  1. #1

    Join Date
    Aug 2005
    Location
    Shropshire
    Posts
    299
    Thank Post
    17
    Thanked 11 Times in 8 Posts
    Rep Power
    21

    Profile to allow just MS Word and MS Access

    Hi Folks,

    I've been asked to create a profile for a student that only allows access to Microsoft Word 2003 and Microsoft Office 2003. Any hints or tips on how I can achieve this, please?

    Using Windows XP SP2 and Server 2003 Ent on a Vanilla Network.

    Cheers,

    Matt

  2. #2

    Join Date
    Oct 2006
    Location
    uk
    Posts
    494
    Thank Post
    19
    Thanked 3 Times in 2 Posts
    Rep Power
    17

    Re: Profile to allow just MS Word and MS Access

    Create a new OU and pop the user into it (connected to the existing OU to allow existing permissions to filter down) and lock it down further with a new group policy. Specifically, there is a setting that allows you to specify which applications are allowed to run. Also think about redirected Start menus to hide shortcuts.

  3. #3

    Norphy's Avatar
    Join Date
    Jan 2006
    Location
    Harpenden
    Posts
    2,551
    Thank Post
    59
    Thanked 358 Times in 278 Posts
    Blog Entries
    7
    Rep Power
    131

    Re: Profile to allow just MS Word and MS Access

    Create an OU like Uraken says. In that OU, create a new GPO. Open the GPO, go to User Config, Windows Settings, Security Settings, Software Restriction Policies. On the right hand side it will say "No software restriction policies have been defined" or words to that effect.

    Right click on Software Restriction Policies, press Create New Policies. Go to Security Levels, right click on Disallowed and press Set as Default. Then click on Additional Rules. Remove the %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% entry and create a couple of new rules to the %programfiles%\microsoft office\office11\winword.exe and %programfiles%\microsoft office\office11\excel.exe files. Make sure the rules are set to allow.

    Put a user in that OU, and the user finds they're mysteriously restricted. However, they will still be able to run everything in the windows and system32 directories, so you may want to put more rules to disallow certain files (e.g. cmd.exe, sol.exe etc.)

  4. #4

    Join Date
    Aug 2005
    Location
    Shropshire
    Posts
    299
    Thank Post
    17
    Thanked 11 Times in 8 Posts
    Rep Power
    21

    Re: Profile to allow just MS Word and MS Access

    Thanks Guys for the info,

    I've setup like you said, and I get these results:-

    Created a new OU called restricted programs which has been created within the existing pupils OU Folder. Created a software restrictions policy, and modified it to allow (unrestricted) to the Office programs I want to allow, i.e. ...%programfiles%\microsoft office\Office11\winword.exe etc., and I've moved the user into that OU folder (in this case my test account).

    When I logon to a workstation I get the following:-

    1. It can't run the logon script, because it's obviously being blocked (Can I allow a script to be run just from the Netlogon share folder on the server?)

    2. If I try and open Word/Excel/Access etc from an Icon on the Desktop or from the Start Menu it says cannot open due to software restrictions on this account, but if I go to the Users Documents and open a Word Doc, Word will open, also true for Excel/PowerPoint and Publisher but not Access.

    Anybody got any clues? Is this something to do with maybe shortcuts being blocked as well?

    Cheers,

    Matt

  5. #5
    Irazmus's Avatar
    Join Date
    Feb 2006
    Location
    Suffolk
    Posts
    320
    Thank Post
    13
    Thanked 22 Times in 17 Posts
    Rep Power
    23

    Re: Profile to allow just MS Word and MS Access

    1. Yes. Set a path exception for //{domain}/netlogon (or the full script path if you want to be really safe).
    2. By default SRP classes shortcuts as executables, you need to either:
       • Remove .lnk from the executables list
       • Set exceptions for the shortcuts you need.

       The second option is probably best.

  6. #6

    Join Date
    Aug 2005
    Location
    Shropshire
    Posts
    299
    Thank Post
    17
    Thanked 11 Times in 8 Posts
    Rep Power
    21

    Re: Profile to allow just MS Word and MS Access

    OK

    I've removed the .lnk from the banned extensions list and it still won't let me click and open the Office applications!! But I have noticed that when you create a shortcut to an Office 2003 Application, it seems to create its own little icon shortcut made from an .exe file in the path similar to:-

    C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\wordicon.exe
    C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\pubs.exe
    C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\pptico.exe
    C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\xlicons.exe
    C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\accicon.exe

    Obviously these applications are blocked, hence the reason for them not opening when clicking the Icon, BUT if I unblock that particular path of the Installer, it doesn't mean it will be the same path on every machine, so is there a way to allow those .exe files regardless of where they are located?


    I've also added the path to the Netlogon folder, it now Executes the .bat logon file, but we also have a script using Windows Scripting and I get the error that says:-
    Windows Script Host
    Execution of the Windows Script Host failed. Windows cannot open this program because it has been prevented by a Software Restriction Policy.

    By allowing this program, will it create any problems? Or will it only allow the script to run successfully from the Netlogon folder as specified in the SRP?


    Any further hints??

    Cheers,

    Matt

  7. #7

    Join Date
    Jun 2006
    Location
    Belfast, N\'Ireland
    Posts
    190
    Thank Post
    10
    Thanked 9 Times in 7 Posts
    Rep Power
    19

    Re: Profile to allow just MS Word and MS Access

    Strange, I could have sworn the restriction policy was always supposed to let anything from windows/system32 run. Make a rule to allow windows\system32\wscript.exe to run and see if that lets it work. If it does, I'd consider manually adding a windows\system32 rule to save future problems. I'm going to check and see if MS changed this recently, because I'm almost sure in a previous job I had this set up and working without having to manually allow system32.

  8. #8
    Irazmus's Avatar
    Join Date
    Feb 2006
    Location
    Suffolk
    Posts
    320
    Thank Post
    13
    Thanked 22 Times in 17 Posts
    Rep Power
    23

    Re: Profile to allow just MS Word and MS Access

    Quote Originally Posted by mattpant
    is there a way to allow those .exe files regardless of where they are located?
    Set them using hash rules, then it won't matter where they are, they'll still be allowed.

    @Teth: As long as you leave the default rules intact, I'm sure that's how it works. My SRP had these rules set by default.
    Code:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe

  9. #9

    Join Date
    Aug 2005
    Location
    Shropshire
    Posts
    299
    Thank Post
    17
    Thanked 11 Times in 8 Posts
    Rep Power
    21

    Re: Profile to allow just MS Word and MS Access

    This is really starting to annoy now!!! It's still not behaving!!!

    I've added them .exe's as Hash files and also added in the path to wscript.exe as unrestricted but they still won't allow me to run!!!

    The settings were already in place for the following:-
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe

    and not removed.

    Any more clues!!!! Driving me mad!

    Cheers,

    Matt

  10. #10

    Norphy's Avatar
    Join Date
    Jan 2006
    Location
    Harpenden
    Posts
    2,551
    Thank Post
    59
    Thanked 358 Times in 278 Posts
    Blog Entries
    7
    Rep Power
    131

    Re: Profile to allow just MS Word and MS Access

    Try putting %allusersprofile% and %userprofile% in there and allowing it.

  11. #11

    Join Date
    Aug 2005
    Location
    Shropshire
    Posts
    299
    Thank Post
    17
    Thanked 11 Times in 8 Posts
    Rep Power
    21

    Re: Profile to allow just MS Word and MS Access

    Thanks Norphy,

    I added the variable %userprofile% and it worked! I can now open up the icons and run the programs no problem, but I still get the error about not being able to run the Windows Script Host?

    Any ideas why?

    Also, why would opening Word/Excel start working as soon as I added the %userprofile% section?

    I can see light at the end of this dark tunnel!!!!

    Regards,

    Matt....

  12. #12

    Norphy's Avatar
    Join Date
    Jan 2006
    Location
    Harpenden
    Posts
    2,551
    Thank Post
    59
    Thanked 358 Times in 278 Posts
    Blog Entries
    7
    Rep Power
    131

    Re: Profile to allow just MS Word and MS Access

    This is something I came across when I was doing something similar myself. I'm guessing that you have the right to execute the program but not the shortcuts in the profile. If you browsed to the folder that Office is stored in and tried to run the executable directly it would probably work.

    Where is the logon script stored? Try adding its location as an allow rule.
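
A simplified model of the rule evaluation discussed in posts #5, #8 and #10 to #12, added here as an example (it is not any poster's code and not Microsoft's implementation). It shows why a shortcut is blocked while winword.exe is allowed, and that an Unrestricted rule on the whole of %userprofile% also allows any executable saved there, whereas a per-shortcut or hash rule does not. The account name pupil1, the file names and the SHA-256 digest are constructed assumptions, and wildcard rules are not modelled.

```python
import hashlib
import ntpath

# Constructed environment for a hypothetical pupil account "pupil1".
ENV = {"%programfiles%": r"c:\program files",
       "%userprofile%": r"c:\documents and settings\pupil1"}
# Subset of SRP's default Designated File Types: .lnk and .mdb are on the list.
DESIGNATED = {".exe", ".bat", ".cmd", ".com", ".lnk", ".mdb", ".msi"}

def expand(pattern):
    """Lower-case a path rule and expand the variables defined in ENV."""
    p = pattern.lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p.rstrip("\\")

def evaluate(path, rules, file_hash=None, default="Disallowed"):
    """Security level this simplified model assigns to opening `path`."""
    p = path.lower()
    if ntpath.splitext(p)[1] not in DESIGNATED:
        return "Unrestricted"              # not a designated type: never checked
    for kind, value, level in rules:       # hash rules outrank path rules
        if kind == "hash" and value == file_hash:
            return level
    best = None
    for kind, value, level in rules:
        rule = expand(value)
        if kind == "path" and (p == rule or p.startswith(rule + "\\")):
            # Longest (most specific) path wins; on a tie Disallowed wins.
            key = (len(rule), level == "Disallowed")
            if best is None or key > best[0]:
                best = (key, level)
    return best[1] if best else default

OFFICE = r"%programfiles%\Microsoft Office\OFFICE11"
DESKTOP = r"C:\Documents and Settings\pupil1\Desktop"
# SHA-256 of constructed bytes stands in for the digest a hash rule stores.
ICON_HASH = hashlib.sha256(b"constructed stand-in for wordicon.exe").hexdigest()

BASE = [("path", OFFICE + r"\winword.exe", "Unrestricted"),
        ("hash", ICON_HASH, "Unrestricted")]
WIDE = BASE + [("path", "%userprofile%", "Unrestricted")]           # post #10
NARROW = BASE + [("path", DESKTOP + r"\Word.lnk", "Unrestricted")]  # post #5, option 2

if __name__ == "__main__":
    for name, rules in (("BASE", BASE), ("WIDE", WIDE), ("NARROW", NARROW)):
        for target in (DESKTOP + r"\Word.lnk", DESKTOP + r"\game.exe"):
            print(f"{name:7}{target:50}{evaluate(target, rules)}")
```
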

  13. #13
    mrforgetful's Avatar
    Join Date
    May 2006
    Posts
    1,639
    Thank Post
    7
    Thanked 15 Times in 15 Posts
    Rep Power
    23

    Re: Profile to allow just MS Word and MS Access

    How tight security does it need to be?

    I mean is this kid going to go trawling through somewhere with shortcuts he already has?

    I ask because in the past I've just given them a different Start Menu with only applications I want them to have, this hasn't shown any problems. But then it just depends how determined you think they will be.

  14. #14

    Join Date
    Aug 2005
    Location
    Shropshire
    Posts
    299
    Thank Post
    17
    Thanked 11 Times in 8 Posts
    Rep Power
    21

    Re: Profile to allow just MS Word and MS Access

    The logon script is located in \\curriculum\NETLOGON

    I've added this as allowed, and also added \\curriculum\NETLOGON\Script.vbs as being allowed.

    I have a pupils.bat file in the logon script that runs OK after adding the path to allowed, but I still seem to get the error about the Windows Script Host not running.

    Cheers,

    Matt

  15. #15

    Gatt's Avatar
    Join Date
    Jan 2006
    Posts
    6,808
    Thank Post
    880
    Thanked 684 Times in 453 Posts
    Rep Power
    505

    Re: Profile to allow just MS Word and MS Access

    You may be better to allow ALL files from your netlogon share to run

    e.g. just put \\curriculum\NETLOGON\ with no extensions after it
    I also had to specify wscript.exe and cscript.exe as allowed - I know it should be covered by the %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% lines, but was driving me nuts at the time


