triegler
asked on
Is it possible to allow per user Active X control install on Windows Server 2008 R2 RDS?
We have two 2008 R2 RDS boxes, with about 75 users across them, and the need for each user to install Active X controls for web meetings (such as WebEx and GoToMeeting). I have played around with our group policies, tried installing the Active X controls as admin, etc. but we need a more scalable solution. It is not possible for us to have to install each Active X control to the server each time a user needs access to a different site, nor do I want to have all the Active X controls installed server-wide. I would much rather they be installed per user, then if the user gets hosed, we can just delete / recreate the profile.
I have set up the GPO to allow a "quiet" install - there is no yellow bar asking the user to install the Active X control, but I am getting an error on install:
An error occurred while copying file <filename>
Cannot copy file to destination directory.
I saw this post: https://www.experts-exchange.com/questions/23859523/How-to-Enable-Allow-previously-unused-ActiveX-controls-to-run-without-prompt-via-Group-Policy.html
And this post: https://www.experts-exchange.com/questions/21917199/How-to-allow-ActiveX-control-to-install-via-a-Group-Policy.html
But neither worked. The second post, when modified for internet zone (rather than local zone), seems to have worked to allow the install to proceed without user interaction, but I still get the error message above.
Any help would be greatly appreciated!
Tim
I have set up the GPO to allow a "quiet" install - there is no yellow bar asking the user to install the Active X control, but I am getting an error on install:
An error occurred while copying file <filename>
Cannot copy file to destination directory.
I saw this post: https://www.experts-exchange.com/questions/23859523/How-to-Enable-Allow-previously-unused-ActiveX-controls-to-run-without-prompt-via-Group-Policy.html
And this post: https://www.experts-exchange.com/questions/21917199/How-to-allow-ActiveX-control-to-install-via-a-Group-Policy.html
But neither worked. The second post, when modified for internet zone (rather than local zone), seems to have worked to allow the install to proceed without user interaction, but I still get the error message above.
Any help would be greatly appreciated!
Tim
ASKER
pwindell,
Thank you for the response. That strikes me as odd, that there is no way that a "regular" user can install Active X controls into their user session on the terminal server. Especially as the client used to have several Windows Server 2003 Terminal Servers which *DID* allow user Active X installs...
Regarding your following comments - I understand fully, as I *AM* that consultant. This client *does not want* me to have to come in and set up Active X controls each time a user needs access to a WebEx training, nor do their full-time admins have the time. As admins / consultants, our job is also to maximize our time, whether by automating, removing complexity, creating processes and policies, end user training, and so on. Part of that is knowing the trade offs between what is user controlled and what is admin controlled. This client has indicated that they do now want their admins constantly installing Active X controls for their users, when their users were formerly able to do so themselves. Not only that, but due to the nature of the environment, the training sessions occur often, but randomly (including sometimes after hours), and admins aren't always available to install the Active X control across both servers.
I know that there is no AXIS for Windows 7 / Windows Server 2008 R2, but there *has* to be a way to allow users to install their own ActiveX controls.
Thanks again,
Tim
Thank you for the response. That strikes me as odd, that there is no way that a "regular" user can install Active X controls into their user session on the terminal server. Especially as the client used to have several Windows Server 2003 Terminal Servers which *DID* allow user Active X installs...
Regarding your following comments - I understand fully, as I *AM* that consultant. This client *does not want* me to have to come in and set up Active X controls each time a user needs access to a WebEx training, nor do their full-time admins have the time. As admins / consultants, our job is also to maximize our time, whether by automating, removing complexity, creating processes and policies, end user training, and so on. Part of that is knowing the trade offs between what is user controlled and what is admin controlled. This client has indicated that they do now want their admins constantly installing Active X controls for their users, when their users were formerly able to do so themselves. Not only that, but due to the nature of the environment, the training sessions occur often, but randomly (including sometimes after hours), and admins aren't always available to install the Active X control across both servers.
I know that there is no AXIS for Windows 7 / Windows Server 2008 R2, but there *has* to be a way to allow users to install their own ActiveX controls.
Thanks again,
Tim
Regular users cannot install ActiveX controls or any other application for the most part.
If they had users doing that in the past on another TS box then they probably made the user local Admins by adding the Domain Users Groups to the local Administrators Group.
Another option is to give one responsible trustworthy users (one of the managers?) Admin rights on the machine so that they can log into the machine,...go to those web sites, and install the plugins. Once it is installed the other users should be fine. That is how we handle that type of situation at our clients. A lot of these webex and similar things seems to end up being in Sales Meetings between the local Sales Staff and a remote Marketing Agency,...so the Sale Manager is a good canidate for adding them to the Local Administrators Group in those cases.
If they had users doing that in the past on another TS box then they probably made the user local Admins by adding the Domain Users Groups to the local Administrators Group.
Another option is to give one responsible trustworthy users (one of the managers?) Admin rights on the machine so that they can log into the machine,...go to those web sites, and install the plugins. Once it is installed the other users should be fine. That is how we handle that type of situation at our clients. A lot of these webex and similar things seems to end up being in Sales Meetings between the local Sales Staff and a remote Marketing Agency,...so the Sale Manager is a good canidate for adding them to the Local Administrators Group in those cases.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
pwindell,
Thank you again for your response. I believe at this time that we may indeed follow up on your suggestion to make the supervisors local admins. This won't really affect the RDS boxes, as we have them fairly locked down via GPOs, folder redirection, etc. I will run it by the VP ITS, but I'm giving you the points anyways.
Thanks again,
Tim
Thank you again for your response. I believe at this time that we may indeed follow up on your suggestion to make the supervisors local admins. This won't really affect the RDS boxes, as we have them fairly locked down via GPOs, folder redirection, etc. I will run it by the VP ITS, but I'm giving you the points anyways.
Thanks again,
Tim
Thank you sir! Good luck with the it all.
Another solution is to creae an installer acct with local admin rights, then upon UAC dialog enter those credentials. This account doesn't have to have rights to any shares on any other boxes and if you inform your users that this is only used for those instances and that it is audited, you won't have issues. You can also DENY NTFS permissions granularly to the workstation local accounts if you think someone may actually log in as the installer account, AND you can add a login script that informs the user that attempted to login with this account that they are violating policy and activity is being recorded. It works.
It will be per machine,...like you have been.
There is no scalability here because there is no scale (it just doesn't apply),...the ActiveX is no different than any other application that you (the Admin) would have to install before the users can use it. You're going to face the same thing everytime the Adobe Reader hits a new version, or the Flash Player, or Silverlight hits a new version. It is just called maintanence,...it is just what we get paid for doing.
If everything had an automatic way to do it that didn't require the Admin to lift his hands or get out of the chair,...then the Admin wouldn't be needed, the salary wouldn't be justified, the job would be elminated, and consultants would be brought in instead to do what little bit the Admin actually did and could probably do it on a monthly basis. I'm not joking and am serious,...it happens more and more all the time,...I'm just lucky that I am a full time Admin and a part time consultant for a different company at the same time,...I live on both sides of the fence at the same time. It wouldn't suprise me one bit if some day my "Admin self" is suddenly out of a job and replaced by my "Consultant self" because the company thought it was cheaper to pay the Consultant part of the time than the Admin all of the time,...after all the machines automatically take care of themselves don't they?,...what do we need a full time IT guy for?