Allow or prevent the installing of a RIS image by a user or group

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To allow or prevent the installing of a RIS image by a user or group

  1. Open Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, right-click the applicable Remote Installation Services (RIS) server.

    Where?

    • Active Directory Users and Computers/Applicable domain/Applicable organizational unit (such as Computers)/Applicable RIS server
  4. Click Properties.

  5. In the Properties dialog box, click the Remote Install tab, and then click Advanced Settings.

  6. In the Remote Installation Services Properties dialog box, click the Images tab.

  7. In the Images dialog box, click the installation image that you want to add or remove from the choices available to a user or group, and then click Properties.

  8. Click Permissions.

  9. Click the Security tab and do one of the following:

    • To make this installation image available to a group or user that does not appear in the Group or user names box, click Add. In Select Users, Computers, or Groups, type the name of the group or user, click OK, and then click the name of the group you just added.

    • To check or change the permissions of this installation image for an existing group or user, click the name of the group or user.

    Important

    • The Group or user names box always includes SYSTEM. Do not remove this entry, and do not change the permissions on it. This entry is necessary for RIS.
  10. Do one of the following:

    • To prevent the selected group or user from installing this image, click Remove.

    • To allow the selected group or user to install this image, under Allow, ensure that Read & Execute and Read are selected.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. For information about assigning appropriate permissions so that a RIS administrator who is not a member of these groups can perform this procedure, see Related Topics.

  • This topic does not apply to Windows Server 2003, Web Edition.

  • To open Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK. For information about creating a shortcut so you can easily open Active Directory Users and Computers with runas, see Related Topics.

  • For information about creating new installation images, see Related Topics.

  • Authenticated Users appears by default in Group or user names. This means that all authenticated users can install a RIS image. To allow a more limited group (instead of all authenticated users) to install a RIS image, add the appropriate group and allow the permissions described in this procedure. Click Authenticated Users, and then click Remove.

  • With products in the Windows Server 2003 family, Authenticated Users does not by default contain anonymous users or guests. The Everyone group contains guests. As described in this procedure, it is recommended that you exclude Everyone from the list of groups for which permissions are assigned on the RIS image, and use Authenticated Users or a more restricted group for assigning these permissions. For more information about differences in default security settings for groups such as Authenticated Users (as compared to the settings in earlier operating systems), see Related Topics.

  • If you leave SYSTEM but remove all other names from Group or user names, no one will be able to perform remote installations with this image.

  • If you previously restricted permissions on the folder and subfolders containing the image, you must adjust those permissions, not just the permissions described in this procedure, to allow intended users to install the image. For instructions on how to do this, see the topic about allowing the viewing and installing of a RIS image in Related Topics.

  • Setting permissions as described in this procedure affects the user's ability only to install a particular RIS image. For information about how to exert greater control and affect not only the user's ability to install a particular RIS image, but also the user's ability to see the files in that image, see Related Topics. To prevent confusion, once you have chosen a particular approach, it is recommended that you continue to use that approach whenever modifying permissions for images.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Add RIS Client Installation Images
Create a Remote Installation Preparation Wizard image
Choosing appropriate group memberships for RIS administrators
Manage Security for Remote Installation Services
Allow or prevent the viewing and installing of a RIS image by a user or group
Differences in default security settings
Create a shortcut using the runas command