Profile to allow just MS Word and MS Access
Hi Folks,
I've been asked to create a profile for a student that only allows access to Microsoft Word 2003 and Microsoft Office 2003. Any hints or tips on how I can achieve this, please?
Using Windows XP SP2 and Server 2003 Ent on a Vanilla Network.
Cheers,
Matt
Re: Profile to allow just MS Word and MS Access
Create a new OU and pop the user into it (connected to the existing OU to allow for existing permissions to filter down) and lock it down further with a new group policy; specifically there is a setting that allows you to specify what applications are allowed to run. Also think about redirected start menus to hide shortcuts.
Re: Profile to allow just MS Word and MS Access
Create an OU like Uraken says. In that OU, create a new GPO. Open the GPO, go to User Config, Windows Settings, Security Settings, Software Restriction Policies. On the right hand side it will say "No software restriction policies have been defined" or words to that effect.
Right click on Software Restriction Policies, press Create New Policies. Go to Security Levels, right click on Disallowed and press Set as Default. Then click on Additional Rules. Remove the %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% entry and create a couple of new rules for the %programfiles%\microsoft office\office11\winword.exe and %programfiles%\microsoft office\office11\excel.exe files. Make sure the rules are set to allow.
Put a user in that OU and the user finds they're mysteriously restricted. However they will still be able to run everything in the windows and system32 directories, so you may want to put in more rules to disallow certain files (e.g. cmd.exe, sol.exe etc.)
Re: Profile to allow just MS Word and MS Access
Thanks Guys for the info,
I've setup like you said, and I get these results:-
Created a new OU called restricted programs which has been created within the existing pupils OU folder. Created a software restrictions policy, and modified it to allow (unrestricted) the Office programs I want to allow, i.e. %programfiles%\microsoft office\Office11\winword.exe etc., and I've moved the user into that OU folder (in this case my test account).
When I logon to a workstation I get the following:-
1. It can't run the logon script, because it's obviously being blocked (Can I allow a script to be run just from the Netlogon share folder on the server?)
2. If I try and open Word/Excel/Access etc from an Icon on the Desktop or from the Start Menu it says cannot open due to software restrictions on this account, but if I go to the Users Documents and open a Word Doc, Word will open, also true for Excel/PowerPoint and Publisher but not Access.
Anybody got any clues? Is this something to do with maybe shortcuts being blocked as well?
Cheers,
Matt
Re: Profile to allow just MS Word and MS Access
1. Yes. Set a path exception for //{domain}/netlogon (or the full script path if you want to be really safe)
2. By default SRP classes shortcuts as executables, you need to either:
- Remove .lnk from the executables list
- Set exceptions for the shortcuts you need.
The second option is probably best.
Re: Profile to allow just MS Word and MS Access
OK
I've removed the .lnk from the banned extensions list and it still won't let me click and open the Office applications!! But I have noticed that when you create a shortcut to an Office 2003 Application, it seems to create its own little icon shortcut made from an .exe file in a path similar to:-
C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\wordicon.exe
C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\pubs.exe
C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\pptico.exe
C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\xlicons.exe
C:\WINDOWS\Installer\{9011-600-1DS...... etc etc\accicon.exe
Obviously these applications are blocked, hence the reason for them not opening when clicking the icon, BUT if I unblock that particular path of the Installer, it doesn't mean it will be the same path on every machine, so is there a way to allow those .exe files regardless of where they are located?
I've also added the path to the Netlogon folder, it now Executes the .bat logon file, but we also have a script using Windows Scripting and I get the error that says:-
Windows Script Host
Execution of the Windows Script Host failed. Windows cannot open this program because it has been prevented by a Software Restriction Policy.
By allowing this program, will it create any problems? Or will it only allow the script to run successfully from the Netlogon folder as specified in the SRP?
Any further hints??
Cheers,
Matt
Re: Profile to allow just MS Word and MS Access
Strange, I could have sworn the restriction policy was always supposed to let anything from windows/system32 run. Make a rule to allow windows\system32\wscript.exe to run and see if that lets it work. If it does I'd consider manually adding a windows\system32 rule to save future problems. I'm going to check and see if MS changed this recently because I'm almost sure in a previous job I had this set up and working without having to manually allow system32.
Re: Profile to allow just MS Word and MS Access
Quote:
Originally Posted by mattpant
is there a way to allow those .exe files regardless of where they are located?
Set them using hash rules, then it won't matter where they are, they'll still be allowed.
@Teth: As long as you leave the default rules intact, I'm sure that's how it works. My SRP had these rules set by default.
Code:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
Re: Profile to allow just MS Word and MS Access
This is really starting to annoy now!!! It's still not behaving!!!
I've added those .exe's as hash rules and also added in the path to wscript.exe as unrestricted but they still won't allow me to run!!!
The settings were already in place for the following:-
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
and not removed.
Any more clues!!!! Driving me mad!
Cheers,
Matt
Re: Profile to allow just MS Word and MS Access
Try putting %allusersprofile% and %userprofile% in there and allowing it.
Re: Profile to allow just MS Word and MS Access
Thanks Norphy,
I added the variable %userprofile% and it worked! I can now open up the icons and run the programs no problem, but I still get the error about not being able to run the Windows Script Host?
Any ideas why?
Also, why would opening Word/Excel start working as soon as I added the %userprofile% section?
I can see light at the end of this dark tunnel!!!!
Regards,
Matt....
Re: Profile to allow just MS Word and MS Access
This is something I came across when I was doing something similar myself. I'm guessing that you have the right to execute the program but not the shortcuts in the profile. If you browsed to the folder that Office is stored in and tried run the executable directly it would probably work.
Where is the logon script stored? Try adding its location as an allow rule.
Re: Profile to allow just MS Word and MS Access
How tight security does it need to be?
I mean is this kid going to go trawling through somewhere with shortcuts he already has?
I ask because in the past I've just given them a different Start Menu with only applications I want them to have, this hasn't shown any problems. But then it just depends how determined you think they will be.
Re: Profile to allow just MS Word and MS Access
The logon script is located in \\curriculum\NETLOGON
I've added this as allowed, and also added \\curriculum\NETLOGON\Script.vbs as being allowed.
I have a pupils.bat file in the logon script that runs OK after adding the path to allowed, but I still seem to get the error about the Windows Script Host not running.
Cheers,
Matt
Re: Profile to allow just MS Word and MS Access
You may be better off allowing ALL files from your netlogon share to run,
e.g. just put \\curriculum\NETLOGON\ with no extensions after it.
I also had to specify wscript.exe and cscript.exe as allowed - I know it should be covered by the %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% lines, but it was driving me nuts at the time.
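The SRP behaviour this thread keeps tripping over (shortcuts and .mdb files counting as executables while .doc files do not, a hash rule allowing a file wherever it sits, the most specific path rule winning, and the %userprofile% rule unblocking the Start Menu shortcuts) in a small Python model. This is an added illustration, not Microsoft's SRP implementation and not code from the thread; the environment values, file paths, file contents and the choice of SHA-256 for hash rules are constructed assumptions.

```python
"""Toy model of how SRP picks a security level for a file (illustration for this
thread, not Microsoft's code): designated types, hash rules, path rules, default."""
import fnmatch, hashlib, ntpath, re

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
# Subset of SRP's default designated file types: .lnk and .mdb are on the real list
# (shortcuts and Access databases get checked, .doc/.xls do not); .vbs is included
# here because Windows Script Host asks SRP before running a script.
DESIGNATED = {".exe", ".com", ".bat", ".cmd", ".lnk", ".mdb", ".msi", ".vbs"}
SYSROOT = r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%"
ENV = {"programfiles": r"C:\Program Files",                 # constructed XP workstation
       "userprofile": r"C:\Documents and Settings\pupil1",
       SYSROOT.strip("%").lower(): r"C:\WINDOWS"}           # env names are case-insensitive

def expand(rule):
    """Expand %var% / %HKLM\\...% tokens; add a separator when a name follows directly."""
    def sub(m):
        val, nxt = ENV[m.group(1).lower()], rule[m.end():m.end() + 1]
        return val if nxt in ("", "\\") or val.endswith("\\") else val + "\\"
    return re.sub(r"%([^%]+)%", sub, rule)

def path_matches(rule, path):
    r, p = expand(rule).lower().rstrip("\\"), path.lower()
    if "*" in r or "?" in r:                 # wildcard rule (fnmatch is a simplification)
        return fnmatch.fnmatchcase(p, r)
    return p == r or p.startswith(r + "\\")  # exact file rule, or anything under a folder

def add_hash_rule(policy, content, level=UNRESTRICTED):  # keyed on content, not location
    policy["hashes"][hashlib.sha256(content).hexdigest()] = level

def evaluate(policy, path, content=b""):
    """Return (level, reason): designated type? -> hash rules -> longest matching path rule -> default."""
    if ntpath.splitext(path)[1].lower() not in DESIGNATED:
        return UNRESTRICTED, "not a designated file type"
    level = policy["hashes"].get(hashlib.sha256(content).hexdigest())
    if level:
        return level, "hash rule"
    hits = [(len(expand(r)), r, lvl) for r, lvl in policy["paths"].items() if path_matches(r, path)]
    if hits:
        _, rule, lvl = max(hits)             # most specific (longest expanded) rule wins
        return lvl, "path rule " + rule
    return policy["default"], "default level"

def thread_policy(allow_userprofile=False):
    """Default level Disallowed plus the rules this thread ends up with."""
    paths = {SYSROOT: UNRESTRICTED,                          # SRP's own default rule
             SYSROOT + r"\system32\cmd.exe": DISALLOWED,     # more specific, so it wins
             r"%programfiles%\microsoft office\office11\winword.exe": UNRESTRICTED,
             "\\\\curriculum\\NETLOGON\\": UNRESTRICTED}     # whole netlogon share
    if allow_userprofile:                                    # Norphy's fix: shortcuts live here
        paths[r"%userprofile%"] = UNRESTRICTED
    return {"default": DISALLOWED, "hashes": {}, "paths": paths}
```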