Restrict Software to Specific User on Terminal Server
Hello.
I've read quite a few postings and Microsoft documents, but cannot seem to figure out how, exactly, software restriction are applied to specific users. Here's the setup, numbers are for example:
+ Windows 2003 Server running Terminal Services
+ This server is accessed by 20 users via RDP.
+ I want only 6 of them to be able to run Office.
+ I have a small number of other applications I would like specific users to run.
+ I would like to use local policy for simplicity, even though this server is part of a domain.
So, my guess to do this is the following:
+ Create a local group "Office Users", containing those users permitted to run Office.
+ Set the default Software Restriction Security Level to "Disallowed"
+ Add an Additional Path Rule (Unrestricted) containing the path to the Office apps.
My problem: I cannot see how to apply this additional rule to specific users, that is (I guess) to the Office Users group.
(Sorry if I didn't pick the question zones correctly.)
I've read quite a few postings and Microsoft documents, but cannot seem to figure out how, exactly, software restriction are applied to specific users. Here's the setup, numbers are for example:
+ Windows 2003 Server running Terminal Services
+ This server is accessed by 20 users via RDP.
+ I want only 6 of them to be able to run Office.
+ I have a small number of other applications I would like specific users to run.
+ I would like to use local policy for simplicity, even though this server is part of a domain.
So, my guess to do this is the following:
+ Create a local group "Office Users", containing those users permitted to run Office.
+ Set the default Software Restriction Security Level to "Disallowed"
+ Add an Additional Path Rule (Unrestricted) containing the path to the Office apps.
My problem: I cannot see how to apply this additional rule to specific users, that is (I guess) to the Office Users group.
(Sorry if I didn't pick the question zones correctly.)
Hi,
Check this: http://technet.microsoft.com/en-us/library/cc781337(WS.10).aspx
Regards,
Faraz H. Khan
Check this: http://technet.microsoft.com/en-us/library/cc781337(WS.10).aspx
Regards,
Faraz H. Khan
ASKER
Sadly, it looks as if enriquecadalso has it right. I guess I was hoping for a better answer! Let me review the article given by farazhkhan (again) before I go ahead an close this question. Thanks...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Okay, I'll look at that too. Looks like a nice document. It'll be until after the new year that I reply, though. Enjoy!
Answer ID 26140322 covers it all and explains how to do exactly what he wants.
Cláudio Rodrigues
Citrix CTP
Cláudio Rodrigues
Citrix CTP
ASKER
Go ahead and close this. However, since tsmvp and enriquecadalso suggested the same solution, they both should get credit if that's possible.
ASKER
Oh, I see this is already closed.
If you are going to create local groups try modifying the ntfs permission of the office executables (winword.exe, excel.exe, etc), assigning the rights to read only to the "Office Users" group.