
Thread: Win2003 ad, getting rid of that pesky msnmessenger.

  1. #1
    Senior Member
    Join Date
    Feb 2004
    Posts
    270

    Win2003 ad, getting rid of that pesky msnmessenger.

    I am doing an Information and Communications study (4 years). Very interesting and all.

    At the moment I am in one of two periods of 20 weeks where I get to put theory to practice. In my case I am employed in an umbrella of 5 schools (age group 3 to 13), with none of them more than 100 attendants.

    I found AO at the start of my study, and it has been a wonderful place to be. Now that I am "doing" things I also find all the nice/strange/stupid problems an admin faces every day. I am learning more than I ever thought I would. But I'm also running into things I can't fix.

    One of those is MSN messenger. All the schools have a policy that there will be no chatting allowed. But the damn thing keeps getting installed and used. I can't figure out who is doing it because the login for everybody is exactly the same.

    Leerling(student)

    Sometimes not even a password has to be provided. But let's not discuss the security practices. Believe me when I say I would like to change it but because of the situation can't.

    The AD luckily allows me to disable the default messenger in Windows, but the students don't care about that anyway. I can however not find an option to disallow the use of MSN Messenger. Blocking ports on the very limited NAT of the router to the ISP for the service did not help. I think it creates an HTTP tunnel but I am not sure. Anyway, I don't think that with my resources I can block or redirect that tunnel.

    A crude hack for login scripts that I thought up didn't help either. The program starts before the script gets executed, so the automated deinstall won't help. Nor can I simply deltree the folder. Trying to stop the program before deinstalling gets me an RPC error.

    I'm sure one of you guys has had some xp with this, and I would really like some help now.

    ----

    On all the locations the setup is comparable to this:

    A Win 2000 or 2003 server provides file and printer sharing. It holds an AD with only a very simple login system for the students. Somewhere else in the network an Alcatel speed touch 510 provides internet access. The DNS runs through there. At first the DHCP server was located there too, but in two cases I moved it to the servers. (A whole new story in itself.)

    There are no subnets in place. It's actually all plugged into a central switch and people hope it works, and if it doesn't I get to fix it. When things get out of hand a support company can come in.

    -----

    P.s.

    In light of this huge post I made: in two (soon to be three) locations I have replaced old servers with new ones (2003 server). I know the setup of those locations very well now. The others are more or less unknown, but from what I have seen it's the same. The schools run on a minimal budget and none of that budget is in my hands. The computers differ from top of the line stuff to old Pentium Pros that are on their last legs. The networks are complete crap at times. When installing the new servers the support company (who also provide the computers now, which I am damn grateful for) got someone to help me out. He had some more experience with the network and showed me what was hidden in some of the patch closets. They had connected two PCs through one patch cable. I have no problem in telling you I'm only 18 and admitting that I am only beginning to get my ears wet, but I had no idea that was even possible and I am still wondering what that will do to network performance.

    Anyway, are there any nice things I could try out implementing or experimenting with on these networks? (Spare PCs and such are no problem.)


    (edited for spelling and grammar)
    Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    This might be relevant, be sure to read it all the way through

    http://forums.betarun.net/showthread-18.html

    Remember that the messenger service and MSN Messenger are different.

    Good luck

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    We use an enterprise protocol analyzer to nuke the chat mediums we don't want used. In my case, I use Websense.

    If you have AD, you can certainly carve up a few policies to deter most people. The problem with this approach is that if you block the MSN Messenger exe, all I have to do is rename it to an allowed exe and I'm right back in business.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    Shameless bump.

    Just today did I get enough time away from pressing matters to play with the group policy.

    Worked like a charm. TheHorse may be right about renaming the .exe to something that is allowed, but these kids don't know that.... YET anyway.

    (I know the difference between messenger and messenger service; good old net send, I wrote a spoof for that once.)

    ----
    Small HowTo: Blocking and Deinstalling MSN Messenger through Group Policies and startup scripts
    ----

    1. Open Active Directory Users and Computers.

    2. In the console tree, right-click the Group Policy object (GPO) that you want to open software restriction policies for.

    3. Click Properties, and then click the Group Policy tab.

    4. Click Edit to open the GPO that you want to edit. You can also click New to create a new GPO, and then click Edit.

    5. In the console tree, click Software Restriction Policies.

    6. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.

    7. In Path, type or copy-paste the following without quotes: "%programfiles%\MSN Messenger\*.exe"

    8. In Security level, click Disallowed.

    9. In Description, type a description for this rule, and then click OK.

    No more MSN Messenger starting from the default MSN Messenger folder. This does mean that when the folder name is changed MSN will happily start running.

    Also, to deinstall MSN Messenger from the PC completely I wrote the following batch lines, which if you do use a batch startup script can easily be appended to said script.


    Code:
    REM If the MSN Messenger folder exists, run the MSN Messenger deinstaller
    if exist "C:\Program Files\MSN Messenger" RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnmsn.inf,BLC.Remove

    REM If the folder is still there afterwards, remove it and its contents
    if exist "C:\Program Files\MSN Messenger" rd /s /q "C:\Program Files\MSN Messenger"

    This checks for an MSN Messenger folder in Program Files and if it finds one runs the MSN Messenger deinstaller.

    After that has been done it checks to see if the folder is gone and if not removes it and its contents altogether.

    Use this script at your own risk since the rd command can cause serious havoc if used wrong.

    [edit]Step-by-step instructions jacked shamelessly from the Microsoft site here: http://www.microsoft.com/technet/pro...fea19ed9b.mspx
    [/edit]
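An added example, not part of the original posts: a simplified Python model of how a software restriction path rule such as the one in step 7 decides, compared with a hash rule, to show why the path rule stops matching once the folder is renamed. The file names, the stand-in file content and the use of SHA-256 are assumptions made for the illustration; it does not reproduce the real policy engine.

```python
import fnmatch
import hashlib
import ntpath

# Constructed environment used to expand %programfiles% in path rules.
ENV = {"programfiles": r"C:\Program Files"}

def expand(pattern):
    """Expand %var% references, as the path rule in the how-to relies on."""
    for name, value in ENV.items():
        pattern = pattern.replace("%" + name + "%", value)
    return pattern

def digest(content):
    # SHA-256 is a stand-in here for whatever hash the policy engine uses.
    return hashlib.sha256(content).hexdigest()

def evaluate(path, content, path_rules=(), hash_rules=()):
    """Return 'Disallowed' if a rule matches, else the default 'Unrestricted'."""
    # A hash rule identifies the file by content: name and folder do not matter.
    if digest(content) in hash_rules:
        return "Disallowed"
    # A path rule only looks at where the file sits (case-insensitive on Windows).
    for rule in path_rules:
        if fnmatch.fnmatchcase(ntpath.normcase(path),
                               ntpath.normcase(expand(rule))):
            return "Disallowed"
    return "Unrestricted"

# Constructed sample data: a stand-in binary and two hypothetical locations.
BINARY = b"constructed stand-in for the messenger executable"
PATH_RULES = [r"%programfiles%\MSN Messenger\*.exe"]
HASH_RULES = {digest(BINARY)}
DEFAULT = r"C:\Program Files\MSN Messenger\chat.exe"
RENAMED = r"C:\Program Files\Homework\chat.exe"

def demo():
    return {
        "path rule, default folder": evaluate(DEFAULT, BINARY, PATH_RULES),
        "path rule, renamed folder": evaluate(RENAMED, BINARY, PATH_RULES),
        "hash rule, renamed folder": evaluate(RENAMED, BINARY, hash_rules=HASH_RULES),
        # A new build has different bytes, so the old hash rule no longer applies.
        "hash rule, new build": evaluate(DEFAULT, BINARY + b" v2", hash_rules=HASH_RULES),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

In this model a hash rule survives a rename but has to be refreshed whenever the program is updated, so the two rule types cover each other's gap.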
