Managing ActiveX Components within an enterprise sometimes can be a pain. Users with standard user privileges by default can’t install ActiveX components, hence whenever a larger group of users require an ActiveX component you usually end up creating a software package and distribute it via Software Distribution or you provide them with temporary Administrative rights. But if the clients are running Windows Vista or Windows 7 there is another solution available I noticed many people aren’t aware of, hence that’s why I am writing this article.
The Solution is the Windows ActiveX Installer Service. Using the Windows ActiveX Installer Service allows Enterprise Administrators to manage the deployment of ActiveX controls through Group Policy Settings. On Windows Vista the ActiveX Installer Service is not installed by default but can be added as a feature. On Windows 7 the Service is installed by default.
Configuring the ActiveX Installer Service through Group Policy can be done in two ways. Either by specifying the ActiveX Control installation URL or by configuring trusted sites. I am going to use the first option to demonstrate the configuration and behavior of the ActiveX Installer Service.
Most of you will be familiar with the Microsoft Connect, MSDN Subscriber Download or TechNet subscriber download Site that uses the File Transfer Manager for downloading content. When trying to download content from one of the above mentioned web sites for the first time with a standard user you will be prompted with a message as shown in the picture below.
But as soon as you allow the Add-on to be installed, you will be prompted to provide a user name and password of a user that has administrative privileges to allow the installation to continue.
This is what would happen in an enterprise environment where users access a website that requires the installation of an ActiveX control. So let’s create a Group Policy that allows the installation of the Microsoft File Transfer Manager through the ActiveX Installer Service.
First we need to know the URL that points to the ActiveX Control installation file, which is usually a CAB file but can be an OCX or DLL file as well. To find out the URL of the Microsoft File Transfer Manager I open the web site’s source and search for the word “CODEBASE”.
Now that I know the location that points to the CAB file, I open the Group Policy Management Console and create a new GPO called GPO_ActiveX_Management. Within the new created GPO I navigate to the ActiveX Installer Service which is located under Computer Configuration, Policies, Administrative Templates, Windows Components.
I then enable the "Approved Installation Sites for ActiveX Controls” setting and add the Site name https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab and set the Installation control value to 2,1,1,0.
To ensure that the GPO settings is applied to my client I run GPUPDATE at the command prompt. Now when i launch the website again that tries to install the Microsoft File Transfer Manager there is no User Account Control prompt anymore, this because i have now configured this site as an approved site to install an ActiveX control.
When opening the Services list within the Microsoft Management Console, I can see that the Service has been started and looking at the Windows Application log I can see that the URL was identified as a secure location.
So after a few seconds, the Microsoft File Transfer Manager is successfully installed without having to provide administrative privileges.
If you’re interested in using the ActiveX Installer Service in your environment I recommend that you also read the below referenced articles.
Additional Resources
The ActiveX Installer Service in Windows Vista
Microsoft TechNet – ActiveX Installer Service
NirSoft – ActiveXHelper
Good article. Thanks for writing.
-Trevor
Real usefull information.
nice post. i have a question..
as for this part “I then enable the “Approved Installation Sites for ActiveX Controls” setting and add the Site name https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab and set the Installation control value to 2,1,1,0. ”
how do i determine the URL, for example Java updates or adobe flash /reader updates?
I had some Approved Sites listed with wildcard definitions in the GPO like:
http://*.webex.com
which seem to have worked for a while but it suddenly stopped working last week.
There is a hotfix for Vista which enables this behaviour too.
Did MS released a patch for IE8 and Windows 7 which disables this.
The docs at MS do not mention this option, but I’m certain that it worked for a while.
Any clues?
Fantastic. Solved a major issue with reporting services print control instalation. I have linked your article to my issue here http://social.msdn.microsoft.com/Forums/en/sqlreportingservices/thread/73a5142a-268a-4f98-8043-ec94814c15ce hope thats ok.
Cheers
Dave
Hi Dave, always glad to see when my post help.
Cheers
Alex
Hi,
I am confused how I find where Microsoft SQL Server Reporting Services 2008 is downloaded from for the activex RSPrintClient when clicking print from an application.
Anyone able to help please?
Take care
the cab file is stored under program files \ SQL …. (depends on your installation directory). For the GPO I would suggest to just allow http://….. < address of your server > that should do it.
hope that helps