Sign in
Microsoft.com
 
System Center Configuration Manager TechCenter
 
 
 
System Center Configuration Manager TechCenter > System Center Configuration Manager Forums > Configuration Manager Software Distribution > IE ActiveX automated install for restricted users
Ask a questionAsk a question
Search Forums:
 

AnswerIE ActiveX automated install for restricted users

  • Friday, November 06, 2009 11:38 PMI Think I Swallowed A Bug Users MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     
    Sign In to Vote
    0
    Sign In to Vote
    I am preparing the network for a big OS upgrade using Configuration Manager. Since we don't allow our users to install ANYTHING...including ActiveX controls in Internet Explorer...I need to find a way to install everything for them, including ActiveX controls.

    In the past, I have been successful in putting a bandaid on a problem by copying the ActiveX files themselves to a folder on the PC (total accident how I got my hands on the files in the first place), then registering the ocx file with regsvr32.exe. The control worked fine in IE, but the problem was that Internet Explorer didn't know it existed. Which makes it hard to try and troubleshoot since it appears that the control doesn't exist, but it works anyway. So I can't use this method for installing every ActiveX control we would ever need on 500 computers, that would be a helpdesk nightmare!

    So, my question is...how do I PROPERLY install an ActiveX control when my users don't have permission to install anything? I was looking for instructions for how I could pre-install the ActiveX using software distribution. That would allow me to treat the ActiveX like any other application. I can't seem to find much information on it, plus ActiveX installation presents several problems I don't know how to deal with:

    1. How do I find the actual ActiveX files in the first place? (IE Doesn't give me a "Save As" dialog box when it downloads and installs controls.)
    2. Where would I put the files once I find them? (Is there a "Program Files" directory for ActiveX controls?)
    3. How do I register them so that IE knows they are installed and adds them in the "Installed Add-Ons" list?

     

    Another thought was possibly doing something fancy with Group Policy instead of app deployment with ConfigMgr. I found this article KB883256 that talks about managing add-ons in a GPO. You're supposed to list the CLSID's of approved controls in the "Add-On List" and enable "Deny all add-ons unless specifically allowed in the Add-on List" policy. I was hoping that by explicitly listing approved ActiveX controls in AD, my restricted users would be allowed to install the control despite their lack of permissions. I followed the instructions, but it appears that you still need to have permission to install all ActiveX controls, including the approved controls (unless I'm doing something wrong). Does anyone have any experience with this policy?

    Does anyone have an easy way to manage ActiveX deployment in a high security environment?
     

Answers

  • Saturday, November 07, 2009 7:45 AMTorsten [MVP]MVP, ModeratorUsers MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     Answer
    Sign In to Vote
    0
    Sign In to Vote
    That question is not 100% ConfigMgr related, so you might have a better chance getting an answer if you would post that question to an IE related forum or having a look at appdeploy.com. You can think about automating the deployment using ConfigMgr after you know how deploy ActiveX controls in general.
     

All Replies

  • Saturday, November 07, 2009 7:45 AMTorsten [MVP]MVP, ModeratorUsers MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     Answer
    Sign In to Vote
    0
    Sign In to Vote
    That question is not 100% ConfigMgr related, so you might have a better chance getting an answer if you would post that question to an IE related forum or having a look at appdeploy.com. You can think about automating the deployment using ConfigMgr after you know how deploy ActiveX controls in general.
     
  • Saturday, November 07, 2009 8:26 PMJason SandysMVPUsers MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     
    Sign In to Vote
    0
    Sign In to Vote
    Torsten is right on, this isn't really something ConfigMgr can solve for you as it's not dependant on ConfigMgr but rather on the ActiveX controls in play. An ActiveX control is no different than any other application that you install: it's a set of files and registry keys that are copied to the local system; sometimes those files or registry keys go to non-user areas resulting in the need for elevation but that doesn't change the fact that it's still made up of files and registry keys/values. So the real question is how do you deliver those files and registry updates in the first place? For "normal" applications, the answer is typically by using a setup or MSI. For ActiveX controls, the answer is the same although this is usually hidden for users and admins alike by web setups.

    So the real question is how do you get your hands on these setup files? Well, as usual, that's up to the vendor of the ActiveX control and has nothing to do with ConfigMgr.

    As for the group policies, they refer to the the ActiveX controls themselves, not their setup routines and that's why that won't always work.
    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys