Applying Computer group policy except to Domain Admins

    Question

  • Hi,

    Last week, we decided to disable Windows Installer on all of our Remote Desktop Services servers in order to fix an issue.

    Now today, I noticed that a user couldn't open Access 2013 in one of the servers and since Access is almost never used on that server, it's possible that the first boot of Access 2013 following the last updates did require Windows Installer to launch.

    Now, even with the admin account, I still couldn't open Access. In the Group Policy created to disable Windows Installer, Domain Admins have the setting Apply group policy set to Deny. But it seems this is only for Users Configuration.

    How can I keep this GPO without affecting the Domain Admins?

    Monday, February 22, 2016 8:09 PM

Answers

  • Hi,
     
    On 22.02.2016 at 21:09 darkman007e wrote:
    > How can I keep this GPO without affecting the Domain Admins?
     
    You cannot.
    If it is a computer configuration you can only exclude computers from
    being manipulated.
     
    Disabling Windows installer, on a system where you regularly create new
    user profiles is really(!) a bad idea.
     
    Why? Because you often need a runonce of a software for a user part at
    profile creation, or at first start of software.
     
    You can use Active Setup (introduced with NT/IE4) at login time or MSI
    (close to 20 years ago as well) at process starting time.
    The developer of the software decides which technique to use.
     
    Enable Windows Installer.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Marked as answer by Emmanuel P Tuesday, February 23, 2016 3:18 PM
    Tuesday, February 23, 2016 8:59 AM
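    The point Mark makes (a Computer Configuration setting lands on the machine and ignores who logs on, so a user-side "Apply group policy: Deny" cannot exempt anyone) can be checked directly on the RDS host. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the documented registry representation of the "Turn off Windows Installer" policy, the HKLM value DisableMSI (0 = never disabled, 1 = disabled for non-managed applications only, 2 = always disabled), and that it is run elevated on the server after a gpupdate.

```powershell
# Added example: show that the Windows Installer policy is machine-scoped (HKLM),
# so it is in force for every interactive user, Domain Admins included.
# Assumption: DisableMSI under the Installer policy key is the value the
# "Turn off Windows Installer" administrative template writes.

$machinePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$userPolicyKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-WindowsInstallerPolicyState {
    $value = Get-ItemProperty -Path $machinePolicyKey -Name DisableMSI -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'Not configured (Windows Installer enabled)' }
    switch ($value.DisableMSI) {
        0       { 'Configured: Never (enabled for everyone)' }
        1       { 'Configured: for non-managed applications only' }
        2       { 'Configured: Always (disabled for everyone, Domain Admins included)' }
        default { "Unexpected DisableMSI value $($value.DisableMSI)" }
    }
}

# A user-side security filter could only influence HKCU; the setting that
# msiexec honours here lives in HKLM, which is why the Deny ACE has no effect.
function Test-PolicyScope {
    [pscustomobject]@{
        MachineScopedPolicyPresent = (Test-Path -Path $machinePolicyKey)
        UserScopedPolicyPresent    = (Test-Path -Path $userPolicyKey)
        CurrentUser                = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

Write-Host ('Windows Installer policy: ' + (Get-WindowsInstallerPolicyState))
Test-PolicyScope | Format-List

# The computer-scope RSoP report names the GPO that delivered the setting;
# it is evaluated against the computer object, independent of the logged-on user.
gpresult /r /scope computer
```

    Log on with a Domain Admin account and an ordinary user account in turn and run the script under each: the machine-scoped value and the winning GPO in the computer report are identical, which is the observed "admin still cannot open Access" behaviour. The only exemption available at this level is the one Mark describes, excluding the computer object itself (move it to another OU, or filter the GPO on a computer group).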
  • As Mark has said, you can't if the policy applies at the computer level.

    I would probably ask why you haven't gone down the user applied policy of Software restrictions, as they are RDS servers I assume that you are deploying a certain set of applications or a single application. In either instance it is relatively easy to control application access, it's located:

    [GP Name]>User Configuration>Windows Settings>Security Settings>Software Restriction policies>Additional Rules.

    The good thing about this set of policies is that it affects the users' ability to run anything you don't want them to run, while msi's added to run on login as different users are not affected. It's worth investigating if you haven't already.

    Make sure you add the following paths as unrestricted else logon will fail:

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    %LOGONSERVER%\Netlogon

    %LOGONSERVER%\Netlogon\*

    You will also need to add the domain Sysvol and Netlogon locations.

    • Marked as answer by Emmanuel P Tuesday, February 23, 2016 3:17 PM
    Tuesday, February 23, 2016 9:16 AM
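    Before relying on Software Restriction Policies on an RDS host it is worth auditing what path rules actually arrived and confirming that the logon-critical paths listed above are present as Unrestricted rules. The PowerShell below is an added example, not code from the thread; it assumes that SRP stores its rules under the Safer\CodeIdentifiers policy key of the hive matching the configuration side (HKCU for User Configuration, HKLM for Computer Configuration), with subkey 0 holding Disallowed rules and subkey 262144 (0x40000) holding Unrestricted rules, each path rule being a GUID-named subkey whose ItemData value is the path pattern. Run it after a gpupdate, in the session of a user the policy targets.

```powershell
# Added example: enumerate applied SRP path rules and check the answer's
# required-unrestricted paths. Assumptions on key layout are stated in the lead-in.

param(
    # 'HKCU' for rules from User Configuration, 'HKLM' for Computer Configuration.
    [ValidateSet('HKCU', 'HKLM')]
    [string] $Hive = 'HKCU'
)

$saferRoot = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
$levels    = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

# Paths the answer says must stay Unrestricted or logon fails (constructed from the post).
$requiredUnrestricted = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    '%LOGONSERVER%\Netlogon'
)

function Get-SrpPathRule {
    foreach ($levelId in $levels.Keys) {
        $pathsKey = Join-Path -Path $saferRoot -ChildPath "$levelId\Paths"
        if (-not (Test-Path -Path $pathsKey)) { continue }
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $levels[$levelId]
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
}

function Test-RequiredSrpRules {
    $unrestricted = @(Get-SrpPathRule | Where-Object Level -eq 'Unrestricted' | ForEach-Object Path)
    foreach ($required in $requiredUnrestricted) {
        [pscustomobject]@{
            RequiredPath = $required
            Present      = ($unrestricted -contains $required)
        }
    }
}

# DefaultLevel 0 means "Disallowed by default" (allow-list mode); 262144 means Unrestricted.
$defaultLevel = (Get-ItemProperty -Path $saferRoot -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
Write-Host ("SRP default level in {0}: {1}" -f $Hive, $(if ($null -eq $defaultLevel) { 'not configured' } else { $levels["$defaultLevel"] }))

Write-Host 'Applied path rules:'
Get-SrpPathRule | Sort-Object Level, Path | Format-Table -AutoSize

Write-Host 'Required Unrestricted rules:'
Test-RequiredSrpRules | Format-Table -AutoSize
```

    Any row with Present = False in the last table is a path rule that is missing before the default level is switched to Disallowed; check those first, since a missing SystemRoot or Netlogon rule shows up as failed logons rather than as a blocked application.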
  • Hi,

    For “Domain Admins have the setting Apply group policy set to Deny. But it seems, this is only for Users Configuration.”

    It is expected behavior, as computer Group Policy is applied to computers, regardless of who logs on to the computers.


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Emmanuel P Tuesday, February 23, 2016 3:31 PM
    Tuesday, February 23, 2016 9:32 AM
    Moderator

All replies

  • The reason why we want to disable Windows Installer is because we use Sage 300 ERP and when Sage 300 Intelligence Reporter is installed, there's a weird behavior where the software would launch a Windows Installer and it would delay the execution.

    With that program being poorly made, the only solution they offer is to disable Windows Installer (which I did with GPO instead of through the registry)

    https://support.na.sage.com/selfservice/viewdocument.do?noCount=true&externalId=39027&sliceId=1&dialogID=31384&cmd=displayKC&docType=kc&noCount=true&stateId=31389&isLoadPublishedVer=&docTypeID=DT_Article&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

    http://kb.sageintelligence.com/index.php?title=SAGE_300_WORKSTATION_WINDOWS_INSTALLER_POP-UP

    Disabling Windows Installer improves a bit the performance of Sage 300 ERP but technically, if a user cancels the Windows Installer, the app would still run, which basically means that it's a bug that Windows Installer runs.

    Now of course if there's no way to enable Windows Installer only for admins then I will have to keep it enabled.

    Tuesday, February 23, 2016 3:31 PM
  • > there's a weird behavior were the software would launch a Windows
    > Installer and it would delay the execution.
     
    This is mostly due to the fact that they use an installer shortcut
    instead of a "traditional" lnk file. If you can figure out which exe to
    launch, you might create a new shortcut that launches the exe directly...
     
    To determine if it's an installer shortcut, open its properties. If no
    commandline or "run in" is present, it is.
     
    for the "Target" column.
     
    If it is an installer shortcut, it will not launch the exe directly, but
    it will first launch msiexec which then can perform potentially required
    configuration actions for the user environment prior to launching.
     
    Tuesday, February 23, 2016 4:42 PM
  • I actually didn't express myself correctly.

    When users open Sage 300 ERP, they need to login, then they get access to the program. So far, Windows Installer hasn't launched yet.

    Then it's only if they try to view some reports that Windows Installer would launch. But on the 2 other RDS servers where we don't have Intelligence Reporting installed, Windows Installer never launches.

    Therefore, I don't see how it can be linked to a specific MSI.

    Tuesday, February 23, 2016 7:36 PM
  • > Then it's only if they try to view some reports that Windows Installer
    > would launch.
     
    Ok, it's inside the application and we are out of luck :()
     
    Wednesday, February 24, 2016 10:21 AM