Answered: Vista SP1 User's Group Policy

  • Thursday, June 5, 2008 3:32 PM, Nautos

    In Vista SP1 I want to let users control the display settings through Personalization in Control Panel.
    Can you tell me which files I have to permit through the user's group policy in System (Run only allowed Windows programs)?

Answer

  • Thursday, June 12, 2008 2:31 AM, Miles Li (MSFT, Moderator)
     Answered

    Hello,

    I performed the test on my side and reproduced the issue of accessing and changing Personalization settings (desktop background, sounds, display settings, etc.) when the "Run only specified windows application" policy setting is enabled.

    From my research, it seems to result from the change of the Explorer and Control Panel in the Windows Longhorn operating system. Application execution restriction via "Run only specified windows application" is weak because it only puts the restriction on Explorer.exe (the default shell). In other words, the restriction will not function when you use CMD.exe to execute applications. So I'd like to suggest that you use the Software Restriction Policy to implement application restriction on the client, and it is safe for Personalization settings.

    To have the same effect as "Run only specified windows application", you may create a Hash Rule with Disallowed as the default security level.

    1.    In a Group Policy object, right-click Software Restriction Policies (User configuration--->Windows Settings--->Security Settings) and click New Software Restriction Policies.

    2.    In Security Levels, right-click Disallowed and set it as default.

    3.    In Additional Rules, create new hash rules for the specific allowed programs.

    Hope it helps.

    • Marked as answer by Nautos, Thursday, June 12, 2008 8:36 PM
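
A read-only check of the two mechanisms discussed in the answer above, added here as an example and not part of the original post: it reports whether only the Explorer-enforced "Run only specified Windows applications" list is in effect for the current user, or a Software Restriction Policy with Disallowed as the default level. The registry locations and function names are assumptions not given in the thread; confirm the result with "gpresult /v".

```powershell
# Added example: report which application-restriction mechanism applies to the
# current user. Registry locations are assumptions not stated in the thread.
$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$srpRoot     = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-RestrictRunState {
    # "Run only specified Windows applications" is honoured by Explorer.exe only.
    $flag = (Get-ItemProperty -Path $explorerPol -Name RestrictRun -ErrorAction SilentlyContinue).RestrictRun
    $allowed = @()
    $listKey = Join-Path $explorerPol 'RestrictRun'
    if (Test-Path $listKey) {
        $key = Get-Item $listKey
        $allowed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    New-Object PSObject -Property @{ Enabled = ($flag -eq 1); AllowedPrograms = $allowed }
}

function Get-SrpState {
    # Software Restriction Policies (user configuration).
    $level = (Get-ItemProperty -Path $srpRoot -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if     ($null -eq $level)  { $name = 'Not configured' }
    elseif ($level -eq 0)      { $name = 'Disallowed' }
    elseif ($level -eq 262144) { $name = 'Unrestricted' }   # 0x40000
    else                       { $name = "Other ($level)" }
    # Allow rules live under the level they grant: 262144 = Unrestricted.
    $hashKey = Join-Path $srpRoot '262144\Hashes'
    $rules = @()
    if (Test-Path $hashKey) {
        $rules = @(Get-ChildItem $hashKey | ForEach-Object { $_.GetValue('FriendlyName') })
    }
    New-Object PSObject -Property @{ DefaultLevel = $name; AllowHashRules = $rules }
}

$rr  = Get-RestrictRunState
$srp = Get-SrpState
if ($rr.Enabled -and $srp.DefaultLevel -ne 'Disallowed') {
    Write-Warning 'Only the Explorer.exe restriction is active; programs started from CMD.exe are not covered.'
}
if ($srp.DefaultLevel -eq 'Disallowed' -and $srp.AllowHashRules.Count -eq 0) {
    Write-Warning 'SRP default is Disallowed and no allow hash rules were found for this user.'
}
$rr  | Format-List
$srp | Format-List
```

Run it in the restricted user's own session, since both locations are per-user.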

All replies

  • Friday, June 6, 2008 7:19 AM, Miles Li (MSFT, Moderator)
     
    Hello,

     

    By default, both local and domain standard users have permission to access and change the Display Settings. I'd like to know whether you receive the "Your system administrator has disabled launching of the Display settings control panel" message when trying to open the Display Settings dialog. If yes, try checking the following policy setting.

     

    User Configuration--->Administrative Template--->Control Panel--->Display--->Hide settings tab

     

    You can run "gpresult /v" to verify the current applied group policy settings.

     

    Is there anything I have missed?

     

     

     

  • Friday, June 6, 2008 1:56 PM, Nautos

    Thanks for your concern.
    The "Hide Settings Tab" is Disabled.
    I have enabled, in User Configuration --> Administrative Templates --> System --> Run only allowed Windows applications.
    Although I have inserted the executables that I found with the help of Sysinternals Process Explorer, I still get the message that it is not permitted because of the effective permissions and that I have to contact the administrator.
    When I disable Run only allowed Windows applications, then everything is OK.
    I have really been stuck on that problem for three days now and I do not know what to do.
    Things are much simpler with XP!
    But with Vista everything is safer for the average user, but when the time comes for "fine tuning" then the administrator is in trouble...
    Yes, I have checked the GPO with "gpresult /v" and it is applied correctly.
    • Edited by Nautos, Friday, June 6, 2008 2:01 PM: Clarify the gpresult
  • Friday, July 3, 2009 4:27 AM, The lost Admin

    We are experiencing the same issue here.

    We are using Windows 2003 Enterprise SP2 (domain controller)
    Windows Vista Business SP1 (workstation)

    We start by creating a fresh group and a fresh user, then apply the Group Policy setting Run only allowed Windows applications.  We have not enabled or disabled any of the other Group Policy settings!

    We then log on to the Vista machine and the 3D Aero Glass setting is disabled.  We right-click the desktop and select Personalize and then try to select Windows Color and Appearance, and then we get the following error message:

    Restrictions - This operation has been cancelled due to the restrictions in effect on this computer.  Please contact your system administrator.

    We get the same error message for all of the settings on the Personalization page except for Desktop Background setting, which opens and functions just fine.

    Does anyone have any suggestions to help end the MADNESS?

       Lost,

       The System Administrator