Restriction Software

Jmnts

Hi
I'm having a problem with Restriction Software Policy:

I created a Hash Rule to deny some users access to some admin tools; for
now I'm testing with dssite.msc.

I applied a restriction software policy (Hash Rule) to dssite.msc, then went
to the workstation, installed the adminpak.msi and tried to run Active
Directory Sites and Services from the Start menu, and it worked???, but if I
try to run the console directly from %SystemRoot%\System32\dssite.msc
the software isn't allowed to run, as expected.

Does anyone know what I'm missing here?

Another question.

I have a group of users and I want to allow them only to create and modify
policies in the domain.
To achieve this I added this group to the Group Policy Creator Owners; the
problem is that this group can only add or edit their own policies??
I want to allow them to have total access to all policies in the domain.

Best Regards.
 
 
Florian Frommherz

Howdy!
> I applied a restriction software policy (Hash Rule) to dssite.msc, then went
> to the workstation, installed the adminpak.msi and tried to run Active
> Directory Sites and Services from the Start menu, and it worked???, but if I
> try to run the console directly from %SystemRoot%\System32\dssite.msc
> the software isn't allowed to run, as expected.

Hashes depend on the size, version number and other information of the file.
If you create a hash rule for, let's say, somewhat.exe version 1.0 with
size 250kb and roll it out to your users, they will still be able to
open somewhat.exe version 1.1 with filesize 250kb. So - working with
hash rules is a little bit tricky. Are dssite.msc from the server and
dssite.msc from adminpak.msi exactly the same?

If not, you will have to create a new hash rule for the adminpak.msi's
dssite.msc...

> To achieve this I added this group to the Group Policy Creator Owners; the
> problem is that this group can only add or edit their own policies??
> I want to allow them to have total access to all policies in the domain.

The easiest way to do this would be downloading the Group Policy
Management Console (GPMC) from Microsoft:
http://www.microsoft.com/downloads/...24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

and delegating the rights the group needs. You can delegate the rights by
right-clicking the OU whose GPs you want the users to be able to administer
and selecting the "Delegation" tab on the right side. Just remember
that you should *not* delegate user rights at domain level since they're
then able to alter critical domain-level GPs such as the Password Policy...

cheers,

Florian
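Florian's point is that a hash rule binds to one exact file, so the practical check is whether the server's dssite.msc and the copy adminpak.msi installed are byte-identical. The PowerShell below is an added example, not code from the thread; the function name, the UNC path and the host name are assumptions, and Get-FileHash needs a newer Windows than the XP/2003 systems discussed here.

```powershell
# Added example, not from the thread: compare the file an SRP hash rule was
# built from against the copies users actually launch. Paths are assumptions.
function Test-SrpHashRuleMatch {
    param(
        [Parameter(Mandatory)] [string]   $RuleFile,        # file the hash rule was created from
        [Parameter(Mandatory)] [string[]] $CandidateFile    # copies to check against that rule
    )
    # Gather what SRP cares about: the exact bytes (hash) and the length.
    # FileVersion is shown only as a hint; .msc consoles usually carry none.
    $describe = {
        param($path)
        $item = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Path        = $item.FullName
            Size        = $item.Length
            FileVersion = $item.VersionInfo.FileVersion
            MD5         = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
    $rule = & $describe $RuleFile
    foreach ($candidate in $CandidateFile) {
        $c = & $describe $candidate
        # A hash rule only matches byte-identical content; a rebuilt file with
        # the same size and version number is still a different file to SRP.
        $isMatch = ($c.SHA256 -eq $rule.SHA256) -and ($c.Size -eq $rule.Size)
        $action  = if ($isMatch) { 'covered by existing hash rule' } else { 'needs its own hash rule' }
        [pscustomobject]@{
            Candidate   = $c.Path
            Size        = $c.Size
            FileVersion = $c.FileVersion
            MD5         = $c.MD5
            RuleMatches = $isMatch
            Action      = $action
        }
    }
}

# Example use: the domain controller's dssite.msc versus the copy adminpak.msi
# put on the workstation (UNC path and host name are placeholders).
Test-SrpHashRuleMatch -RuleFile '\\DC01\c$\Windows\System32\dssite.msc' `
                      -CandidateFile 'C:\Windows\System32\dssite.msc' |
    Format-Table -AutoSize
```

Any candidate reported as "needs its own hash rule" is a file the existing rule will never block, whatever its name or location.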
 
Jmnts

Hi Florian, thanks for the fast answer.

Regarding the version of the adminpak.msi, it is the same; I checked it myself.
You see, the problem is that if I try to run the dssite.msc directly from
System32 the software is blocked as expected; the software isn't being
blocked if I try to run it from Start menu -> Administrative Tools ->
Active Directory Sites and Services.

Another strange thing is that I manually created a shortcut on the desktop
to the dssite.msc and that shortcut also worked??? Strange??
The software is only blocked if I try to run it directly from the System32
folder.

Regarding the delegation of permissions to the Group Policy Creator
Owners: I ran the delegation wizard on the OU, but only a few options to
manage GPOs are available: Manage Group GPO Link, RSoP (Planning and
Logging).

I tried to run it in advanced mode but none of them seems to serve my goals.

And my goals are (users of this group must be able to Create, Change, Edit,
Delete and Link Policy Objects; no matter who created the policies, they must
be able to change each one of them).

Thanks again
Best Regards
 
Florian Frommherz

Howdy!
> Regarding the version of the adminpak.msi, it is the same; I checked it myself.
> You see, the problem is that if I try to run the dssite.msc directly from
> System32 the software is blocked as expected; the software isn't being
> blocked if I try to run it from Start menu -> Administrative Tools ->
> Active Directory Sites and Services.

Is it really blocked, or are you just logged in as a user and getting an
"Access denied" message? I assume that you're using Windows XP / Windows
Server 2003, since Windows 2000 isn't capable of processing Software
Restriction Policies, so ...

> Another strange thing is that I manually created a shortcut on the desktop
> to the dssite.msc and that shortcut also worked??? Strange??
> The software is only blocked if I try to run it directly from the System32
> folder.

You're sure you created a Hash rule and not a Path rule, right? This all
reads a little different. If so, did you log off and log on again? Windows
XP handles Software Restriction Policies via explorer.exe - and an
already opened and running explorer.exe will *not* automatically block
software unless you log off and log in again.

> Regarding the delegation of permissions to the Group Policy Creator
> Owners: I ran the delegation wizard on the OU, but only a few options to
> manage GPOs are available: Manage Group GPO Link, RSoP (Planning and
> Logging).

Hmm, sorry, I'm not using the "old-school" ;-) gpedit.msc policy
editor since GPMC is a little more comfortable. So, I can't say much
about that.

cheers,

Florian
 
Jmnts

When I try to run from c:\Windows\system32\dssite.msc I receive the message:

c:\Windows\System32\dssite.msc
Windows cannot open this program because it has been prevented by a software
restriction policy. For more information, open Event Viewer or contact your
system administrator.

Of course this is an expected message.
If I try to run from Start menu -> Administrative Tools -> Active Directory
Sites and Services, the console opens with no problems???

If this was a permission issue I wouldn't be able to run it in any way..
Right?

In the GPMC the options for delegating permissions are the same as in the
delegation wizard.
In the GPMC you only have by default: Link GPOs, Perform Group Policy
Modeling analyses and Read Group Policy Results data.

If we want to achieve something else we have to go to the Advanced tab and
manually give permissions. The problem is that I can't find the right
permissions for my specific needs, which are:
(users of this group must be able to Create, Change, Edit, Delete and Link
Policy Objects; no matter who created the policies, they must be able to
change each one of them)

Any ideas...!!!

Best Regards
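As an added example of the delegation Florian describes (not the thread's own procedure): granting a group edit rights on only the GPOs linked to one OU, using the GroupPolicy PowerShell module that ships with GPMC/RSAT, so that domain-level GPOs such as the password policy stay untouched as his caveat advises. The OU, the group name and the function name are assumptions; creating new GPOs and linking them are separate delegations not covered here.

```powershell
# Added example, not from the thread: grant a group edit rights on the GPOs
# linked to one OU, leaving domain-level GPOs alone. Needs the GroupPolicy
# module (installed with GPMC/RSAT); OU and group names are placeholders.
Import-Module GroupPolicy

function Grant-OuGpoEditRights {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,   # OU the group may administer
        [Parameter(Mandatory)] [string] $GroupName             # security group (sAMAccountName)
    )
    # Only GPOs linked at this OU are in scope; the Default Domain Policy and
    # other GPOs linked at the domain root never appear in this list.
    $links = (Get-GPInheritance -Target $OuDistinguishedName).GpoLinks
    foreach ($link in $links) {
        # GpoEditDeleteModifySecurity gives full edit rights on that one GPO,
        # regardless of who originally created it.
        Set-GPPermission -Guid $link.GpoId -TargetName $GroupName -TargetType Group `
                         -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
    }
    # Report what the group now holds on each GPO so the change can be reviewed.
    foreach ($link in $links) {
        $perm = Get-GPPermission -Guid $link.GpoId -TargetName $GroupName -TargetType Group
        [pscustomobject]@{
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target
            Trustee    = $GroupName
            Permission = $perm.Permission
        }
    }
}

Grant-OuGpoEditRights -OuDistinguishedName 'OU=Workstations,DC=example,DC=com' `
                      -GroupName 'GPO Editors' | Format-Table -AutoSize
```

Re-run the function after a new GPO is linked to the OU; a GPO linked later is not covered until it is processed.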
 
