Solved

Is it possible to allow per user Active X control install on Windows Server 2008 R2 RDS?

Posted on 2010-08-25
Last Modified: 2013-12-08
We have two 2008 R2 RDS boxes, with about 75 users across them, and the need for each user to install Active X controls for web meetings (such as WebEx and GoToMeeting).  I have played around with our group policies, tried installing the Active X controls as admin, etc. but we need a more scalable solution.  It is not possible for us to have to install each Active X control to the server each time a user needs access to a different site, nor do I want to have all the Active X controls installed server-wide.  I would much rather they be installed per user, then if the user gets hosed, we can just delete / recreate the profile.

I have set up the GPO to allow a "quiet" install - there is no yellow bar asking the user to install the Active X control, but I am getting an error on install:

An error occurred while copying file <filename>
Cannot copy file to destination directory.

I saw this post: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23859523.html

And this post: http://www.experts-exchange.com/Security/Misc/Q_21917199.html

But neither worked.  The second post, when modified for internet zone (rather than local zone), seems to have worked to allow the install to proceed without user interaction, but I still get the error message above.

Any help would be greatly appreciated!

Tim
Question by:triegler
7 Comments
 
LVL 29

Expert Comment

by:pwindell
It will not be per user.
It will be per machine,...like you have been.
There is no scalability here because there is no scale (it just doesn't apply),...the ActiveX is no different than any other application that you (the Admin) would have to install before the users can use it.  You're going to face the same thing every time the Adobe Reader hits a new version, or the Flash Player, or Silverlight hits a new version.  It is just called maintenance,...it is just what we get paid for doing.

If everything had an automatic way to do it that didn't require the Admin to lift his hands or get out of the chair,...then the Admin wouldn't be needed, the salary wouldn't be justified, the job would be eliminated, and consultants would be brought in instead to do what little bit the Admin actually did and could probably do it on a monthly basis.   I'm not joking and am serious,...it happens more and more all the time,...I'm just lucky that I am a full time Admin and a part time consultant for a different company at the same time,...I live on both sides of the fence at the same time.  It wouldn't surprise me one bit if some day my "Admin self" is suddenly out of a job and replaced by my "Consultant self" because the company thought it was cheaper to pay the Consultant part of the time than the Admin all of the time,...after all the machines automatically take care of themselves don't they?,...what do we need a full time IT guy for?
 

Author Comment

by:triegler
pwindell,

Thank you for the response.  That strikes me as odd, that there is no way that a "regular" user can install Active X controls into their user session on the terminal server.  Especially as the client used to have several Windows Server 2003 Terminal Servers which *DID* allow user Active X installs...

Regarding your following comments - I understand fully, as I *AM* that consultant.  This client *does not want* me to have to come in and set up Active X controls each time a user needs access to a WebEx training, nor do their full-time admins have the time.  As admins / consultants, our job is also to maximize our time, whether by automating, removing complexity, creating processes and policies, end user training, and so on.  Part of that is knowing the trade offs between what is user controlled and what is admin controlled.  This client has indicated that they do not want their admins constantly installing Active X controls for their users, when their users were formerly able to do so themselves.  Not only that, but due to the nature of the environment, the training sessions occur often, but randomly (including sometimes after hours), and admins aren't always available to install the Active X control across both servers.

I know that there is no AXIS for Windows 7 / Windows Server 2008 R2, but there *has* to be a way to allow users to install their own ActiveX controls.

Thanks again,

Tim
 
LVL 29

Expert Comment

by:pwindell
Regular users cannot install ActiveX controls or any other application for the most part.
If they had users doing that in the past on another TS box then they probably made the users local Admins by adding the Domain Users Groups to the local Administrators Group.
Another option is to give one responsible trustworthy user (one of the managers?) Admin rights on the machine so that they can log into the machine,...go to those web sites, and install the plugins.  Once it is installed the other users should be fine.  That is how we handle that type of situation at our clients.  A lot of these webex and similar things seem to end up being in Sales Meetings between the local Sales Staff and a remote Marketing Agency,...so the Sales Manager is a good candidate for adding them to the Local Administrators Group in those cases.
 

 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
With the ActiveX,...it isn't all just the ActiveX,...even if you set up a GPO for a particular user to have their IE Settings allow the ActiveX install,...there is more to the story,...depending on what the ActiveX control actually is and what it actually does,...you run into the same hindrance that prevents the install of it just as the install of any other kind of normal application because of where files may attempt to be copied or registry entries that might attempt to be written or overwritten,...so the user has to be at least a local Admin just as they would to install MS Office or something.
 
 

Author Comment

by:triegler
pwindell,

Thank you again for your response.  I believe at this time that we may indeed follow up on your suggestion to make the supervisors local admins.  This won't really affect the RDS boxes, as we have them fairly locked down via GPOs, folder redirection, etc.  I will run it by the VP ITS, but I'm giving you the points anyways.

Thanks again,

Tim
 
LVL 29

Expert Comment

by:pwindell
Thank you sir!  Good luck with it all.
 

Expert Comment

by:gusmaio
Another solution is to create an installer acct with local admin rights, then upon UAC dialog enter those credentials. This account doesn't have to have rights to any shares on any other boxes and if you inform your users that this is only used for those instances and that it is audited, you won't have issues. You can also DENY NTFS permissions granularly to the workstation local accounts if you think someone may actually log in as the installer account, AND you can add a login script that informs the user that attempted to login with this account that they are violating policy and activity is being recorded. It works.
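
Both approaches in this thread (adding a supervisor to the local Administrators group, or a dedicated installer account) widen local admin on a shared RDS host, so the membership is worth reviewing on a schedule. The following is an added example, not code from any poster in the thread; the names in `$Approved` (including `svc-axinstall` and `sales.manager`) are hypothetical placeholders, and it assumes the group has its default English name.

```powershell
# Added example (not from the thread): review who holds local admin on an RDS host.
# Account names in $Approved are hypothetical placeholders; replace with your own.
$Approved = @('Administrator', 'Domain Admins', 'svc-axinstall', 'sales.manager')
# Broad groups that would make every user a local admin, the setup pwindell
# suspects was used on the old terminal servers.
$TooBroad = @('Domain Users', 'Authenticated Users', 'Everyone', 'INTERACTIVE')

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # WinNT ADSI provider: works on PowerShell 2.0, which ships with 2008 R2.
    # Assumes the group has its default English name, "Administrators".
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Name     = ($path -split '/')[-1]   # last path segment is the account name
            ADsPath  = $path
        }
    }
}

function Get-LocalAdminFinding {
    param($Member, [string[]]$Approved, [string[]]$TooBroad)
    # -contains is case-insensitive, like Windows account name comparison.
    if ($TooBroad -contains $Member.Name)        { 'BROAD-GROUP' }
    elseif ($Approved -notcontains $Member.Name) { 'UNAPPROVED' }
    else                                         { 'OK' }
}

# Tag every member of the local group and list the problem entries first.
Get-LocalAdminMember | ForEach-Object {
    $finding = Get-LocalAdminFinding -Member $_ -Approved $Approved -TooBroad $TooBroad
    $_ | Add-Member -MemberType NoteProperty -Name Finding -Value $finding -PassThru
} | Sort-Object Finding | Format-Table Computer, Name, Finding, ADsPath -AutoSize
```

The comparison uses the account name only, so check the `ADsPath` column where a local account and a domain account could share a name.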