?
Solved

Is it possible to allow per user Active X control install on Windows Server 2008 R2 RDS?

Posted on 2010-08-25
7
Medium Priority
?
8,699 Views
Last Modified: 2013-12-08
We have two 2008 R2 RDS boxes, with about 75 users across them, and the need for each user to install Active X controls for web meetings (such as WebEx and GoToMeeting).  I have played around with our group policies, tried installing the Active X controls as admin, etc. but we need a more scalable solution.  It is not possible for us to have to install each Active X control to the server each time a user needs access to a different site, nor do I want to have all the Active X controls installed server-wide.  I would much rather they be installed per user, then if the user gets hosed, we can just delete / recreate the profile.

I have set up the GPO to allow a "quiet" install - there is no yellow bar asking the user to install the Active X control, but I am getting an error on install:

An error occurred while copying file <filename>
Cannot copy file to destination directory.

I saw this post: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23859523.html

And this post: http://www.experts-exchange.com/Security/Misc/Q_21917199.html

But neither worked.  The second post, when modified for internet zone (rather than local zone), seems to have worked to allow the install to proceed without user interaction, but I still get the error message above.

Any help would be greatly appreciated!

Tim
0
Comment
Question by:triegler
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 33526404
It will not be per user.
It will be per machine,...like you have been.
There is no scalability here because there is no scale (it just doesn't apply),...the ActiveX is no different than any other application that you (the Admin) would have to install before the users can use it.  You're going to face the same thing everytime the Adobe Reader hits a new version, or the Flash Player, or Silverlight hits a new version.  It is just called maintanence,...it is just what we get paid for doing.

If everything had an automatic way to do it that didn't require the Admin to lift his hands or get out of the chair,...then the Admin wouldn't be needed, the salary wouldn't be justified, the job would be elminated, and consultants would be brought in instead to do what little bit the Admin actually did and could probably do it on a monthly basis.   I'm not joking and am serious,...it happens more and more all the time,...I'm just lucky that I am a full time Admin and a part time consultant for a different company at the same time,...I live on both sides of the fence at the same time.  It wouldn't suprise me one bit if some day my "Admin self" is suddenly out of a job and replaced by my "Consultant self" because the company thought it was cheaper to pay the Consultant part of the time than the Admin all of the time,...after all the machines automatically take care of themselves don't they?,...what do we need a full time IT guy for?
0
 

Author Comment

by:triegler
ID: 33531501
pwindell,

Thank you for the response.  That strikes me as odd, that there is no way that a "regular" user can install Active X controls into their user session on the terminal server.  Especially as the client used to have several Windows Server 2003 Terminal Servers which *DID* allow user Active X installs...

Regarding your following comments - I understand fully, as I *AM* that consultant.  This client *does not want* me to have to come in and set up Active X controls each time a user needs access to a WebEx training, nor do their full-time admins have the time.  As admins / consultants, our job is also to maximize our time, whether by automating, removing complexity, creating processes and policies, end user training, and so on.  Part of that is knowing the trade offs between what is user controlled and what is admin controlled.  This client has indicated that they do now want their admins constantly installing Active X controls for their users, when their users were formerly able to do so themselves.  Not only that, but due to the nature of the environment, the training sessions occur often, but randomly (including sometimes after hours), and admins aren't always available to install the Active X control across both servers.

I know that there is no AXIS for Windows 7 / Windows Server 2008 R2, but there *has* to be a way to allow users to install their own ActiveX controls.

Thanks again,

Tim
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33532364
Regular users cannot install ActiveX controls or any other application for the most part.
If  they had users doing that in the past on another TS box then they probably made the user local Admins by adding the Domain Users Groups to the local Administrators Group.
Another option is to give one responsible trustworthy users (one of the managers?) Admin rights on the machine so that they can log into the machine,...go to those web sites, and install the plugins.  Once it is installed the other users should be fine.  That is how we handle that type of situation at our clients.  A lot of these webex and similar things seems to end up being in Sales Meetings between the local Sales Staff and a remote Marketing Agency,...so the Sale Manager is a good canidate for adding them to the Local Administrators Group in those cases.
 
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 29

Accepted Solution

by:
pwindell earned 2000 total points
ID: 33532436
With the ActiveX,..it isn't all just the ActiveX,...even if you setup a GPO for a particular user to have their IE Settings allow the ActiveX install,...there is more to the story,...depending on what the ActiveX control actually is and what it actually does,...you run into the same hinderance that prevents the install of it just as the install of any other kind of normal application because or where files may attempt to be copied or registry entries that might attempt to be written or overwritten,...so the user has to be at least a local Admin just as they would to install MS Office or something.
 
0
 

Author Comment

by:triegler
ID: 33535675
pwindell,

Thank you again for your response.  I believe at this time that we may indeed follow up on your suggestion to make the supervisors local admins.  This won't really affect the RDS boxes, as we have them fairly locked down via GPOs, folder redirection, etc.  I will run it by the VP ITS, but I'm giving you the points anyways.

Thanks again,

Tim
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33536168
Thank you sir!  Good luck with the it all.
0
 

Expert Comment

by:gusmaio
ID: 38581388
Another solution is to creae an installer acct with local admin rights, then upon UAC dialog enter those credentials. This account doesn't have to have rights to any shares on any other boxes and if you inform your users that this is only used for those instances and that it is audited, you won't have issues. You can also DENY NTFS permissions granularly to the workstation local accounts if you think someone may actually log in as the installer account, AND you can add a login script that informs the user that attempted to login with this account that they are violating policy and activity is being recorded. It  works.
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question