Run only allowed application gpo and ie 11 on remote desktop server (terminal server)

I configured a Win 2008 R2 server as a Remote Desktop server (terminal server) and I have a domain GPO that applies to this server. When I configure "Run only specified Windows application", IE 11 does not work.
I have iexplore.exe as an allowed application.
When a new user profile is created, it sets up and the user can open the other listed applications fine, but as soon as IE 11 is launched the IE window loads and after about 15-20 seconds it closes.
If I remove the "Run only specified Windows application" policy, then everything works fine.
I am trying to figure out whether there is any other .exe I have to allow in order for this to work properly.
There is nothing in Event Viewer about IE crashing.
 

> "Run only specified Windows application"
Don't use this setting... This only restricts explorer.exe from
launching applications. If you manage to create a cmd file or open a
command prompt, this policy is useless.
Better switch to AppLocker :)
Martin
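
Moving the IE allowance from the legacy file-name list to AppLocker, as the reply suggests, can start like the sketch below. This is an added example, not part of the original thread; the account `CONTOSO\rdsuser1` and the export path are placeholders. Unlike the Explorer-only setting, AppLocker rules are evaluated when a process is created, whatever launched it.

```powershell
# Added example (not from the thread). Run elevated on the RD Session Host.
# Assumed placeholders: $testUser and $outFile.
Import-Module AppLocker

$testUser = 'CONTOSO\rdsuser1'            # placeholder domain account
$outFile  = 'C:\Temp\rds-applocker.xml'   # placeholder export path

# 1. What the legacy setting stores for the current user: numbered values that hold
#    bare file names such as iexplore.exe. Nothing here identifies the file's path,
#    publisher or hash.
$legacy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun'
if (Test-Path $legacy) {
    $key = Get-Item -Path $legacy
    $key.GetValueNames() | ForEach-Object { '{0} = {1}' -f $_, $key.GetValue($_) }
}

# 2. Collect signature and hash information for the IE binaries (32- and 64-bit).
$ieDirs = @("$env:ProgramFiles\Internet Explorer",
            "${env:ProgramFiles(x86)}\Internet Explorer") | Where-Object { Test-Path $_ }
$files = $ieDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe
}

# 3. Publisher rules where a file is signed, hash rules as the fallback.
#    This policy covers IE only; merge it with rules for the rest of the
#    allowed applications (and for Windows itself) before enforcing anything.
$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                       -RuleNamePrefix 'RDS-IE' -Optimize

# 4. Keep every rule collection in audit-only mode while testing.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 5. Dry run: ask how the rules would treat two binaries for the test user.
$probe = @("$env:ProgramFiles\Internet Explorer\iexplore.exe",
           "$env:SystemRoot\System32\cmd.exe")
Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User $testUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Save the policy as XML so it can be imported into the GPO's AppLocker node.
$policy.ToXml() | Out-File -FilePath $outFile
```

With the rules in audit-only mode, the Microsoft-Windows-AppLocker/EXE and DLL event log records what enforcement would have blocked. The Application Identity service must be running for AppLocker to evaluate rules.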

Similar Messages

  • "Run only allowed" GP prevents zen apps

    I've just started to experiment with restricted Windows Group Policies and ZCM 10.3. I can't seem to get any restricted applications to run from the nal window like they did in zen 4, 6, or 7 while using the "Run only allowed windows applications" group policy setting.
    Before I only had to allow nalwin.exe and nalshell.dll but this no longer appears to work. Other people have posted this issue with versions as new as 10.2 and the "fix" was to allow nalshell.dll but I've already done that.
    What am I missing? I don't actually get the usual restriction message like if I tried to run a program from the start menu that isn't allowed, but instead zen gives an unspecified error. The apps run just fine using a GP that doesn't have "run only allowed" set.
    Any help is appreciated.

    I think it would be difficult to get a bug created that said:
    "ZCM honors Windows Security Policies"
    It was certainly never the intentional design to allow this.
    Rogue Process Mgmt was the tool to perform the feature you are
    describing in lieu of using the Microsoft GPO.
    I'm not aware of any products that do or would advertise this feature,
    since a security patch could fix it at any time.
    The best bet would be to use file rights to actually control what users
    launch in combination with limiting where programs can be launched.
    (Such as from %ProgramFiles%, etc..)
    On 6/14/2010 1:56 PM, jkillebrew wrote:
    >
    > Does this still have something to do with changes in 10.2?
    >
    > I'm not sure how it's a security issue, but it certainly works well for
    > us, allowing us to restrict users to only run applications from within
    > the application window and nothing outside other than a very limited
    > list of applications defined by the GP which would include things like
    > nalwin.exe, antivirus related items, and maybe office applications that
    > would need to be opened by file association.
    >
    > The greater security hole is that this policy can be defeated by
    > renaming a program to the same as something allowed since it works by
    > the file name, but students don't know that and don't know what files I
    > have allowed so it hasn't been a problem so far.
    >
    > Thanks for any help you can provide. I'd really like to use ZCM but
    > this is going to be a deal breaker for us if we can't get it working. We
    > are already struggling to remove duplicate usernames across different
    > OUs to support ZCM (makes no sense not to support this if edir allows
    > it) so this is just another major stumbling block.
    >
    > BTW, there are numerous examples of this type of use of GP and zen all
    > over the place. People have posted examples on their blogs and I even
    > read a cool solutions article suggesting this setup, though this was all
    > with 7 or older.
    >
    >
    > craig_wilson;1987251 Wrote:
    >> I actually misread your earlier posting.
    >>
    >> I thought you were having an issue launching the ZEN Components
    >> themselves, rather than the Windows Policy Locking preventing the
    >> launch of Apps from NAL.
    >>
    >> I was not aware that ever worked and am a little surprised it ever
    >> did.
    >> In fact, I would consider it a fairly significant security hole in the
    >> Windows policy that I did not know existed and would be concerned
    >> about
    >> trying to exploit it.
    >>
    >> I know ZDM had its own version, called Rogue Process Management, but
    >> that does not exist in ZCM. It may be possible to try and create an
    >> enhancement request to get this feature re-added.
    >>
    >> In 10.0 that shipped, this feature would not really have worked the
    >> way
    >> ZCM was designed, but could at least work in theory now.
    >>
    >>
    >>
    >> On 6/14/2010 11:46 AM, jkillebrew wrote:
    >>>
    >>> I cannot get approval to open an SR because this isn't in production.
    >> We
    >>> are just trying to migrate our existing policies over from zen 4 & 7
    >>> with XP to similar policies using zen 10.3 and Windows 7 to see if
    >> we
    >>> can possibly stick with Novell or if we have to move to a new
    >> product.
    >>> We must keep restricted policies in place because we use this for
    >> K-12
    >>> schools where students are malicious.
    >>>
    >>> So far the only fix is to add the application to the allowed list in
    >>> the GP every time we create a new app which would be a huge pain in the
    >>> butt and would cause great delays in getting new apps deployed since we
    >>> have to wait for the GP to propagate at login while the app would
    >> often
    >>> arrive ahead of the new GP. This would also allow everyone to run the
    >>> application even if they don't have that bundle, unless we are going
    >> to
    >>> start managing more granular GPs, maybe hundreds of separate ones,
    >> and
    >>> we would have to keep notes on what GPs have access to what
    >>> applications. I'd move to another product before I'd go that route.
    >>>
    >>> It should be fairly easy to recreate, I think.
    >>>
    >>>
    >>> craig_wilson;1987169 Wrote:
    >>>> There was a change in ZCM 10.3 in how some of the ZCM Processes
    >> Launch.
    >>>> They are no longer child processes under explorer and they are
    >>>> actually
    >>>> started by one of the other ZCM services.
    >>>>
    >>>> It is possible that this could be related to the issue you are
    >> seeing.
    >>>>
    >>>> Just be sure to let me know if you can't create an SR, because I
    >> may
    >>>> use
    >>>> spare time to try and dupe and follow this up.
    >>>>
    >>>> However, my preference would be me to try and follow an SR you have
    >>>> created.
    >>>>
    >>>> Just let me know.
    >>>>
    >>>> On 6/14/2010 10:26 AM, jkillebrew wrote:
    >>>>>
    >>>>> Thanks for the suggestion. At least one person with 10.2 had it
    >>>> working
    >>>>> according to another thread on this forum so I was hoping it was
    >>>> just
    >>>>> something simple. Unfortunately I think we have to pay per
    >> incident
    >>>> so I
    >>>>> can't open a CSR.
    >>>>>
    >>>>> I tried Procmon on both a pc with and without restrictions and
    >>>> compared
    >>>>> line by line but they seem to be identical. Something is happening
    >>>>> within Zen that isn't showing up on procmon and I don't know how
    >> else
    >>>> to
    >>>>> see what is going on behind the scenes.
    >>>>>
    >>>>>
    >>>>> craig_wilson;1987046 Wrote:
    >>>>>> If you are able to open a Service Request, I would recommend
    >> doing
    >>>>>> this.
    >>>>>> I am not sure if the Agent is tested with that policy, but I
    >> think
    >>>> it
    >>>>>> would be a good idea to get an official method documented.
    >>>>>>
    >>>>>> In the mean time, I would recommend trying the following........
    >>>>>>
    >>>>>> Disable the Policy and configure PROCMON to run from startup.
    >>>>>> Use this to see what processes and items launch and run.
    >>>>>>
    >>>>>> Try adding those items to your list.
    >>>>>>
    >>>>>> (Note: If you can and do make an SR, please drop me a note at
    >>>>>> Craig_d_Wilson at Yahoo, and I will make sure it gets into the
    >>>> hands
    >>>>>> of
    >>>>>> somebody who understands the issue.)
    >>>>>>
    >>>>>> --
    >>>>>> Craig Wilson - MCNE, MCSE, CCNA
    >>>>>> Novell Knowledge Partner
    >>>>>>
    >>>>>> Novell does not officially monitor these forums.
    >>>>>>
    >>>>>> Suggestions/Opinions/Statements made by me are solely my own.
    >>>>>> These thoughts may not be shared by either Novell or any rational
    >>>>>> human.
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Knowledge Partner
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • How do I get The ipad locked to run only one application for customers (perhaps a webapp)

    How do I get the iPad locked to run only one application for customers (just one web app, or video instructions, or just Safari)? What I really want is for my customers to only use one app that has all my services. It is an interactive app so I would not like them to go surfing elsewhere while they are in my store.
    Is it possible to do this on the iPad?


  • How to run only certified applications in windows ce 6.0

    I want to run only certified applications in windows ce 6.0

    Please read your NetBeans documentation for using the GUI editor and the Java Tutorial on building GUI's if you choose to try this manually. If you choose to do this with the GUI editor in NetBeans, please ask your question on the NetBeans site as it is the proper place to ask NetBeans questions and not Java specific development questions.

  • I updated from windows xp to windows 7 and can not get into my itunes account.  I get the notice that I am only allowed 5 devices and this isn't a new device just an updated one.  How do I get to my itunes?

    I updated from windows xp to windows 7 and can not get into my itunes account.  I get the notice that I am only allowed 5 devices and this isn't a new device just an updated one.  How do I get to my itunes?

    Take a look at Apple's document for authorizations -> iTunes Store: About authorization and deauthorization.
    You can deauthorize all computers from iTunes. All you have to do is click iTunes Store, click your account name in the upper right corner of iTunes, then deauthorize all.

  • Apple apps store do double charged me for only one application purchased and i can't find an email of apple customer service.

    The Apple App Store double charged me for only one application purchased and I can't find an email address for Apple customer service.

    These are user-to-user forums - I've asked the hosts to remove your email address from your post.
    You can contact iTunes support here: http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page.

  • FV50 should only allow to park and Fbv0 should allow to post

    Dear Gurus
    We have a requirement where we want users to park documents via transaction fv50 and post via fbv0. As transaction fv50 does allow users to post, I have tried to create a transaction variant in shd0 and hide the posting option, but users are still able to post via simulate and post.
    Then I tried the following:
    IF sy-tcode = 'FV50'.
    t_exctab-okcod = 'BU'. " do not allow to post
    APPEND t_exctab.
    ENDIF.
    This does remove the post option from fv50, but the problem is that we cannot post a parked document via fbv0, as this uses the same transaction fv50 in the background.
    Any suggestion will be highly appreciated.

    Hi,
    I do not think you can do it this way. If they park a document using FV50 and you use BTE 1140 to exclude 'BU', then, as you already noticed, when they try to post using FBV0, the system translates it back to FV50. This is like Gödel's logic, Escher's sketch, Bach's Canon (just kidding). Anyway, what you are trying to tell the system is 'FV50 is only allowed to park AND FV50 is only allowed to post'.
    I am not sure but I think you can try to do it by first only allowing FV50 to park; then, configure a variant transaction, say ZV50 for posting. If the variant transaction has the problem of simulation interfering with the variant, you can impose an FI validation on it. The validation calls a user exit in which you specify IF SY-UCOMM = 'BU'. b_result = b_true. ELSE. b_result = b_false. ENDIF. The reason I am not sure of this approach is because I do not know whether ZV50 will still be translated back to FV50.
    Just a side note, you might also want to give consideration to other transactions like FB50, FB01, F-65 etc, since these transactions allow both park and post.
    Regards,
    Ming

  • Default acrobat xi pro send mail to default email application and remember my choice 2008R2 remote desktop server

    I have 2008R2 Remote Desktop Servers with Adobe Acrobat XI Pro. When a new user tries to send a PDF via email, it pops up a message "How would you like to send this email". They have to pick "Default email application (Microsoft Outlook)" and "Remember my choice". Then the next time they try to send an email, they get a warning: "This email will be sent using "Default email application (Microsoft Outlook)". Click on 'Change Preferences' to change your default account settings." They have to click "Do not show this message again", and then continue. (Actually, I have a couple of users that have to go through this process every time they sign on to the remote desktop server.)
    I downloaded the group policy adm pack and I can not find any settings to default this for a user.
    Is there any group policy settings or a registry entry I can make on the remote desktop server to default these settings?
    Thank you in advance

    Distiller is a different product. The prefs should go under  Adobe Acrobat.
    BTW, are you familiar with the Admin Guide and the Pref Ref? Acrobat-Reader Enterprise Toolkit Home
    Examples:
    [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0\AVAlert]
    [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0\AVAlert\cCheckbox]
    "iDigSigSaveAsCertified"=dword:00000001
    "iAppDoNotTakePDFOwnershipAtLaunch"=dword:00000001
    "iavARMNoAutoUpdateWarning"=dword:00000002
    "iDontShowWarn"=dword:00000000
    "iSendMailDefaultAccountAlert"=dword:00000001
    [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0\AVAlert\cCheckbox\cAnnots]
    "iEmailCollisionConfirm"=dword:00000001
    "iSharedReviewConfirm"=dword:00000001
    "iSendForReviewConfirm"=dword:00000001

  • I installed google chrome and added it to my applications folder and it works but my desktop still has the icon of the chrome volume/disk and when i right click it gives an option to eject but it will not delete how can I get rid of it?

    I installed google chrome and added it to my applications folder and it works but my desktop still has the icon of the chrome volume/disk and when i right click it gives an option to eject but it will not delete how can I get rid of it?

    Drag it to the trash icon in your dock.  This is a disk image, and you need to "eject" it, to get rid of it.  

  • Error when uninstalling App-V RDS client: Product: Microsoft Application Virtualization (App-V) Client for Remote Desktop Services 5.0 Service Pack 2 x64 -- Error 1324. The folder path 'C:' contains an invalid character

    Issue:  experienced when attempting to uninstall the App-V 5.0 SP2 RDS client. 
    Event Log:  Product: Microsoft Application Virtualization (App-V) Client for Remote Desktop Services 5.0 Service Pack 2 x64 -- Error 1324. The folder path 'C:' contains an invalid character
    Symptoms (when in this current state): 
    Unable to uninstall the SP2 client
    You can upgrade the client (via hotfix) and uninstall the hotfix, but you will not be able to remove the SP2 client
    AppvVfs filter driver will not create an instance, therefore applications will not be able to read into existing streamed VFS content, or trigger sparse files to stream content.  (you can still stream the content via other means, like the UI or powershell)
    Because of the AppvVfs filter driver not instantiating, applications that depend on licences that exist in VFS will not be able to be read causing certain applications to react as if the license does not exist or is an incorrect format

    Resolution:
    Check for the existence of a hidden folder named %appdata% in the C:\Program Files\Microsoft Application Virtualization\Client folder.  (You will need to un-check the folder options box in Windows Explorer for "Hide protected operating system files" to see it.)
    If the hidden %appdata% folder exists, delete it.
    Proceed to uninstall the App-V client
    After a clean uninstall and removal of remnants of the client, reinstall the client again and apply the latest hotfix available (Hotfix 2 for SP2 at a minimum).

  • I've updated my Macbook Pro and my iMac with Maverick, updating the various apps. On my Macbook, everything functions perfectly. On my iMac, I get the Your System has Run out of Application Memory, and it's based our Mail, the only app not updated. Ideas?

    Maverick and Your System message
    I've updated my Macbook Pro and my iMac with Maverick, updating the various apps (Pages, Aperture, iPhoto, Numbers & iMovie, too) in the process.
    On my Macbook, everything functions perfectly. On my iMac, I get the Your System has Run out of Application Memory message. But it's not Calendar, it's Mail that not only won't open, but when it does now, it takes the entire system out with it.
    I open Safari, and it works. I open Firefox, and it works and Safari still works. I open Calendar and it works, Safari and Firefox continue to work. I open Reminders, and everything still works.
    I open Aperture, and it opens Finder instead, showing the 3.5 update that was installed two days ago (and Aperture has functioned), but doesn't seem to update the app; after about 20 seconds the update disappears and I can now open Aperture and it shows I'm now opening the updated Aperture, which it didn't show before.
    I click on Mail, and the cursor spins for ten minutes. The mail window finally opens, but the cursor spins and does not connect to upload new mail, and I finally Force Quit Mail. Since the Maverick update, even though Mail was not updated (and maybe because Mail was not updated), I have been able to receive emails twice, and then the program crashed.
    Besides the Aperture app, Pages didn't fully update on the iMac, and I had to remove the old Pages icon from the dock after the new program loaded up from Applications.
    Any ideas?


  • Allow application installations and updates for standard user account

    Good Afternoon. Is there a way to configure/allow standard, non-admin user accounts to have access to only install applications or update applications? Is there a group those user accounts can be added to via dscl or some other method? Appreciate any help/input. Ideally I would like to grant users this access/option without giving them full administrative rights. Thank you.

    When you're prompted for the administrator password, take note of the requested right in the dialog box, download TextWrangler from the developer's website(not the Mac App Store), and use it to edit the /private/etc/authorization file so that those accounts have that right.
    (110103)

  • I keep getting told that i have run out of application memory and have to force quit applications. Not sure why this happens or what I do to fix it.

    I keep getting told that I have no more application memory and have to force quit applications. Why does this happen and how do I fix it? This issue has only started since I started using Mavericks 10.9.2.

    Have you checked how much space you have left on your HDD?  You may find some useful information here:
    http://pondini.org/OSX/DiskSpace.html
    Ciao.

  • 2GB ipod nano will only allow 40 songs and not 500.

    My little sister's iPod nano will only allow forty-something songs to be downloaded on it, but isn't 2GB supposed to get around 500? There is nothing else on it except music so there isn't anything else taking up memory space. And yes I have restored it numerous times. Please help!

    Make sure that the music files are compressed formats if you want to get the most out of the capacity of your iPod. When the iPod is "advertised" as "500 songs" or what have you, it is based on circumstance that the song is an AAC format (.m4a) and I think an average of 4 minutes long.
    AAC is as small as you can get. Make sure the tracks are in that format, if they are already, then the tracks must be quite long.

  • Adobe Updater can be run only by users with administrator rights error on 2003 terminal server

    I just installed the latest security update of 8.1.7 on my two terminal servers. Now when each user logs in, they get the following error.
    Insufficient Rights (title)
    Adobe Updater can be run only by users with administrator rights.
    They simply click OK and it goes away but it is very annoying. It seems like every time there is an update to Adobe Reader, something goes wrong.
    Does anybody have any thoughts on how to stop the Adobe Updater from loading when my users login? Thanks,
    Justin

    I ended up finding the solution at this link.
    http://forums.adobe.com/message/1770665
    Erech_Belt said
    5. Aug 14, 2008 7:22 AM in response to: (LeaAnn_Coldren)
    Re: Insufficient Rights Window for non-admins after 8.1.2 successful install
    Here is the solution I found.
    "Renaming %program files%/Common Files/Adobe/updater5 to something else removed the error."
    This seems like a brute force approach, but it does work. I checked the event logs after doing this and don't see any errors in the App or System logs. This folder is the location of AdobeUpdater.exe and all of the Adobe .cer files, so it makes sense that this works, but seems like it should generate other errors...
    This is not how I wanted to solve the problem but it did solve it.
    Justin
