| Author | Messages | |
justjbatwork
Posts:2
 | | 09/20/2010 9:06 PM |
| So just send an email to: xxxxxxxxxxxxxxxx with unsubscribe in the subject?
JB
From: xxxxxxxxxxxxxxxx To: xxxxxxxxxxxxxxxx Subject: FW: [gptalk] lockdown exes Date: Mon, 20 Sep 2010 19:56:00 +0000
JB, Type unsubscribe into the email and send it to the list.
~ Mary ~
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of J B Sent: Monday, September 20, 2010 2:36 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
Mary,
How can I get off this list?
JB
From: xxxxxxxxxxxxxxxx To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes Date: Mon, 20 Sep 2010 15:47:03 +0000
Unfortunately this regkey is either on or off (1 or 0). I want administrators to be able to force off an admin that say, went on vacation but stayed logged in. But I do not want regular users to be able to do this, only administrators.
~ Mary ~
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 10:25 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
Yes that is exactly what I thought… when looking via gpmc.msc the setting says “at least” and then finishes with “Only” slight contradiction of words :)
The documentation below shows it as only…
http://technet.microsoft.com/en-us/library/cc731606(WS.10).aspx
If you look at all of the other settings they are worded different… Maybe try looking for the following registry key just in case it is worded incorrectly?
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableForcibleLogoff
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 16:16 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
Sean, This setting is in the ADMX and it says Requirements: At Least Windows XP and Windows Server 2003 only. I thought that “At Least” meant it would work on all newer versions as well. This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. If you enable this policy setting, logging off the connected administrator is not allowed. If you disable or do not configure this policy setting, logging off the connected administrator is allowed. Note: The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line.
It is somewhat confusing because the settings refer to a server and I’m creating this for workstations. ~ Mary ~
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 9:51 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
Just had a quick look at the .adm info for this and it appears not to be supported on W2K7
Deny logoff of an administrator logged in to the console session
This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. If you enable this policy setting, logging off the connected administrator is not allowed. If you disable or do not configure this policy setting, logging off the connected administrator is allowed.
Windows XP Professional or Windows Server 2003 only
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 15:31 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
No, it seems that anyone can boot an Admin off and we only want another Admin to be able to do that.
~ Mary ~
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 9:03 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
Is the entire policy being ignored, or just certain settings?
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 14:19 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
I am trying to keep it to only 1 person on the PC at a time. And regular users should not be able to bump off an Admin. This is the GPO. The Restricted Group for Builtin\Remote Desktop Users is Domain Users.
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
Policy | Setting | Comment
Allow users to connect remotely using Remote Desktop Services | Enabled |
Deny logoff of an administrator logged in to the console session | Enabled |
Limit number of connections | Enabled |
  RD Maximum Connections allowed: 1
  Type 999999 for unlimited connections.
This works fine in XP but I’m thinking there is a setting I’m missing.
~ Mary ~
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 8:06 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
What’s the RDP issue, I’m sure one of us could help :)
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 13:59 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
Hi Sean, I am also creating the policy for Windows 7 workstations. For the most part I am done with that except for an RDP issue.
~ Mary ~
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 7:34 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
Hi Mary,
I have done a few Software Distribution projects and many upgrade projects :) This sounds like you are doing a desktop refresh, so a couple of questions.. Are you using any software distribution tools, such as SCCM, Unicenter etc, or are you using AD for the complete control of over 2000 applications? When you say many more exe’s are you speaking about securing just office or various applications? Are you looking at securing the new settings in W2K7 as well? When you are saying xcacls. Do you mean deploying a script to run this against all clients, securing the NTFS permissions to executables?
Cheers,
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 13:16 To: 'xxxxxxxxxxxxxxxx' Subject: [gptalk] lockdown exes
Hello List,
You have been a great help the last month or so. I’m hoping you have some ideas for me. My company purchased Office Pro 2010 and I am setting up policy now. We are updating from 2003 and XPsp3 to Windows 7 and Office 2010. There are many more Office settings! There are exes that the managers do not want people to use. So far I’ve found that I cannot lockdown the Office 14 directory using Security Settings\File System. I looked into Software Restriction but it seems daunting. We have around 2000 apps so I wouldn’t want to do a white list. Has anyone done this before? I have about 3 exes that I do not want the clients to see or be able to run. If I can’t figure out how to do it with group policy I will use xcacls. However, we would prefer group policy and its centralization.
Thanks for any help you can provide.
Mary Winter
This email originates from AXA Technology Services UK Limited (reg. no. 1854856) which has its registered office at 5 Old Broad Street, London EC2N 1AD, England. This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system. Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of The AXA UK Plc Group. Email transmission cannot be guaranteed to be secure, or error free as information could be intercepted, corrupted, lost, destroyed, late in arriving or incomplete as a result of the transmission process. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission. Finally, the recipient should check this email and any attachments for viruses. The AXA UK Plc Group accept no liability for any damage caused by any virus transmitted by this email.
| | | |
| MaryWinter
Posts:45
 | | 09/20/2010 9:28 PM |
| In the body.
~ Mary ~
| | | |
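Sean's suggestion in the thread to look for the registry value directly, written out as an added PowerShell example that is not part of the original messages: it reads the Terminal Services policy key on the client and compares what it finds with the GPO Mary posted. Only `fDisableForcibleLogoff` is named in the thread; the value names `fDenyTSConnections` and `MaxInstanceCount` and the function name `Get-RdpPolicyState` are assumptions of this example.

```powershell
# Added example (not from the thread). Run elevated on the client after gpupdate /force.
# Written to work on PowerShell 2.0, the version shipped with Windows 7.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Settings from the GPO quoted in the thread, with the registry value each one
# is expected to write. fDisableForcibleLogoff comes from the thread; the other
# two value names are assumptions made for this example.
$expected = @(
    @{ Name = 'fDenyTSConnections';     Want = 0
       Policy = 'Allow users to connect remotely using Remote Desktop Services' },
    @{ Name = 'fDisableForcibleLogoff'; Want = 1
       Policy = 'Deny logoff of an administrator logged in to the console session' },
    @{ Name = 'MaxInstanceCount';       Want = 1
       Policy = 'Limit number of connections (RD Maximum Connections allowed)' }
)

function Get-RdpPolicyState {
    param([string]$Path, [object[]]$Expected)

    # A missing key means no Terminal Services policy reached this machine at all.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($e in $Expected) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$e.Name]) {
            $actual = $props.($e.Name)
        }

        # Distinguish "value absent" from "value present but not what the GPO sets".
        if ($null -eq $actual)        { $state = 'NotConfigured' }
        elseif ($actual -eq $e.Want)  { $state = 'AsIntended' }
        else                          { $state = 'Different' }

        New-Object PSObject -Property @{
            Policy   = $e.Policy
            Value    = $e.Name
            Expected = $e.Want
            Actual   = $actual
            State    = $state
        }
    }
}

# Record the OS alongside the result, since the thread's question is whether
# the setting applies to this Windows version.
(Get-WmiObject Win32_OperatingSystem).Caption

Get-RdpPolicyState -Path $key -Expected $expected |
    Select-Object Policy, Value, Expected, Actual, State |
    Format-Table -AutoSize -Wrap
```

`AsIntended` only shows that the GPO delivered the value to the machine; whether Windows 7 acts on `fDisableForcibleLogoff` is the "Supported on" question the thread is discussing.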