Re: Software Restriction Hash
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/21/04
- Next message: Sophia: "How to find which service is using which port?"
- Previous message: Larry: "Re: Move port from Closed to Stealth"
- In reply to: klose: "Re: Software Restriction Hash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 21 Feb 2004 16:06:39 GMT
OK. I have not tried it with machine configuration yet. From your post it sounds as
if the user the policy is not being applied to is logging onto the local machine as
local administrator and not the domain as a regular user who also is in the local
administrators group on that computer. Since it is a machine policy, that would lead
me to also believe it should affect all users on that computer logging into the local
machine or the domain. What happens when a domain user that is also in the local
administrators group logs onto that machine? Are they denied access to run that
application? Of course restricting any local administrator is extremely difficult as
they can do things like create local administrator accounts and unjoin computers from
the domain. --- Steve
"klose" <norepl@noreply.com> wrote in message
news:%231a6xnI%23DHA.3568@TK2MSFTNGP10.phx.gbl...
> Hi Steve,
>
> It is a 2003 AD domain and GP.
> These policies are being applied on XP Pro.
>
> I am already working from the white paper you referred and have been
> reviewing your similar related posts.
> There is some other issue going on.
>
> The hash was created, in this case AOL V9, in the machine GP policy.
> The same copy of the software was moved to the XP pro client and tested. The
> hash is an exact match.
> I have been testing this GP on a test container and new GP with only these
> options. The user and the machine are both getting this GP applied and
> confirmed with gpupdate/result.
>
> Specifically, the option which prevents local admins is not working.
> When a regular user logs on, they are prevented to install. When a local
> admin logs on, they can freely install the software.
>
> The path rule could be used, and I have not tried that yet. But the Hash
> should block the install. I prefer to get the hash working to prevent the
> exe from running at all.
>
> I wonder if there is some other local or GP that overides this local admin
> rule.
>
>
>
>
> "Steven L Umbach" <sumbach@nospam-ameritech.net> wrote in message
> news:0dHZb.12777$PY.8511@newssvr26.news.prodigy.com...
> > I assume this is an XP Pro or W2003 machine as SRP do not work on W2K
> > machines. Possibly the administrator is using a different version of the
> > application that does not correspond to the hash. See link below for more
> > details on SRP as you may also want to try path rules in addition to
> > ash. -- Steve
> >
> >
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.asp
> >
> > "Klose" <noreply@noreply.com> wrote in message
> > news:1403701c3f837$60d83e20$a001280a@phx.gbl...
> > > My GP Machine software restriction hash prevents a user
> > > from installing an applicaiton OK , but still allows the
> > > local admin to install it.
> > > The option was set to ALL USERS, so the local admins
> > > could not bypass it.
> > >
> > > Why doesn't this work?
> >
> >
>
>
- Next message: Sophia: "How to find which service is using which port?"
- Previous message: Larry: "Re: Move port from Closed to Stealth"
- In reply to: klose: "Re: Software Restriction Hash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
