Running a Domain

A guide for domain administrators

Running a Domain?

As a domain administrator, you may want to restrict the permissions that domain users have on their local machines. In these cases, it can be difficult to manage installation and updates for software that you want to allow users to run. When Dezrez deploy an update, end users may not be able to fully install it due to these account restrictions.

IMPORTANT: This guide covers making changes to a Group Policy Object (GPO). If you use the domain default GPO, all machines and users in the domain will be affected.

Software Restriction Policy

The first step is to use the Software Restriction Policy in your domain to allow MSIs to run, provided they are signed with the Dezrez software publishing certificate. Also change the Windows Installer setting to allow approved MSIs to be run in elevated mode.

  • Path Rule: Disallow *.MSI
  • Certificate Rule: Dezrez Services Ltd. Certificate – Unrestricted

NOTE: If you do not want this setting to apply to local administrators, select “Software Restriction Policy” in the tree view, and select the “Enforcement” option. Change the setting “Apply software restriction policies to the following users” to “All users except local administrators”.

Windows Installer Service

The Windows Installer Service must be run in an elevated state. This GPO change must be applied to both User and Computer objects in order to be effective. You may have to link the GPO to multiple Organisational Units (OUs) in order to achieve this.

  • Firstly, open the Group Policy Editor, and edit the Group Policy you wish to change. Please note, this setting needs to be changed in two places in order to take effect for users: one setting in “Computer Configuration” and another in “User Configuration”.
  • Expand “Computer Configuration” > “Administrative Templates” > “Windows Components” and select “Windows Installer”. Locate the setting called “Always install with elevated privileges” and choose Enable.
  • Expand “User Configuration” > “Administrative Templates” > “Windows Components” and select “Windows Installer”. Locate the setting called “Always install with elevated privileges” and choose Enable.
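
With both settings enabled, Windows Installer runs MSI packages with elevated privileges for standard users, so the Software Restriction Policy rules are what keep that limited to the signed Dezrez packages. The PowerShell below is an added example, not Dezrez code: it reports the two policy values on a client and checks an MSI's signer against the certificate trusted in the certificate rule. The MSI path and thumbprint are placeholders to replace with your own values.

```powershell
# Added example (not vendor code). Run as the affected user: the HKCU value is per-user.
param(
    [string]$MsiPath = 'C:\Temp\PLACEHOLDER.msi',                  # hypothetical path
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-PUBLISHER-CERT>' # placeholder: certificate used in your SRP rule
)

function Get-AlwaysInstallElevated {
    # Both GPO settings are stored as the DWORD value AlwaysInstallElevated.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive    = $hive
            Enabled = ($null -ne $item -and $item.AlwaysInstallElevated -eq 1)
        }
    }
}

function Test-MsiSigner {
    param([string]$Path, [string]$Thumbprint)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Require a signature that validates and a signer matching the trusted certificate.
    ($sig.Status -eq 'Valid') -and ($null -ne $sig.SignerCertificate) -and
        ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
}

$policy = @(Get-AlwaysInstallElevated)
$policy | Format-Table -AutoSize | Out-String | Write-Host

$enabledCount = @($policy | Where-Object { $_.Enabled }).Count
switch ($enabledCount) {
    2 { Write-Host 'Elevated MSI installs are active for this user on this machine.' }
    1 { Write-Warning 'Only one of the two settings is enabled; elevated installs will not take effect.' }
    0 { Write-Host 'Neither setting is enabled here; check that the GPO is linked to the right OUs.' }
}

if (Test-MsiSigner -Path $MsiPath -Thumbprint $ExpectedThumbprint) {
    Write-Host "$MsiPath is validly signed by the expected certificate."
} else {
    Write-Warning "$MsiPath is missing, unsigned, invalid, or signed by a different certificate."
}
```

If the report shows elevated installs active on a machine where the Software Restriction Policy is not applied, review the GPO links before leaving the setting enabled there.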

Folder & Registry Permissions

Some folders and registry keys require certain permissions in order for the software to function. The specific areas and the access each one needs are listed below:

Folder Access (Full Control required)

  • %HOMEDRIVE%\Program Files\DezRez OffLine Editor
  • %HOMEDRIVE%\ProgramData\Dezrez
  • %HOMEDRIVE%\ProgramData\DezrezEAssistData
  • The “Dezrez” subfolder of the My Documents location

Folder Access (Read Execute required)

  • %HOMEDRIVE%\Windows\System32
  • %HOMEDRIVE%\Windows\SysWOW64

Registry Access (Read Write required)

  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings (including subkeys)

DISCLAIMER: The information in this article and download guide is provided without any warranty of any kind whatsoever. By accessing / downloading this service, you agree that Dezrez Services Ltd. will not be liable for any expenses, losses or costs that may be incurred by the interpretation and use of the information in this article, nor as a result of the information in this article being inaccurate or incomplete in any way.