Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Is it possible to allow per user Active X control install on Windows Server 2008 R2 RDS?

Posted on 2010-08-25
7
Medium Priority
?
9,185 Views
Last Modified: 2013-12-08
We have two 2008 R2 RDS boxes, with about 75 users across them, and the need for each user to install Active X controls for web meetings (such as WebEx and GoToMeeting).  I have played around with our group policies, tried installing the Active X controls as admin, etc. but we need a more scalable solution.  It is not possible for us to have to install each Active X control to the server each time a user needs access to a different site, nor do I want to have all the Active X controls installed server-wide.  I would much rather they be installed per user, then if the user gets hosed, we can just delete / recreate the profile.

I have set up the GPO to allow a "quiet" install - there is no yellow bar asking the user to install the Active X control, but I am getting an error on install:

An error occurred while copying file <filename>
Cannot copy file to destination directory.

I saw this post: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23859523.html

And this post: http://www.experts-exchange.com/Security/Misc/Q_21917199.html

But neither worked.  The second post, when modified for internet zone (rather than local zone), seems to have worked to allow the install to proceed without user interaction, but I still get the error message above.

Any help would be greatly appreciated!

Tim
0
Comment
Question by:triegler
  • 4
  • 2
7 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 33526404
It will not be per user.
It will be per machine,...like you have been.
There is no scalability here because there is no scale (it just doesn't apply),...the ActiveX is no different than any other application that you (the Admin) would have to install before the users can use it.  You're going to face the same thing everytime the Adobe Reader hits a new version, or the Flash Player, or Silverlight hits a new version.  It is just called maintanence,...it is just what we get paid for doing.

If everything had an automatic way to do it that didn't require the Admin to lift his hands or get out of the chair,...then the Admin wouldn't be needed, the salary wouldn't be justified, the job would be elminated, and consultants would be brought in instead to do what little bit the Admin actually did and could probably do it on a monthly basis.   I'm not joking and am serious,...it happens more and more all the time,...I'm just lucky that I am a full time Admin and a part time consultant for a different company at the same time,...I live on both sides of the fence at the same time.  It wouldn't suprise me one bit if some day my "Admin self" is suddenly out of a job and replaced by my "Consultant self" because the company thought it was cheaper to pay the Consultant part of the time than the Admin all of the time,...after all the machines automatically take care of themselves don't they?,...what do we need a full time IT guy for?
0
 

Author Comment

by:triegler
ID: 33531501
pwindell,

Thank you for the response.  That strikes me as odd, that there is no way that a "regular" user can install Active X controls into their user session on the terminal server.  Especially as the client used to have several Windows Server 2003 Terminal Servers which *DID* allow user Active X installs...

Regarding your following comments - I understand fully, as I *AM* that consultant.  This client *does not want* me to have to come in and set up Active X controls each time a user needs access to a WebEx training, nor do their full-time admins have the time.  As admins / consultants, our job is also to maximize our time, whether by automating, removing complexity, creating processes and policies, end user training, and so on.  Part of that is knowing the trade offs between what is user controlled and what is admin controlled.  This client has indicated that they do now want their admins constantly installing Active X controls for their users, when their users were formerly able to do so themselves.  Not only that, but due to the nature of the environment, the training sessions occur often, but randomly (including sometimes after hours), and admins aren't always available to install the Active X control across both servers.

I know that there is no AXIS for Windows 7 / Windows Server 2008 R2, but there *has* to be a way to allow users to install their own ActiveX controls.

Thanks again,

Tim
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33532364
Regular users cannot install ActiveX controls or any other application for the most part.
If  they had users doing that in the past on another TS box then they probably made the user local Admins by adding the Domain Users Groups to the local Administrators Group.
Another option is to give one responsible trustworthy users (one of the managers?) Admin rights on the machine so that they can log into the machine,...go to those web sites, and install the plugins.  Once it is installed the other users should be fine.  That is how we handle that type of situation at our clients.  A lot of these webex and similar things seems to end up being in Sales Meetings between the local Sales Staff and a remote Marketing Agency,...so the Sale Manager is a good canidate for adding them to the Local Administrators Group in those cases.
 
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 29

Accepted Solution

by:
pwindell earned 2000 total points
ID: 33532436
With the ActiveX,..it isn't all just the ActiveX,...even if you setup a GPO for a particular user to have their IE Settings allow the ActiveX install,...there is more to the story,...depending on what the ActiveX control actually is and what it actually does,...you run into the same hinderance that prevents the install of it just as the install of any other kind of normal application because or where files may attempt to be copied or registry entries that might attempt to be written or overwritten,...so the user has to be at least a local Admin just as they would to install MS Office or something.
 
0
 

Author Comment

by:triegler
ID: 33535675
pwindell,

Thank you again for your response.  I believe at this time that we may indeed follow up on your suggestion to make the supervisors local admins.  This won't really affect the RDS boxes, as we have them fairly locked down via GPOs, folder redirection, etc.  I will run it by the VP ITS, but I'm giving you the points anyways.

Thanks again,

Tim
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33536168
Thank you sir!  Good luck with the it all.
0
 

Expert Comment

by:gusmaio
ID: 38581388
Another solution is to creae an installer acct with local admin rights, then upon UAC dialog enter those credentials. This account doesn't have to have rights to any shares on any other boxes and if you inform your users that this is only used for those instances and that it is audited, you won't have issues. You can also DENY NTFS permissions granularly to the workstation local accounts if you think someone may actually log in as the installer account, AND you can add a login script that informs the user that attempted to login with this account that they are violating policy and activity is being recorded. It  works.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
Following on from our article on "The Murky World of Consent and opt in", we thought we would issue some helpful guidance, not only on consent itself but knowing what information you are capturing, what you are doing with this data and how you can p…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question