| Author | Messages | |
y2k
Posts:41
 | | 06/22/2009 2:10 PM |
| Hi All
We've got some problems where our users are installing "unauthorized software" to the Documents and Settings\%username% folder. Obviously this doesn't work for certain software, but for some software it does appear to work fine (such as Skype, Google Earth etc). We've set up a certificate rule blocking certain certificates for all our users (except helpdesk). We also wanted to stop the unauthorized applications from being run, so we use the "Don't run specified Windows applications" setting to put in the executable name (we know it's not 100% reliable, but we're happy enough with that).
The problem is that some of our users have Google Earth licenses or licenses for other software which is normally unauthorized. And these users have to be able to run that software. My problem is that I still want to block the Google Earth users from running any unauthorized software they might have run.
Is there any way of having 2 policies with the same setting (i.e., the setting above) and making them cumulative rather than overwrite each other?
Hope I've explained all this OK?
Cheers ! Martin
| | | |
| darren
Posts:386
 | | 06/22/2009 4:20 PM |
| Martin- Software Restriction Policies are additive by default (as long as rules don't conflict) so you should be able to craft this with SRP in a way that would work for you.
Darren
**** Darren Mar-Elia CTO & Founder SDM Software, Inc. "The Group Policy Experts" www.sdmsoftware.com Spot and report on GPO inconsistencies quickly with GPO Compare http://www.sdmsoftware.com/group_policy_compare
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Martin McDermott Sent: Monday, June 22, 2009 6:08 AM To: activedir@mail.activedir.org Subject: [ActiveDir] Cumulative GPO Registry Settings
| | | |
| y2k
Posts:41
 | | 06/22/2009 4:57 PM |
| Hi Darren
Thanks for the reply, didn't know that actually. Is there any way to make path rules so that they are relative rather than absolute? E.g., instead of blocking C:\Documents and Settings\%username%\Google\googleearth.exe, can I just block googleearth.exe? I can do this using registry policies.
Thanks ! Martin
| | | |
| darren
Posts:386
 | | 06/22/2009 5:21 PM |
| Yep, you can simply block "googleearth.exe" or, even better, you can use a registry path rule to block an app regardless of where the user installs it, assuming a given app registers its install directory in the registry.
Darren
| | | |
| darren
Posts:386
 | | 06/25/2009 5:24 PM |
| Martin- The following article does a great job of discussing the merging behavior of SRP (among other things):
http://technet.microsoft.com/en-us/library/bb457006.aspx#EEAA
Darren
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Martin McDermott Sent: Thursday, June 25, 2009 6:07 AM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Cumulative GPO Registry Settings
Hi Darren
Thanks so much for this - that's really good to know. Just one final question - what would be considered a conflict? Is it if a user were under the scope of 2 policies - one which says they can run Google Earth and one that says they can't? Suppose I have 2 policies, one which prevents all exe's from being run if they are under C:\Documents and Settings\%username% and a second policy which allows a particular exe to be run from C:\Documents and Settings\%username%\Local Settings\Application Data\MyApp. Would these be considered conflicting? Or will I just have to try this out and see !?!?
Thanks again Martin
| | | |
| y2k
Posts:41
 | | 06/25/2009 5:40 PM |
| Wow ... some light bedtime reading ... excellent!! As always, thanks for your help Darren
Cheers ! Martin
| | | |
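An added example, not part of the original thread: one way to check on a client how the SRP path rules from several GPOs were merged, as discussed above. It assumes the standard SRP policy registry location under Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, lists every path rule with its security level, marks registry path rules, and flags any path listed at more than one level so the overlap can be reviewed.

```powershell
# Added example (not from the thread): list SRP path rules merged from all applied GPOs.
# Assumes the SRP policy location Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
$levelNames = @{
    '0'      = 'Disallowed'
    '131072' = 'Basic User'
    '262144' = 'Unrestricted'
}
$roots = @{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
}

$rules = foreach ($scope in $roots.Keys) {
    if (-not (Test-Path $roots[$scope])) { continue }
    # Each numeric subkey is a security level; its Paths subkey holds one GUID key per rule.
    foreach ($levelKey in Get-ChildItem $roots[$scope]) {
        $pathsKey = "$($levelKey.PSPath)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem $pathsKey) {
            # Read ItemData unexpanded so %VAR% and %HKEY_...% rules show as written.
            $raw   = [string]$ruleKey.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
            $level = $levelNames[$levelKey.PSChildName]
            if (-not $level) { $level = "Level $($levelKey.PSChildName)" }
            $type  = 'Path'
            if ($raw -match '^%HKEY_') { $type = 'Registry path' }
            [pscustomobject]@{
                Scope = $scope
                Level = $level
                Type  = $type
                Path  = $raw
                Rule  = $ruleKey.PSChildName   # rule GUID
            }
        }
    }
}

$rules | Sort-Object Path, Level | Format-Table Scope, Level, Type, Path -AutoSize

# The same path listed at two different levels deserves a closer look.
$rules | Group-Object Path | ForEach-Object {
    $levels = @($_.Group | Select-Object -ExpandProperty Level -Unique)
    if ($levels.Count -gt 1) {
        Write-Warning "Path '$($_.Name)' appears at more than one level: $($levels -join ', ')"
    }
}
```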