Announcement

Collapse
No announcement yet.

Software restriction???

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Software restriction???

    Hi guy's

    I've been searching on this but can't seem to find anything.

    I'd like to create 1 ghost image with all the software that we use, this image owuld be use on hundreds of pc i would then like to restric the access to certain software depending if the user has a licence or not.

    I dont know if it's clear,

    If anyone has done this or know if it can be done and can help me or point me to where i should look it would be really appreicated.

    Thanks

    Rafale

  • #2
    Re: Software restriction???

    Originally posted by rafale View Post
    Hi guy's

    I've been searching on this but can't seem to find anything.

    I'd like to create 1 ghost image with all the software that we use, this image owuld be use on hundreds of pc i would then like to restric the access to certain software depending if the user has a licence or not.

    I dont know if it's clear,

    If anyone has done this or know if it can be done and can help me or point me to where i should look it would be really appreicated.

    Thanks

    Rafale
    Is this an Active Directory environment? I imagine that you could create a rather circuitous way of doing that with application restriction rules using paths or hashes, global groups, and "Apply Group Policy" permissions, but that could get messy quickly.

    The question "Why are you trying to do this?" comes to my mind. Is it just to make image management or software deployment easier? If it's the former, look into better imaging software. If it's the latter, look into using Active Directory to deploy software or SCCM (Either the leaner "Essentials" version or the full product). If this is a business that has 100s of computers, surely they can budget for a serious systems management suite... unless it's a school.

    Can you give us some more information about your situation?
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

    Comment


    • #3
      Re: Software restriction???

      Hi Nonapeptide

      Thanks for your answer.

      I guess i forgot to say that all pc are winxp sp2 connecting to winserv er 2003

      I said hundreds just as a ball park figure but it's more like 3000 pc...

      I'm new with AD, GPO etc but i think i read somewhere awhile back that this is something that can be done, but i can be wrong.

      Having over 3000 pc with different software install on it, what i would like to do, let me know if i am dreaming.

      I would like to create only 1 image for all of the pc with all of the most use software we have.

      Here's where i dont know if it can be done, i would like to create different group in AD with different access right, example when a user from GROUP A login on a pc he has access to software 1,2 and 3 when another user who is in GROUP B login on the same pc he has access to software 1,4,5,6

      There is many reason why i think it would be good to do this like not having to install software after the pc is ghosted, it would also makes it easier to control our software licence inventory, etc

      Thanks for the help

      Rafale

      Comment


      • #4
        Re: Software restriction???

        The short story: Yes, it is theoretically possible.

        The long story: You're asking for trouble.

        Seriously, with 3,000 PCs (and I'm assuming an equal number of users) you're going to run into some scaling issues. Is this one domain or multiple domains? Are we talking multiple forests as well?

        Off the top of my head: You could create a default software restriction policy to deny all software. Then create hash rules for each software title. Allow each software title to be used on a user's computer by creating a GPO with that Allow Hash rule and then only granting a certain global group (presumable given the name of the software title, like 'GGPhotoshopCS3") the Allow Read and Allow Apply rights to the GPO itself. At least, I think that would work.

        However, that would create quite a quagmire of groups and GPOs. You would definitely want to make sure you have a very, very good documentation system and train your staff to make use of it. I prefer to use a wiki.

        I know that the idea of having one image is quite alluring and the need to track licenses is paramount. However, I'm certain that there are better ways of managing software licenses that will save you time and headaches. Take a look at SCCM 2007, HP OpenView, or some other major technology management system (ZenWorks and Tivoli come to my mind as well). FYI, if you ever get audited by the Software Piracy Association (or something similar) they won't care one bit about your Active Directory scheme. They need hard evidence... the kind that you can only get from a system like OpenView's Asset Management system.
        Last edited by Nonapeptide; 9th July 2008, 04:30.
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

        Comment


        • #5
          Re: Software restriction???

          If you MUST go the "Ghost Image" route, make absolutely sure that your base PC, the one you image from, is SYSPREPped before you image it... otherwise you will have an absolute NIGHTMARE when you restore a few hundred machines on different subnets all with the same SID. This has the added advantage that different hardware will to an extent be supported.

          Also, never, EVER, under ANY circumstances, GHOST a server - use a server image management product like Altiris or Windows' own built in deployment services. It may sound theoretically OK, but believe me you are buying trouble with a capital TROUBLE if you ghost servers.


          Tom
          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

          Anything you say will be misquoted and used against you

          Comment


          • #6
            Re: Software restriction???

            You could have a look at the Altiris Deployment Solution
            We are going to start using it through the summer. It'll mean a lot of prep work to create all the application layers using SVS for the software deployment side, but once it's done you can assign a specific package to a specific desktop through a management console and completely detach the application layers from the OS.
            Originally posted by Nonapeptide View Post
            If this is a business that has 100s of computers, surely they can budget for a serious systems management suite... unless it's a school.
            Quite fortunate to work in a school!!!

            Cheers
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR

            Comment


            • #7
              Re: Software restriction???



              Originally posted by Stonelaughter View Post
              Also, never, EVER, under ANY circumstances, GHOST a server - use a server image management product like Altiris or Windows' own built in deployment services. It may sound theoretically OK, but believe me you are buying trouble with a capital TROUBLE if you ghost servers.
              Now you tell me.
              Wesley David
              LinkedIn | Careers 2.0
              -------------------------------
              Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
              Vendor Neutral Certifications: CWNA
              Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
              Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

              Comment

              Working...
              X