Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Windows Server General Help » gpo - run only allowed windows applications
gpo - run only allowed windows applications [message #163677] Thu, 04 June 2009 16:26 Go to next message
Sleb  is currently offline Sleb
Messages: 18
Registered: August 2009
Junior Member
Hi,

On a windows terminal server, we are using the "run only allowed windows
applications" (we are in a domain). We are having problems when opening tiff
attachments. First I modified the registry so the temporary location of tiff
images goes to the users personnal folder on the network using the U: drive
mapped there since the user has full control on it (because we hide the C:
drive of the server through GPO).

It still says that the GPO is blocking it. If I save the attachement on the
desktop, I can open the attachement without a problem. This only happens with
tiff attachments in outlook only. They can open any other attachments from
outlook directly without saving anywhere.

1- Any idea what I have to add in the list of allowed applications?
2- Is there a way to see what process or file that is blocked by gpo's? I
don't see anything in event viewer and don't know any tools that does that.

Thanks
Re: gpo - run only allowed windows applications [message #163684 is a reply to message #163677] Thu, 04 June 2009 16:32 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Sleb" <Sleb@discussions.microsoft.com> wrote in message
news:E7814FFF-2F78-484F-98D6-3C5B1F65B405@microsoft.com...
> Hi,
>
> On a windows terminal server, we are using the "run only allowed windows
> applications" (we are in a domain). We are having problems when opening
> tiff
> attachments. First I modified the registry so the temporary location of
> tiff
> images goes to the users personnal folder on the network using the U:
> drive
> mapped there since the user has full control on it (because we hide the C:
> drive of the server through GPO).
>
> It still says that the GPO is blocking it. If I save the attachement on
> the
> desktop, I can open the attachement without a problem. This only happens
> with
> tiff attachments in outlook only. They can open any other attachments from
> outlook directly without saving anywhere.
>
> 1- Any idea what I have to add in the list of allowed applications?
> 2- Is there a way to see what process or file that is blocked by gpo's? I
> don't see anything in event viewer and don't know any tools that does
> that.
>
> Thanks


I believe Outlook is blocking it, not the app running, which I assume you
have the associated application that will open TIFF files allowed in your
GPO allowed list.

The following link should help you with Outlook:
Attachment file types blocked by Outlook - Outlook - Microsoft ...Attachment
file types blocked by Outlook. Applies to: Microsoft Office Outlook 2003.
There are two levels of attachment security. Access to Level 1 files is ...
http://office.microsoft.com/en-us/outlook/HP030850041033.asp x

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
Re: gpo - run only allowed windows applications [message #163726 is a reply to message #163684] Fri, 05 June 2009 15:19 Go to previous messageGo to next message
Sleb  is currently offline Sleb
Messages: 18
Registered: August 2009
Junior Member
Hi Ace. Thanks for your reply. I can tell you that it is not outlook that
prevents my .tiff files to open up (I am well aware of that outlook
attachment blocking). If I deactivate the GPO, everything is fine and the
message is clear that it is the GPO that is blocking (when you do something
that is blocked by gpo, it's always the same message....the policy on this
system........).

Of course, the application used to open our .tiff files is in the allowed
list. I am used to those kind of problems and got through all the time except
for this one. If I am right, if you block stuff, you are supposed to see in
the event viewer what executable is blocked but on my ts server, I don't get
any clues. I even used process explorer after deactivating the GPO to be sure
I am allowing the right executables and everything is fine there.

Is there a gpo tool you suggest me that will show me what process or
executable is blocked by the gpo?

Thanks

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Sleb" <Sleb@discussions.microsoft.com> wrote in message
> news:E7814FFF-2F78-484F-98D6-3C5B1F65B405@microsoft.com...
> > Hi,
> >
> > On a windows terminal server, we are using the "run only allowed windows
> > applications" (we are in a domain). We are having problems when opening
> > tiff
> > attachments. First I modified the registry so the temporary location of
> > tiff
> > images goes to the users personnal folder on the network using the U:
> > drive
> > mapped there since the user has full control on it (because we hide the C:
> > drive of the server through GPO).
> >
> > It still says that the GPO is blocking it. If I save the attachement on
> > the
> > desktop, I can open the attachement without a problem. This only happens
> > with
> > tiff attachments in outlook only. They can open any other attachments from
> > outlook directly without saving anywhere.
> >
> > 1- Any idea what I have to add in the list of allowed applications?
> > 2- Is there a way to see what process or file that is blocked by gpo's? I
> > don't see anything in event viewer and don't know any tools that does
> > that.
> >
> > Thanks
>
>
> I believe Outlook is blocking it, not the app running, which I assume you
> have the associated application that will open TIFF files allowed in your
> GPO allowed list.
>
> The following link should help you with Outlook:
> Attachment file types blocked by Outlook - Outlook - Microsoft ...Attachment
> file types blocked by Outlook. Applies to: Microsoft Office Outlook 2003.
> There are two levels of attachment security. Access to Level 1 files is ...
> http://office.microsoft.com/en-us/outlook/HP030850041033.asp x
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right
> things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>
>
Re: gpo - run only allowed windows applications [message #163732 is a reply to message #163726] Fri, 05 June 2009 22:03 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Sleb" <Sleb@discussions.microsoft.com> wrote in message
news:C5EB48B2-01C7-4537-A6BB-A1148AC1588A@microsoft.com...
> Hi Ace. Thanks for your reply. I can tell you that it is not outlook that
> prevents my .tiff files to open up (I am well aware of that outlook
> attachment blocking). If I deactivate the GPO, everything is fine and the
> message is clear that it is the GPO that is blocking (when you do
> something
> that is blocked by gpo, it's always the same message....the policy on this
> system........).
>
> Of course, the application used to open our .tiff files is in the allowed
> list. I am used to those kind of problems and got through all the time
> except
> for this one. If I am right, if you block stuff, you are supposed to see
> in
> the event viewer what executable is blocked but on my ts server, I don't
> get
> any clues. I even used process explorer after deactivating the GPO to be
> sure
> I am allowing the right executables and everything is fine there.
>
> Is there a gpo tool you suggest me that will show me what process or
> executable is blocked by the gpo?
>
> Thanks

Hi Sleb,

Ok, sorry, I thought you may not have been aware of that. Here's an off the
wall thought, we had a problem with an AV last year that was blocking the
ability to save PPT and other office and other file types to a mapped drive,
but not locally. Disabling the AV allowed it to work. We contacted the
vendor. After some arguments and testing with their first level support
staff, it got escalated, etc, and after about a month or so, they came up
with an updated DLL that fixed it. I don;t know if it applies, and I assume
you have an AV running on it, and it's allowed in your GPO allowed list.
Just thought I would mention this.

I assume you ran an RSOP on the GPO to see what it's doing.

See if this guy's link helps out:
http://www.gpoguy.com/Free-Group-Policy-Tools.aspx


Ace
Re: gpo - run only allowed windows applications [message #163797 is a reply to message #163732] Mon, 08 June 2009 08:58 Go to previous messageGo to next message
Sleb  is currently offline Sleb
Messages: 18
Registered: August 2009
Junior Member
I will look at the anti-virus. Don't think it's that but worth the shot.

Yes RSOP have been used just to tell me what I already knew.

Thanks for the link. One of the tools is regarding GPO logging. Not sure it
will help me but worth a try. I also found other interesting tools that will
be helpful eventually so even if it doesn't help me on this particular
problem, it will help me with others.

I have seen somewhere a tool that does just that....tells you what process
the GPO is blocking. I don't remember the company and the name of the tool
though and not free. I was sure I was going to find a free tool so didn't
bother to take notes of this tool. I'm sure I'll remember and will probably
go there.

Thanks again for your time and for the free gpo tools link.

Regards

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Sleb" <Sleb@discussions.microsoft.com> wrote in message
> news:C5EB48B2-01C7-4537-A6BB-A1148AC1588A@microsoft.com...
> > Hi Ace. Thanks for your reply. I can tell you that it is not outlook that
> > prevents my .tiff files to open up (I am well aware of that outlook
> > attachment blocking). If I deactivate the GPO, everything is fine and the
> > message is clear that it is the GPO that is blocking (when you do
> > something
> > that is blocked by gpo, it's always the same message....the policy on this
> > system........).
> >
> > Of course, the application used to open our .tiff files is in the allowed
> > list. I am used to those kind of problems and got through all the time
> > except
> > for this one. If I am right, if you block stuff, you are supposed to see
> > in
> > the event viewer what executable is blocked but on my ts server, I don't
> > get
> > any clues. I even used process explorer after deactivating the GPO to be
> > sure
> > I am allowing the right executables and everything is fine there.
> >
> > Is there a gpo tool you suggest me that will show me what process or
> > executable is blocked by the gpo?
> >
> > Thanks
>
> Hi Sleb,
>
> Ok, sorry, I thought you may not have been aware of that. Here's an off the
> wall thought, we had a problem with an AV last year that was blocking the
> ability to save PPT and other office and other file types to a mapped drive,
> but not locally. Disabling the AV allowed it to work. We contacted the
> vendor. After some arguments and testing with their first level support
> staff, it got escalated, etc, and after about a month or so, they came up
> with an updated DLL that fixed it. I don;t know if it applies, and I assume
> you have an AV running on it, and it's allowed in your GPO allowed list.
> Just thought I would mention this.
>
> I assume you ran an RSOP on the GPO to see what it's doing.
>
> See if this guy's link helps out:
> http://www.gpoguy.com/Free-Group-Policy-Tools.aspx
>
>
> Ace
>
>
>
Re: gpo - run only allowed windows applications [message #163798 is a reply to message #163797] Mon, 08 June 2009 09:38 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Sleb" <Sleb@discussions.microsoft.com> wrote in message
news:3D8F67C9-B961-477D-9FAE-C3937E1535DE@microsoft.com...
>I will look at the anti-virus. Don't think it's that but worth the shot.
>
> Yes RSOP have been used just to tell me what I already knew.
>
> Thanks for the link. One of the tools is regarding GPO logging. Not sure
> it
> will help me but worth a try. I also found other interesting tools that
> will
> be helpful eventually so even if it doesn't help me on this particular
> problem, it will help me with others.
>
> I have seen somewhere a tool that does just that....tells you what process
> the GPO is blocking. I don't remember the company and the name of the tool
> though and not free. I was sure I was going to find a free tool so didn't
> bother to take notes of this tool. I'm sure I'll remember and will
> probably
> go there.
>
> Thanks again for your time and for the free gpo tools link.
>
> Regards

I remember something about that tool too, but I can't remember it's name.
When you remember, let me know.

And you're welcome for the links.

Ace
Re: gpo - run only allowed windows applications [message #163810 is a reply to message #163798] Mon, 08 June 2009 09:57 Go to previous messageGo to next message
Sleb  is currently offline Sleb
Messages: 18
Registered: August 2009
Junior Member
I got it. It is part of the troubleshooting pack of gpexpert. Here is the link;

http://www.sdmsoftware.com/products.php.

It is called group policy spy. I found it here;

http://x220.minasi.com/forum/topic.asp?TOPIC_ID=24179

Regards



"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Sleb" <Sleb@discussions.microsoft.com> wrote in message
> news:3D8F67C9-B961-477D-9FAE-C3937E1535DE@microsoft.com...
> >I will look at the anti-virus. Don't think it's that but worth the shot.
> >
> > Yes RSOP have been used just to tell me what I already knew.
> >
> > Thanks for the link. One of the tools is regarding GPO logging. Not sure
> > it
> > will help me but worth a try. I also found other interesting tools that
> > will
> > be helpful eventually so even if it doesn't help me on this particular
> > problem, it will help me with others.
> >
> > I have seen somewhere a tool that does just that....tells you what process
> > the GPO is blocking. I don't remember the company and the name of the tool
> > though and not free. I was sure I was going to find a free tool so didn't
> > bother to take notes of this tool. I'm sure I'll remember and will
> > probably
> > go there.
> >
> > Thanks again for your time and for the free gpo tools link.
> >
> > Regards
>
> I remember something about that tool too, but I can't remember it's name.
> When you remember, let me know.
>
> And you're welcome for the links.
>
> Ace
>
>
>
>
Re: gpo - run only allowed windows applications [message #163814 is a reply to message #163810] Mon, 08 June 2009 10:28 Go to previous message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Sleb" <Sleb@discussions.microsoft.com> wrote in message
news:13E27137-BF67-4114-9AD3-834A9604BF80@microsoft.com...
>I got it. It is part of the troubleshooting pack of gpexpert. Here is the
>link;
>
> http://www.sdmsoftware.com/products.php.
>
> It is called group policy spy. I found it here;
>
> http://x220.minasi.com/forum/topic.asp?TOPIC_ID=24179
>
> Regards

Ahh yes, by Mark Minasi! Thanks, Sleb!

Ace
Previous Topic:Server Roles & Office Split
Next Topic:sys log
Goto Forum:
  


Current Time: Tue Aug 22 03:13:10 EDT 2017

Total time taken to generate the page: 0.04894 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software