Remotely remove programs from PCs on domain, non-interactively?



Chilling_Silence
14-10-2010, 03:07 PM
Hi all,

So far as part of a clean-up of software on the domain, we've been using VNC to log in to a user's workstation and Add / Remove programs.

It's not bad, but it's not ideal. It means they're off their machine for XYZ amount of time while we operate, we've got to have them stop doing what they're doing and close everything down to log off...

Is there a way to remotely administer and remove applications, mostly from XP machines, with a sprinkling of Windows 7?

It's just we're now getting users watching us remotely and they ring us and say "Hey why are you removing that"
"Because, it's not a standard piece of software"
"But it's free?!"
"But we don't care ..."

Unfortunately is the stance we've had to take with some software.

Any thoughts / comments / suggestions appreciated.

Thanks


Chill.

1101
14-10-2010, 03:45 PM
If you use RDC they can't watch what you're up to.

interesting
http://community.spiceworks.com/how_to/show/179
http://msforums.ph/forums/t/48673.aspx

You will need to lock down the workstations after, as they will just re-install.
I would also print out a Computer Usage Policy, get them all to read & sign it (will need management approval). You need this to deal with employees who continue to treat the PC as a toy.

wainuitech
14-10-2010, 04:37 PM
print out a Computer Usage Policy, get them all to read & sign it(will need management approval) You need this to deal with employees who continue to treat the PC as a toy.

Good idea there. While doing the clean out, change the permissions so they can't install programs; only people with full admin rights can.

As for people watching --- Some places do it in OT when the users are not there.

Several years ago we had 5 of us doing a few tasks on a Saturday - around 50 PCs needed changing / upgrading. Even got free KFC from the boss for lunch, don't know if that was a reward or punishment :lol:

Battleneter2
14-10-2010, 04:38 PM
Hi all,

So far as part of a clean-up of software on the domain, we've been using VNC to log in to a user's workstation and Add / Remove programs.

It's not bad, but it's not ideal. It means they're off their machine for XYZ amount of time while we operate, we've got to have them stop doing what they're doing and close everything down to log off...

Is there a way to remotely administer and remove applications, mostly from XP machines, with a sprinkling of Windows 7?

It's just we're now getting users watching us remotely and they ring us and say "Hey why are you removing that"
"Because, it's not a standard piece of software"
"But it's free?!"
"But we don't care ..."

Unfortunately is the stance we've had to take with some software.

Any thoughts / comments / suggestions appreciated.

Thanks


Chill.




You could use the psexec tool from Sysinternals to trigger an msiexec /x silent remote uninstall AS LONG as the app was packaged as an MSI.

It boils down to the apps, and there is some poorly written junk out there; some you can do a silent install or uninstall, others you can't. Some apps are profile specific and need the user to log off to complete etc.

Common corporate tools I have used include SMS, SCCM and Altiris. All are very powerful fleet managers.

Also there are a few XP/Win7 hacks you can do to log on as a second user in a "separate session", leaving the user unaware you are on doing stuff. Not sure about this solution in a business environment :P




SolMiester
14-10-2010, 04:49 PM
Workstations aren't set up for multiple connections such as terminal services, so unless you use RDP and swipe the session, then yeah, they get to see, AFAIK!

Battleneter2
14-10-2010, 04:53 PM
Workstations aren't set up for multiple connections such as terminal services, so unless you use RDP and swipe the session, then yeah, they get to see, AFAIK!

You can make modifications to any Windows XP or Windows7/Vista OS to allow multi session, out of the box definitely not.

Deimos
14-10-2010, 07:08 PM
Windows Vista/7 has PowerShell, which can do anything (as far as I know). How to use it remotely and to install/uninstall apps is a mystery to me (never really looked into it), but AFAIK it can be done.

fred_fish
14-10-2010, 09:53 PM
ssh root@userbox aptitude purge badapp
Oh...windows...bugger :)

Chilling_Silence
15-10-2010, 07:08 AM
Haha yeah it'd be so much easier in Linux ...

I wondered about configuring RDP so that it locks the screen and logs me in, though it'd be nice if they were able to continue working.

This is all in preparation for removing a lot of administrative rights. Almost all staff have installed something on their machines (myself included, but when you work in IT, you get to bend the IT rules a little ... like Chrome!), even though it's in the IT Policy everybody signs when they join the company saying they won't install apps. It's just easier not to have to go over all that with a few hundred people again. A mass-email would help, but we've found mostly people *know* what's going on, they just want to vent :p

inphinity
15-10-2010, 07:15 AM
PowerShell is your friend, though if you don't have PowerShell 2.0 installed on the XP machines already, then the above-mentioned psexec is probably your best bet.

If you do have psh though, you can just write a little script to grab the UninstallString from HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall for any apps you want to uninstall, and execute that string remotely.

Some apps, though, may not support silent uninstalls, so it's going to vary a little depending on what specifically you're uninstalling.
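
Added example (not part of the original post, and not code from anyone in this thread): a PowerShell 2.0 script that reads the Uninstall entries described above, but for MSI products builds the `msiexec /x ... /qn` command mentioned earlier in the thread from the validated product code instead of executing the stored string as an administrator. Entries with no MSI product code are only reported. The function names, sample entries and host name are hypothetical.

```powershell
# Added example, PowerShell 2.0 syntax. Function names, sample entries and host name are hypothetical.
function Get-SilentUninstallPlan {
    param($Entry)
    $guid = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $plan = New-Object PSObject -Property @{
        Name = $Entry.DisplayName; Kind = 'Manual'; Arguments = $null; Stored = $Entry.UninstallString }
    if ($Entry.UninstallString -match '(?i)msiexec' -and $Entry.UninstallString -match $guid) {
        # MSI product: drop the stored string and pass only the validated product code to msiexec
        $plan.Kind = 'Msi'; $plan.Arguments = "/x $($Matches[0]) /qn /norestart"
    } elseif ($Entry.QuietUninstallString) {
        # Vendor-supplied silent command: reported for review, never run automatically here
        $plan.Kind = 'Quiet'; $plan.Stored = $Entry.QuietUninstallString
    }
    $plan
}

function Invoke-RemoteMsiUninstall {
    param([string[]]$ComputerName, [string]$NamePattern, [switch]$Execute)
    # Ship the planner's body as text; the remote session rebuilds it as a script block
    $plannerText = ${function:Get-SilentUninstallPlan}.ToString()
    Invoke-Command -ComputerName $ComputerName -ArgumentList $plannerText, $NamePattern, $Execute.IsPresent -ScriptBlock {
        param($plannerText, $pattern, $execute)
        $planner = [scriptblock]::Create($plannerText)
        $roots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit apps on x64
        Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $pattern } |
            ForEach-Object {
                $p = & $planner $_
                if ($execute -and $p.Kind -eq 'Msi') {
                    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $p.Arguments -Wait -PassThru
                    $p | Add-Member -MemberType NoteProperty -Name ExitCode -Value $proc.ExitCode
                }
                $p   # one record per matching entry, for the change log
            }
    }
}

# Constructed entries shaped like Get-ItemProperty output, so the planner can be checked offline
$sample = @(
    (New-Object PSObject -Property @{ DisplayName = 'Example Toolbar'
        UninstallString = 'MsiExec.exe /I{11111111-2222-3333-4444-555555555555}' }),
    (New-Object PSObject -Property @{ DisplayName = 'Example Player'
        UninstallString = '"C:\Example\unins000.exe"'; QuietUninstallString = '"C:\Example\unins000.exe" /SILENT' }),
    (New-Object PSObject -Property @{ DisplayName = 'Example Game'; UninstallString = 'C:\Example\remove.exe' })
)
$sample | ForEach-Object { Get-SilentUninstallPlan $_ } | Format-Table Name, Kind, Arguments -AutoSize
# Dry run on a real host (add -Execute to uninstall): Invoke-RemoteMsiUninstall -ComputerName PC-EXAMPLE01 -NamePattern 'Example Toolbar*'
```

MSI entries frequently store `MsiExec.exe /I{...}`, which opens the maintenance dialog rather than uninstalling, so rebuilding the command with `/x` and `/qn` is needed for a non-interactive removal anyway.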

SolMiester
15-10-2010, 07:17 AM
You can make modifications to any Windows XP or Windows7/Vista OS to allow multi session, out of the box definitely not.

Yes, I did so recently with Vista Premium with a staff member's home PC, they wanted remote desktop. It did work to a point, but the hack doesn't change the registry for multi user hive and keys and therefore isn't as stable, certainly not a business production solution and most certainly not supported by MS.

Chilling_Silence
15-10-2010, 08:48 AM
Yeah I've gotta wonder about the legalities of it, that's my issue now I guess :(

Found which bytes to patch in the termsrv.dll file, did that, made a couple of registry changes on a test machine and pushed out the dll. It let me login remotely via RDP which would disconnect the user from their session on the console, which I guess is ideal. Means that the user wouldn't have to shut down all their work / email / documents / browsers etc, and I could login as an administrative user, do my thing, then they log back in.

Thing is with VNC right now, if they were clever, they'd just yank the cable outta the back of the PC while we're logged in as an administrative user. Nothing we can do to prevent that, and it means if they plug in their machine an hour or two later when we're off having lunch / coffee, they've got access to do whatever the hell they like ... So yeah, RDP certainly seems like the more appropriate way to go ;)

SolMiester
15-10-2010, 09:15 AM
Yeah I've gotta wonder about the legalities of it, that's my issue now I guess :(

Found which bytes to patch in the termsrv.dll file, did that, made a couple of registry changes on a test machine and pushed out the dll. It let me login remotely via RDP which would disconnect the user from their session on the console, which I guess is ideal. Means that the user wouldn't have to shut down all their work / email / documents / browsers etc, and I could login as an administrative user, do my thing, then they log back in.

Thing is with VNC right now, if they were clever, they'd just yank the cable outta the back of the PC while we're logged in as an administrative user. Nothing we can do to prevent that, and it means if they plug in their machine an hour or two later when we're off having lunch / coffee, they've got access to do whatever the hell they like ... So yeah, RDP certainly seems like the more appropriate way to go ;)

Yeah, but if they have limited access, any work you do will be run as administrator, so they can't undo the work anyway. I don't use VNC that much, is there not a setting which blanks for local user while you are connected?

Chilling_Silence
15-10-2010, 09:46 AM
Yeah but we have to log them out in order to login as Administrator and access the Control Panel --> Add / Remove Programs. So, if they pull the LAN cable while we're logged in as Administrator, that releases the "block local input" restriction and they're free to do as they like :D

SolMiester
15-10-2010, 10:00 AM
Yeah but we have to log them out in order to login as Administrator and access the Control Panel --> Add / Remove Programs. So, if they pull the LAN cable while we're logged in as Administrator, that releases the "block local input" restriction and they're free to do as they like :D

OMG, you have users that would pull the LAN cable?....LMAO....Not sure how to reply to that.....To what end, if they plug it back in, you could easily throw them off the network, you just fire their sorry ass!

Chilling_Silence
15-10-2010, 10:11 AM
Yeah I know it's not likely, but it's still a security issue nonetheless ;)

Plausible, not probable...

SolMiester
15-10-2010, 10:56 AM
Yeah I know it's not likely, but it's still a security issue nonetheless ;)

Plausible, not probable...

I'm actually CNE for Novell, well, I was about 8 yrs ago. Back then we had DNS (original AD) and a great app called ZEN (Zero Effort Networking). From within NDS you could create deliverable apps which you could simply associate with various users\groups, they would refresh the delivery shell and hey presto, new app, double click and it installs the file and reg setting etc, all from the IT helpdesk. As we didn't use domains, the local administrator account logged in with the Novell client and we control the NT right and control panel etc thru ZEN....
In all my time with AD since, I have yet to come across such a great tool for networks....

Chilling_Silence
15-10-2010, 12:04 PM
Ghost Corporate was able to do stuff like that. I used it when I was working at PCWorld some 8 years ago now in a trial / testing phase, though I'm not sure it was ever commissioned.

It was great, it would snap-shot your PC and the files / registry, and allow you to do remote deployment by simply assigning a whole lot of groups to the PC within its own admin utility. Didn't require you to touch the machine, ever, you could deploy the tiny 'agent' remotely as well.
Best part was it packaged everything as standalone .exe files which could manually be copied / run anywhere if you so-desired. They could also be removed remotely too... Completely non-interactively!

It was so freakin cool!!

SolMiester
15-10-2010, 12:08 PM
Ghost Corporate was able to do stuff like that. I used it when I was working at PCWorld some 8 years ago now in a trial / testing phase, though I'm not sure it was ever commissioned.

It was great, it would snap-shot your PC and the files / registry, and allow you to do remote deployment by simply assigning a whole lot of groups to the PC within its own admin utility. Didn't require you to touch the machine, ever, you could deploy the tiny 'agent' remotely as well.
Best part was it packaged everything as standalone .exe files which could manually be copied / run anywhere if you so-desired. They could also be removed remotely too... Completely non-interactively!

It was so freakin cool!!

Yes, ZEN did exactly that back in 98..very cool product....AD is a very poor substitute!

Chilling_Silence
15-10-2010, 12:43 PM
Indeed :(

ronyville
15-10-2010, 03:01 PM
Does your workplace have a domain? If you do, then by default users should not have admin rights to install anything on the computers. I had a similar experience when I started work at my current workplace. All computers are part of the domain but users had admin rights and installed whatever they wanted. So during Xmas that year, I went around to all the 120 PCs and removed everyone from the admin group and uninstalled all the crapware. Now when they call us to install any software on the computers, we ask them if it's work related. 99.99% of the time it's not, so we just tell them: sorry, can't do.

Chilling_Silence
15-10-2010, 03:22 PM
Yeah, that's what's going on right now, removing admin rights ... It's a long process though, we don't wanna break any of their required business applications, not to mention as you mentioned there's a ton of crapware on people's PCs :D