Thursday, June 26, 2008

Preventing items from being added to the MFU list

The old addage of "Prevention is better than cure" I have found to be true with relation to removing items from the Most Frequently Used (MFU) start menu list.

The following powershell script prevents the Windows Tour icon and Migration settings wizard from being added to the MFU list. Of course, this could be used to prevent any other number of items from being added to the MFU list.

<<<>>>

$TaskDesc = "Clear MFU List"
$AddRemoveApps_New = ";TourStart.exe;MigWiz.exe"
$AddRemoveApps = Get-ItemProperty HKLM:\Software\Microsoft\Windows\Currentversion\Explorer\FileAssociation
-name AddRemoveApps
Set-ItemProperty HKLM:\Software\Microsoft\Windows\Currentversion\Explorer\FileAssociation
-name AddRemoveApps -value $AddRemoveApps$AddRemoveApps_New


# Test to see if the Registry action succeeded
If ($?) {
Write-Host "Enabled $($TaskDesc)"

} Else {
Write-Host "Error:$($TaskDesc) $($Error[0])"

}

Frequently used programs not automatically added to the Start menu
http://support.microsoft.com/kb/q282066/

Wednesday, June 25, 2008

Preventing users from executing files using Software Restriction Policies

Traditionally I have used NTFS permissions to restrict access for standard user accounts to certain executable files.

Most notably is reg.exe, when providing a managed workstation (SOE) to prevent standard users from accessing the registry. When coupled with Group Policy to restrict access to registry editing tools (regedit) it is effective in preventing access.

One alternative I had overlooked until recently was Software Restriction Policies. These can be applied as per most policies at the local or Group Policy level.

Summary:
A user with full permissions to a directory can be blocked from executing files using the Software Restriction Policies.

Using the "Disallowed" Security level, prevents execution regardless of the NTFS permissions the user holds, using Unrestricted honours the user account NTFS permissions.

Example:
User has Full Control of the folder C:\Test

Create a New Path rule by running GPEdit.msc
Local Security Policy / Software Restriction Policies / Additional Rules (Same location for a GPO)
New Path Rule
Path: C:\Test
Security Level: Disallowed

When the user executes a file from the path, the system prevents execution of the file.

C:\test\notepad.exe
The system cannot execute the specified program.


This could be applied to the SOE reg.exe scenario outlined earlier.

Another use I can see for this is to have a "scripts / tools" directory that the system can execute from Using a local System scheduled task, but those pesky users can't.

The following Microsoft articles list there purported uses of the facility, but this is interesting if nothing else and provides another tool for SOE builds that I hadn't considered using before.


Other rules can be specified to identify software including

Hash. A cryptographic fingerprint of the file
Certificate. A software publisher certificate used to digitally sign a file
Path. The local or universal naming convention (UNC) path of where the file is stored
See also "Registry Paths" as outlined in the reference documents.
Zone. Internet Zone

Using Software Restriction Policies to Protect Against Unauthorized Software

http://technet.microsoft.com/en-us/library/bb457006(TechNet.10).aspx

How Software Restriction Policies Work
http://technet2.microsoft.com/windowsserver/en/library/d24bc8c8-27cc-47ba-9b02-78d9d801e9371033.mspx?mfr=true

Thursday, June 12, 2008

SysPrep may not perform FullUnattend as expected

Issue:

When you supply a SysPrep answer file, SysPrep may not process the answer file as you expect. The Mini-Setup wizard stops processing and requests user input.

Cause:

One cause of this may be the use of comments within the SysPrep file. Sysprep.inf comments are denoted by the semi-colon (;) character. When a comment character is included on a line in the Sysprep.inf file, the complete line is omitted from processing.

Workaround:

Move the comment to a separate line of its own.

Example:

AutoMode=PerSeat ; Licensing Mode usually perseat

change the line as follows;

; Licensing Mode usually perseat
AutoMode=PerSeat

Wednesday, June 4, 2008

GPResult.exe may not complete Group policy report

Issue:
When you run "gpresult.exe /z" on a Windows XP machine, the RSOP may not complete processing.

Symptoms:
The GPResult.exe output is incomplete.

Cause:
A GPO contains the percent ("%") sign character. When the GPResult.exe encounters a % sign in the Group Policy Object, processing is terminated. The version of GPResult.exe with this issue is 5.1.2600.2180.

Typically, the % character may have been used in a Group Policy Computer startup/shutdown script or User Logon/Logoff script, to reference a local environment variable such as %SystemDrive%.

Workaround:
Use the Windows 2003 version of GPResult.exe, this tool is able to parse the % character successfully and completes the RSOP report. Version 5.2.3790.1830 or later of the GPResult.exe tool successfully parses the % character.

Alternatively, the GPMC console is able to generate the RSOP report successfully.