permissions, I'm not sure.
17th November 2008, 11:20 AM #4
Can they not copy the contents onto a pen drive and use for personal use, thus illegally using the school's licenced software, if they are able to view the folder?
Originally Posted by jsnetman
17th November 2008, 11:24 AM #5
I suppose so, but then they would be using software illegally.
17th November 2008, 11:24 AM #6
Why not set a deny on the share for your student security group?
17th November 2008, 11:31 AM #7
- Rep Power
Seems like a good idea... but...
Originally Posted by powdarrmonkey
As a boarding school many students have their own laptops. As the MSI share has to be Read enabled to Everybody so that PCs on our domain can get install the MSIs before anyone logs on. Therefore if a student uses his own laptop what is to stop them browsing the network on that laptop (not logged on to our domain) to find the share which will let them get access to the files as they won't be logged in as Students to be denied access, and would just come under the 'Everybody' permissions and be able to Read the files.
17th November 2008, 11:35 AM #8
- Rep Power
Originally Posted by Ric_
Interesting... in the past I've found that trying to re-install an MSI over the same program already installed causes it to try to install everytime the PC is booted up. It usually goes through the Installing Software bit a lot faster than it would if it was installing it properly, but I presume it must fail as it retries each time......
... however this has been when I've already had the software manually installed. It may be different if the software was originally installed via GPO in the first place.
17th November 2008, 11:45 AM #9
Why do you need Everybody permissions again? thought these msi's are for gpo deployment. If that is the case the you only need Domain Computer rights and not user rights.
Originally Posted by TheFopp
17th November 2008, 11:50 AM #10
- Rep Power
Ahhhh... hadn't thought of that! Brilliant stuff. Cheers.
Originally Posted by apeo
17th November 2008, 12:28 PM #11
What would happen if you did this and then ran office for the first time ... it looks to the MSI to do the "first run" stuff, would it use the users permissions or the machines?
An alternative would be to remove the "List" permission from everyone which is how we stop nosy users browsing our shares.
17th November 2008, 12:46 PM #12
We have ours setup using computer rights rather than user rights.
I don't bother using $ shares at all anymore, it is folly.
If you want shares hidden - use SAMBA.
17th November 2008, 03:28 PM #13
I'm not sure. I don't know whether the engine will use its local cache of the MSI if it can't reach the share, or whether it runs as system or the user if it can. You could suck it and see, but removing List would be a good compromise.
Originally Posted by kmount
17th November 2008, 04:19 PM #14
Does the local PC hold a copy of the MSI? Our experience is that if a machine is "away" from the domain and someone tries to use something like an Outlook Import tool or something converter not already installed it fails looking for our server... Same principle I guess?
17th November 2008, 08:52 PM #15
If the Students laptops are on a different IP range than the servers, with a router in between the ranges, then you could amend the security on the Router/Firewall to block access to this server.
Or change the routing on the Server so that the IP range is not visible.
This assumes that:
a) the IP ranges are different.
b) there's nothing on the server that the users would need.
c) the firewall/router between them is clever enough.
d) there's nothing else within this workstation range that would need access to the server in question.
By meastaugh1 in forum Windows
Last Post: 18th April 2008, 05:48 PM
By roland in forum Educational Software
Last Post: 20th November 2007, 02:23 PM
By projector1 in forum Windows
Last Post: 1st February 2007, 08:42 AM
Last Post: 8th September 2006, 07:49 AM
By russdev in forum Windows
Last Post: 17th October 2005, 08:23 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)