| richardwhit 2003-05-11, 5:38 am |
| I have a legacy accounting application and in order that it can be used, users have to be added to the Power Users group on the local machine. This is a pain in itself, but the application is also available on my Citrix server which means users that have access to this application can do lots of things I don't want them to be able to do with my Citrix server.
What is the best way to prevent Power Users from installing or uninstalling programs?
In Group Policy I can set the following options - remove "Save program to disk", prevent access to "Add/Remove programs" and Control Panel and "prevent installation from removable media", so this more or less covers all options, but is there one setting available to prevent users from installing or removing programs? Or can anyone else think of anything I should be doing to lock down the rights of those users with Power User membership? | |
| TW2001 2003-05-11, 8:14 am |
| Why don't you create a path rule?
Local security policy (or at a higher level, depending on your environment).
Software restriction policies > Additional Rules.
Create a rule to allow access to the path of your accounting app.
This may prevent you from having to have those users in the Power Users group.
See if this works. | |
| richardwhit 2003-05-11, 9:40 am |
| lol, you always manage to confuse me.
My understanding is this: the default software restriction policy is unrestricted - so defining a path rule to the location of the accounting app would not make any difference, since surely the users already have access to that path, because there are no rules defined in the software restriction policy to prevent running programs from the location of the accounting app? | |
| TW2001 2003-05-11, 1:09 pm |
| The default security level is prohibiting the use of the application for a regular user account.
You configure a path rule allowing unrestricted access to the path of the application, hence allowing it to run for a regular user.
I understand your point. However, this may be a workaround. | |
| richardwhit 2003-05-12, 5:25 am |
| Sorry, I see what you mean now.
The problem is this though - the application does not have a local path associated with it - it's effectively just a shortcut to an executable file that is sitting on a NetWare server, and the users have RWCEMF permissions to the relevant directory, which is all they need to run the app.
It does have some associated registry entries but I have tried granting full control of these to the local users group to no avail. | |
| richardwhit 2003-05-15, 7:41 am |
| Hurray!
I took another look at the registry yesterday after installing the app on a new machine. It adds a registry key that I had missed before. I've now granted full control of this to the users group through Group Policy and the program works in the normal user context, no more Power Users. | |