The first thing that comes to mind is disabling Windows Installer for non-managed apps via GPO. Considering you are already doing something similar, as you had mentioned, that may be the most viable solution.

Otherwise, I'm not sure if it's possible or how difficult it would be to implement, but you could restrict the use of certain file extensions in the user folder tree, which would prevent users from running executables, for instance.

Just two ideas... I'm sure there will be more.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Wednesday, August 04, 2004 8:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fileserver and Self-Executing Programs

Within our domain, roaming profiles are used. The roaming profiles are limited to 10MB by means of a GPO.  The user is also given a networked drive (K:\) that gives them an additional 40MB which gives them a grand total of 50MB of usable space when on their workstations.  The 50MB limit is then enforced by Disk Quotas.  The roaming profile data and the networked drive are both on the same machine.

The user logging into their workstation is not able to install applications unless first approved.  What I have noticed, however, is that users within the domain are still managing to run unauthorized pieces of software.  They are doing this by copying the files to K:\.  The application that they want to use is a self-executing program that does not need to write data to the registry or modify the system in any way.

In one case, I noticed that a user is using Firefox.  I installed the software under the same user privileges and was able to do so but with a warning that the application may not install correctly without Admin rights. The application did install to the K:\ and worked correctly when it was opened.  The good thing about this was that anything that was written to the registry was access denied.

So here is the question.  How can I prevent users from installing these types of applications to the K:\?  When they do this, they are using resources on the remote machine that shouldn’t be.  I could care less that they are using more drive space since it will only affect them and their ability to write more files to the remote machine or will prevent them from logging off of their desktop until the space is cleared.

I don’t have a problem putting fear into those who are doing this, but I would rather just cut them off and keep my mouth shut if a solution is available.

Any thoughts?

Thanks everyone for your replies,

Edwin
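
An added example, not part of the original thread and not either poster's own code: a PowerShell audit, run on the file server, that lists files under the home-drive tree which are Windows executables, identified by their MZ/PE headers rather than by file name. The function names and the demo folder are hypothetical; point `-Root` at the folder that backs K:\.

```powershell
# Added example; Test-PEFile, Find-UserExecutables and the demo path are hypothetical names.
function Test-PEFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $fs = $null
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        if ($fs.Length -lt 64) { return $false }               # too small for a DOS header
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { return $false }     # 'MZ' DOS signature
        $fs.Position = 0x3C                                    # e_lfanew: offset of PE header
        $peOffset = [long]$br.ReadUInt32()
        if ($peOffset + 4 -gt $fs.Length) { return $false }    # offset points past end of file
        $fs.Position = $peOffset
        return ($br.ReadUInt32() -eq 0x00004550)               # 'PE\0\0' signature
    } catch {
        return $false                                          # locked or unreadable file
    } finally {
        if ($fs) { $fs.Dispose() }
    }
}

function Find-UserExecutables {
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-PEFile $_.FullName } |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'Owner'; Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } }
}

# Constructed demo data: a 128-byte stub carrying only MZ/PE signatures, plus a text file.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'home-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$stub = New-Object byte[] 128
$stub[0] = 0x4D; $stub[1] = 0x5A          # 'MZ'
$stub[0x3C] = 0x40                        # PE header at offset 0x40
$stub[0x40] = 0x50; $stub[0x41] = 0x45    # 'PE', followed by two zero bytes
[System.IO.File]::WriteAllBytes((Join-Path $demo 'portable-app.exe'), $stub)
Set-Content -LiteralPath (Join-Path $demo 'notes.txt') -Value 'plain text'

# Only the stub should be listed; notes.txt fails the header check.
Find-UserExecutables -Root $demo | Format-Table -AutoSize
```

Piping the result to `Export-Csv` gives a per-owner report that can be reviewed before any blocking policy is applied.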
