
List:       patchmanagement
Subject:    RE: Office Service Pack 2 (UNCLASSIFIED)
From:       "Aakash Shah" <aakash.shah () research ! uci ! edu>
Date:       2009-05-10 2:42:29
Message-ID: 62A181A4DF33074AB71D8A9CB07AFF3F4F789C () email ! rgs ! uci ! edu

One way that we have accomplished restricting users from installing anything is by
using Software Restriction Policies (SRP).  Here is a great article by a MS MVP who
goes by "mechBgon" on how it works and how to set it up: http://www.mechbgon.com/srp

It becomes harder to implement SRP if the user is an admin since the admin user can
either run the executable from a trusted folder (such as Program Files or Windows),
or they can create an exception in SRP to allow any executables in their profile to
run.  So, for programs that require admin level access, there are a few ways to get
around this:

1. Use a scheduled task using an account that has elevated rights to run the program.
We use this approach in our environment with great success for some in updater
programs (it was not feasible to use a patch management product for these products
due to the frequency and schedule with which updates were released for these specific
programs). If you use the scheduled task approach, here are a few things to note:

a. You can use the new Group Policy Preferences (GPP) to easily "deploy" scheduled
tasks.

b. If you are concerned with saving passwords in a GPP, it appears that the
passwords are stored using AES 256 bit encryption:
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/1e471cf1-6faf-4161-9cb5-ea9a372e5b89

c. You will need to provide read and write permissions to the individual scheduled
tasks.  Users will need read access to actually see the scheduled task (by default
users can't see scheduled tasks) and the users will need write access to run the
scheduled task (it sounds weird giving "write" access, but it's the only way I got it
to work). You can use cacls.exe to accomplish this on the individual files at
%SystemRoot%\Tasks.

2. Use Windows Sysinternals' Process Monitor to figure out what areas of the computer
the program is having a problem reading/writing to and then grant the user read/write
access to those specific areas.

I've listed some references that I've come across that deal with running programs as
non-admins:
http://nonadmin.editme.com/LUABuglight
http://nonadmin.editme.com
http://4sysops.com/archives/run-a-program-with-administrator-rights-runasspc-cpau-and-steel-run-as-compared

Aakash Shah
Systems Administrator

Office of Research
University of California, Irvine
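
An added example, not part of the original message or of any Microsoft tooling, for the GPP password concern in point 1b above: the AES key for the `cpassword` field is published in Microsoft's Group Policy Preferences protocol documentation, so the practical check is whether any preference XML readable from SYSVOL carries a stored password at all. The function name, task names and account are hypothetical, and the sample XML is constructed.

```powershell
# Added example: report GPP preference XML files that carry a stored password.
# Find-GppStoredPassword and all sample names below are hypothetical.
function Find-GppStoredPassword {
    param(
        # Root to scan, e.g. the Policies folder of the domain SYSVOL share.
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try   { $doc = [xml](Get-Content -LiteralPath $file -Raw) }
            catch { Write-Warning "Skipping unparsable XML: $file"; return }
            # Any element with a non-empty cpassword attribute holds a stored credential.
            $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]') |
                ForEach-Object {
                    [pscustomobject]@{
                        File    = $file
                        Element = $_.ParentNode.LocalName + '/' + $_.LocalName
                        Name    = $_.GetAttribute('name')
                        RunAs   = $_.GetAttribute('runAs')
                    }
                }
        }
}

# Constructed sample: a ScheduledTasks.xml laid out as it would be under a GPO folder.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $demo 'Machine\Preferences\ScheduledTasks'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="VendorUpdater">
    <Properties action="C" name="VendorUpdater" runAs="EXAMPLE\svc-updater"
                cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VALUE" />
  </Task>
  <Task name="NoStoredPassword">
    <Properties action="C" name="NoStoredPassword" runAs="NT AUTHORITY\SYSTEM" cpassword="" />
  </Task>
</ScheduledTasks>
'@ | Set-Content -LiteralPath (Join-Path $dir 'ScheduledTasks.xml') -Encoding UTF8

# Only the task with a non-empty cpassword is reported; the value itself is never printed.
Find-GppStoredPassword -Path $demo | Format-Table -AutoSize
```

Any row returned means the account in `RunAs` should have its password rotated and the task redeployed without a stored credential.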

-----Original Message-----
From: Cardinal, Donna T Ms CIV USA MEDCOM USARIEM [mailto:donna.cardinal@us.army.mil]
Sent: Friday, May 08, 2009 10:54 AM
To: Patch Management Mailing List
Subject: RE: Office Service Pack 2 (UNCLASSIFIED)

Classification:  UNCLASSIFIED 
Caveats: NONE

Can you please tell me how you accomplish number 2?

Thanks,
Donna Cardinal

-----Original Message-----
From: Hank Arnold [mailto:arnoldhf@optonline.net] 
Sent: Thursday, May 07, 2009 3:42 AM
To: Patch Management Mailing List
Subject: RE: Office Service Pack 2

We avoid issues by:

1) Using WSUS to download, approve (or decline) and distribute updates
2) Restricting, via GPO, users from installing *ANYTHING*.

Regards, 
Hank Arnold 
arnoldhf@optonline.net
Microsoft MVP 
Windows Server - Directory Services 
http://mypcassistant.blogspot.com

-----Original Message-----
From: Andy Bolton [mailto:abolton@victrex.com] 
Sent: Monday, May 04, 2009 3:02 AM
To: Patch Management Mailing List
Subject: RE: Office Service Pack 2

I have pushed out without any issues (so far).

There is an option to prevent the automatic distribution and
installation of IE8, similar to that for IE7
http://www.microsoft.com/downloads/details.aspx?familyid=21687628-5806-4ba6-9e4e-8e224ec6dd8c&displaylang=en&tm

However it doesn't prevent users downloading and installing for
themselves.



Andy Bolton
ICT Operations Support Engineer

Victrex plc
Victrex Technology Centre
Hillhouse International
Thornton Cleveleys
Lancashire, FY5 4QD

Phone: +44 1253 897726
Fax: +44 (0)1253 897701
Email: abolton@victrex.com
Web: www.victrex.com



This correspondence is for the named person/s use only and may contain
confidential or legally privileged information or both. If you receive
this correspondence in error, please notify the sender and then
immediately delete it from your system. You must not disclose, copy or
rely on any part of this correspondence if you are not the intended
recipient. Any views expressed in this message are those of the
individual sender, except where the sender expressly, and with
authority, states them to be the views of the company. 

-----Original Message-----
From: Marrazzo, Lia L.--IRM [mailto:MarrazL@inhs.org] 
Sent: 28 April 2009 22:13
To: Patch Management Mailing List
Subject: RE: Office Service Pack 2

I usually check to make sure these types of updates are not coming out
via MS Update to avoid a user applying them before testing.  I did go to
MS Update and the Office Service Pack 2 was listed both when run as
Express & Custom as well as the Internet Explorer 8.  I am testing the
Office SP 2 right now, however, we really do not want IE 8 to install as
we have lots of apps that won't run in it.  I know it has a
'compatibility mode', however, this worked very well on one machine but
completely rendered another device useless until it was rolled back.  So
I question the "no sooner than 3 months from now and with at least 30
days notice" statement.

Lia Marrazzo
Systems Analyst - INHS/IRM
Family & Internal Medicine Residency Spokane             
marrazl@inhs.org

-----Original Message-----
From: Susan Bradley [mailto:sbradcpa@pacbell.net] 
Sent: Tuesday, April 28, 2009 11:18 AM
To: Patch Management Mailing List
Subject: Office Service Pack 2

*Liles:* Customers can download SP2
<http://www.microsoft.com/downloads/details.aspx?FamilyID=b444bf18-79ea-46c6-8a81-9db49b4ab6e5>
right away. In addition, Microsoft will release SP2 via Microsoft 
Update's automatic update mechanism no sooner than three months from 
now, and with at least 30 days notice, which aligns with our prior 
established policy.

Office Service Pack 2 A Significant Stability, Performance and
Interoperability Upgrade: Q&A: Group Program Manager Jane Liles talks
about the enhancements now available through Service Pack 2 for the 2007
Microsoft Office system.:
http://www.microsoft.com/presspass/features/2009/Apr09/04-28Office2007SP2QA.mspx


---
When posting or replying to messages on this list, please send all
emails in plain text format.  HTML formatted messages will not be
accepted.

PatchManagement.org is hosted by Shavlik Technologies

To unsubscribe send a blank email to
leave-patchmanagement@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement@patchmanagement.org




VICTRE is a registered trademark.  PEEK is a trademark of Victrex plc.

The information contained in this e-mail is confidential and is for the attention and
use of the intended recipients only. The reading, copying, disclosure or other
distribution or the use or retention of the information by any other person is
prohibited and may be unlawful. If you are not an intended recipient please notify me
immediately by return e-mail or by telephone.

Victrex plc (no: 2793780) registered in England and Wales at: Victrex Technology
Centre, Hillhouse International, Thornton-Cleveleys, Lancashire, FY5 4QD, UK.

E-mail cannot be guaranteed to be secure or error-free as it could be incomplete,
late, lost, intercepted, corrupted or contain viruses which might affect your system.
The sender of this e-mail does not accept liability for any loss or damage arising in
any way from the receipt or the use of this e-mail.


