Re: set service start permissions to Administrator only



Hello Mathieu, Anthony and Roger!

Thank you for Your replies! And special thanks to
Mathieu Chateau, who was around all the time
and gave me many suggestions!

After reinstalling Office 2007 a few times, the only
catch I noticed was a warning application event from
before the reinstallations... Word had some problems
accessing "HKEY_CLASSES_ROOT\.pip". I deleted the
related keys, but even after clean reinstallation,
my problem remained.

Visual Studio 2008 beta 2 had stopped working due to
Office reinstallation. I was really tired for things
were getting worse and worse with every step I did.

But when I analyzed the permissions for that key
I noticed that they were very restrictive:
System:F, Administrators:R
Limited users had no chance for accessing anything
under "HKEY_CLASSES_ROOT". I compared this to the
virtual machine where the permissions are:
System:F, Administrators:F, Users:R, Power Users:special

I applied the proper security settings to the entire key
"HKEY_CLASSES_ROOT" and then reinstalled Office 2007.

Now everything works just fine for the limited users.
Word will not attempt to install, not even for once -
as some of you had told me.

Visual Studio repair took a lot of time, but at least
it's ready to work again!


It's time for the big backup! :-)
I've about 31 GB backups to compress (hopefully on 2 DVDs)
This is about 24h CPU time at the slowest 7-zip settings.

Cheers everyone, and thanks again!



George Valkov



"Mathieu CHATEAU" wrote:
| just about the "install mode", all recent MSI do it automatically:
|
| http://technet2.microsoft.com/windowsserver2008/en/library/6656a734-b480-4533-b131-281d755df4b31033.mspx?mfr=true
| If you install a program from an .msi package, you do not have to run these
| commands to switch the system in and out of install mode. Instead, you can
| run the .msi package or associated Setup file directly.
|
|
| BUT, office 2007 seems to need it as it's a setup:
| Deploy the 2007 Office system on a Terminal Services-enabled computer
|
| http://technet2.microsoft.com/Office/en-us/library/7e816caa-7c1c-4d78-ac28-693aa4ea58d81033.mspx?mfr=true
|
| =>George, did you use it (change user /install) ?
|
| By the way, about the way to install office 2007:
| When users run the 2007 Office release on a Terminal Services-enabled
| computer, they cannot install, configure, or uninstall features or
| applications. This is because the features and applications are installed on
| the terminal server and not on the client computer, and users do not have
| administrative rights to install, configure, or uninstall software on the
| terminal server. Consequently, you must be sure that the installation state
| for each feature and application is configured as Run from My Computer (that
| is, fully installed) or Not Available (that is, not installed). If the
| installation state for a feature or application is configured as Installed
| on First Use, users will see a warning if they attempt to use the feature or
| run the application. For example, if you configure the installation state
| for an application to Installed on First Use, the following error appears
| when a user tries to run the application:
|
|
| --
| Cordialement,
| Mathieu CHATEAU
| http://lordoftheping.blogspot.com
|
|
| "Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message
| news:OtrR3dY4HHA.4436@xxxxxxxxxxxxxxxxxxxxxxx
| > George,
| > The Office "repair" needs to set up the per-user settings for each user, in
| > the user profile and HKCU. If you stop it, Word will start but without
| > user settings. The "repair" should only be running in the user context, as
| > it does not require admin rights to set the per-user settings.
| > As you are installing it on a server, I am wondering if you are using
| > Terminal Services. If so, you have to install Office in Install Mode,
| > otherwise the per-user elements (like the shortcuts on the installing
| > user's desktop) will be installed incorrectly.
| > If you want to customise Office (for example by removing the ShellNew), you
| > will need to do it by using the Office Resource Kit. I doubt if you can do
| > it successfully by blocking the permissions, as that will just trigger
| > continual repairs.
| > Apologies in advance if I have misunderstood,
| > Anthony.
| > http://www.airdesk.co.uk
| >
| > "George Valkov" <a@xxxxx> wrote in message
| > news:OEhI$pX4HHA.2752@xxxxxxxxxxxxxxxxxxxxxxx
| >> Thank You for the reply, Mathieu, but this doesn't fix my problem.
| >>
| >> I don't want any exceptions for any services. Limited users must not be
| >> able to start services.
| >>
| >>
| >> Now about Your suggestion, this is what I did to test it:
| >>
| >> create account "testUser"
| >> member in groups "Users", "Remote Desktop Users"
| >> remote desktop to localhost, login as testUser
| >> start Word, asks for Name and Initials...
| >> Office 2007 setup starts and completes in 2 minutes.
| >> Word displays "Privacy Options", I unchecked all
| >> Quit Word.
| >>
| >> Start Word again... Office 2007 setup again...
| >> Word is ready for use in 2 minutes,
| >>
| >> Disable and stop "Office Source Engine" service
| >> Disable and stop "Windows Installer" service
| >>
| >> Start Word... 'An error occurred and this feature
| >> is no longer functioning properly. Please run
| >> Setup and select "Repair..." to restore this
| >> application.'
| >>
| >> Click OK -- Word shows and is ready to use!
| >> No delays, no problems, no any kind of trouble!
| >>
| >> I've tried reinstalling or repairing Office, but
| >> nothing helps! This problem is ever since I
| >> installed it for the first time. I also had the
| >> same problem with Office 2003. I also had the same
| >> problem in my previous and my current installation
| >> of Windows 2003 server.
| >>
| >> Well this could be because I've removed the "ShellNew"
| >> for all of the office documents, of course Word wants
| >> to restore it, but to prevent this I've set explicit
| >> Deny permissions for changing those keys in the registry.
| >>
| >>
| >>
| >> George Valkov
| >>
| >>
| >>
| >> "Mathieu CHATEAU" wrote :
| >> | Hello,
| >> | Only administrators can start/stop services
| >> |
| >> | These services are exceptions, they are called to impersonate Office through
| >> | the MSI technology
| >> |
| >> | If you create a fresh user, it should only do that once, no more.
| >> |
| >> | --
| >> | Cordialement,
| >> | Mathieu CHATEAU
| >> | http://lordoftheping.blogspot.com
| >> |
| >> |
| >> | "George Valkov" <a@xxxxx> wrote in message
| >> | news:eLg6HvR4HHA.4184@xxxxxxxxxxxxxxxxxxxxxxx
| >> | > Hello everyone!
| >> | > I'd like to know, how can I configure the permissions for a service so
| >> | > that only Administrators can start it.
| >> | >
| >> | >
| >> | > I have a problem with Microsoft Office 2007 installed on Windows 2003 SP2
| >> | > Enterprise. When I start for example Word as an Administrators member -
| >> | > all seems just fine. But if I change that account to User or Power User and
| >> | > remove it from the Administrators group:
| >> | >
| >> | > When Word is started as a limited user, it starts Windows Installer
| >> | > service and Office Source Engine service. It takes about 2 minutes to complete the
| >> | > installation and Word is ready for use. But the next time he starts Word,
| >> | > it starts installing again.
| >> | >
| >> | > On the other hand, if those two services are disabled, Word starts just
| >> | > fine with no delays, no installations and is ready for use. So that's why I'd
| >> | > like to prevent limited users from starting those two services.
| >> | >
| >> | > Oh, by the way It will be much better if the limited users cannot start
| >> | > any services or drivers at all. This will increase the security. Is there any
| >> | > such setting or group policy, and where?
| >> | >
| >> | >
| >> | > Thank You for any help or web-link!
| >> | >
| >> | >
| >> | > George Valkov
| >> | >
| >> | >
| >> | >
| >> |
| >>
| >>
| >
| >
|
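
The ACL comparison George describes at the top of this message (System:F, Administrators:R on the broken machine versus System:F, Administrators:F, Users:R on the working VM) can be checked with a short PowerShell script. This is an added example, not code from any poster in the thread; the function name Test-RegistryKeyAcl is hypothetical and the English account names are an assumption.

```powershell
# Added example (not from the thread). Baseline = the ACL George read off the
# working VM: System:F, Administrators:F, Users:R.
# Assumption: English account names; localized Windows names them differently.
$Baseline = @{
    'NT AUTHORITY\SYSTEM'    = [System.Security.AccessControl.RegistryRights]::FullControl
    'BUILTIN\Administrators' = [System.Security.AccessControl.RegistryRights]::FullControl
    'BUILTIN\Users'          = [System.Security.AccessControl.RegistryRights]::ReadKey
}

function Test-RegistryKeyAcl {
    param(
        [string]$Path = 'Registry::HKEY_CLASSES_ROOT',
        [hashtable]$Expected = $Baseline
    )
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Accumulate the Allow rights each identity holds on the key itself.
    $granted = @{}
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ACEs flagged InheritOnly apply to subkeys, not to this key.
        if (([int]($ace.PropagationFlags) -band $inheritOnly) -ne 0) { continue }
        $id = $ace.IdentityReference.Value
        $granted[$id] = [int]($granted[$id]) -bor [int]($ace.RegistryRights)
    }
    # Report every identity that is either expected or actually present.
    foreach ($id in (@($Expected.Keys) + @($granted.Keys) | Sort-Object -Unique)) {
        $have = [int]($granted[$id])
        if (-not $Expected.ContainsKey($id)) { $status = 'not in baseline' }
        else {
            $want = [int]($Expected[$id])
            if     ($have -eq $want)               { $status = 'ok' }
            elseif (($have -band $want) -ne $want) { $status = 'missing rights' }
            else                                   { $status = 'broader than baseline' }
        }
        [pscustomobject]@{
            Identity = $id
            # ToObject keeps raw values (e.g. generic rights) that a cast would reject.
            Granted  = [Enum]::ToObject([System.Security.AccessControl.RegistryRights], $have)
            Status   = $status
        }
    }
}

Test-RegistryKeyAcl | Format-Table -AutoSize
```

The script only reads the ACL. On a machine in the state described above, Administrators and Users would both be reported as 'missing rights', while entries such as Power Users show up as 'not in baseline'.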

