Active X controls cause us loads of pain in large scale deployment scenarios. The primary reason is that it we cannot lock down the enterprise PC's and still have users activate the Active X controls in their browsers, even if the Active X component is signed.

We can easily make a site a "trusted site" (group policy), but this does not ensure that users have the access they need to make the registry entries in HKLM or put files in C:\WINDOWS\DOWNLOADED PROGRAM FILES. We could try to hack this by opening write access to HKLM/Classes and to the downloaded program files folder, but this is not good.

Is there a reliable way of doing this? A way where I can perhaps sign the controls I approve and have active directory install it in system context on all domain computers? This must be a problem that several corporations are dealing with.
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
Here is a solution that I had to use to allow several intranet applications to install ActiveX controls for our users. The whole package process takes only like 10 minutes using these instructions, even though they look more involved. Getting the ActiveX controls probably takes longer.

HTH,
Nate


How To Install ActiveX Controls in Internet Explorer Using the Active Directory

Article ID : 280579
Last Review : July 1, 2004
Revision : 3.1
This article was previously published under Q280579

On this Page

SUMMARY <http://support.microsoft.com/kb/280579/EN-US/#kb1> SUMMARY <http://support.microsoft.com/kb/280579/EN-US/#kb1>
MORE INFORMATION <http://support.microsoft.com/kb/280579/EN-US/#kb2> MORE INFORMATION <http://support.microsoft.com/kb/280579/EN-US/#kb2>
REFERENCES <http://support.microsoft.com/kb/280579/EN-US/#kb3> REFERENCES <http://support.microsoft.com/kb/280579/EN-US/#kb3>

SUMMARY

By design in Windows 2000, members of the Users group cannot install ActiveX controls from the Internet without modifying the rights of the group. However, some administrators may want to allow the Users group to install some ActiveX controls. This article describes how to publish a control in the Active Directory to facilitate this functionality.

MORE INFORMATION


Preparing the Control

The ActiveX control must be packaged as an Installer Package (.msi) file instead of as a standard Internet Explorer cabinet (.cab) file. The .msi file can be created by using Visual Studio Installer. For the ActiveX control to be listed properly in the Active Directory, it must be set up to register through the .msi file instead of registering automatically.

To create the installation package, follow these steps:
1. Add the control to the Visual Installer package. To do this, click Add Files on the Project menu, and add your compiled control file to the project.
2. Determine the CLSID. To do this, either use the OLE View tool that ships with Microsoft Visual Studio, or look it up in the registry.
3. Open the Target Machine/Associations section of the project.
4. Under COM Object, add the control CLSID.
5. Under Type Libraries, add the control type library ID. If you are using a Microsoft Visual Basic (VB) control, it is the same as the CLSID by default.
6. Continue packaging the control as you normally would (that is, add any additional files and registry entries) by using Visual Installer.
7. Place the .msi file for the control on a public share on the network.

Publishing the Control

After the MSI has been created, the Active Directory must be made aware of the control. The control must be added as a published control in the user portion of a policy for the appropriate Organizational Unit (OU). After the control has been published properly, you should see it in Add/Remove programs for any of the users in the OU.

After you have prepared the control and confirmed that the control can be seen in Add/Remove programs, you need to set up a registry entry in Windows 2000 that causes Internet Explorer to check the Active Directory for an installation package for the control. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
241163 <http://support.microsoft.com/kb/241163> How to publish ActiveX controls in Windows 2000 using IntelliMirror After the registry changes are made, Internet Explorer installs the control from the Active Directory under the permissions of the Administrator who published the control. The control is installed when the user visits a Web page that contains the control. The method that is described works based on the CLSID of the control as referenced on the Web page that hosts the control. This solution works no matter what the codebase refers to. Because most Web pages that use ActiveX controls on the Internet already have a codebase that clearly cannot be modified to point to a local installation location, this method makes controlled installation possible in the environment. No changes are necessary for the Web page itself.

REFERENCES

To download Visual Studio Installer 1.1, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn.microsoft.com/vstudio/downloads/tools/vsi11/download.aspx
For more information about how to inspect COM components by using the TypeLib Information Object Library (TLI), visit the following MSDN Web site:
http://msdn.microsoft.com/msdnmag/issues/1200/TypeLib/default.aspx
For more information about developing Web-based solutions for Microsoft Internet Explorer, visit the following Microsoft Web sites:
http://msdn.microsoft.com/workshop/entry.asp

http://msdn.microsoft.com/ie/
Answered 11/04/2004 by: nmead
Senior Yellow Belt

Please log in to comment
0
Or you do this.

Create a batch file that will install the ActiveX control locally.

Then do a capture of the batch file running the install. Most ActiveX controls only need to run regsvr32 on a DLL and copy a file to Downloaded Programs.

Package it as an msi and install it workstation deployed to your users via GPO.

This is how I do it currently for all users where I work.
Answered 11/05/2004 by: MSIMaker
Second Degree Black Belt

Please log in to comment
0
We are using SMS Installer to create some snapshot. How do you get the activex to integrate it in a batch file?

In my snapshot, I usually found many registry key was changed some files in the download and thats it.
Answered 11/05/2004 by: Francoisracine
Third Degree Blue Belt

Please log in to comment
0
In most cases the ActiveX is either an OCX file or a DLL.

By using the batch file to run regsvr32.exe [ActiveX control] you can capture the install.

You can of course run it straight from a command line as well during the capture. I only suggested the batch file to save typing.
Answered 11/05/2004 by: MSIMaker
Second Degree Black Belt

Please log in to comment
0
This is what we did for an ActiveX plug-in we deployed via AD to over 1000 seats:

http://www.appdeploy.com/packages/detail.asp?id=285
Answered 11/05/2004 by: pjohnson
Orange Belt

Please log in to comment
0
let see.
You go to a website and at a moment it is asking to install an activex. Where will you find this activex?

Which commandline will you run to install this activex?
Answered 11/06/2004 by: Francoisracine
Third Degree Blue Belt

Please log in to comment
0
Most ActiveX controls have an inf file which specifies such things as files to copy and dll's to register. Most ActiveX controls copy files to C:\WINNT\Downloaded Program Files.

If you capture this process and package it....you can deliver it to users so that once the user hits the webpage.....the page will see the control loaded and not reload it.
Answered 11/06/2004 by: MSIMaker
Second Degree Black Belt

Please log in to comment
0
So what you are suggesting is to make a snapshot.
The first time, we packaged an activex, we were using SMS to start IE under the sms local admin profile to the exact location where the activex was attempting to install itself. Then we were closing IE after a few seconds and the activex was install.

Now we want to make it completely unattended and we need to use a snapshot to do the job.

Personnally, I would prefer a setup and then making it running like anyother software installation.

A big problem with activex is peoples will replace the activex and they will never let you know as they are from others organisations or they know nothing about you.
Answered 11/07/2004 by: Francoisracine
Third Degree Blue Belt

Please log in to comment
0
Can you speak to the developer of the ActiveX control and ask him to make a small setup program for you to distribute via SMS?

Either that or package it as an SMS install and send it down to the user.
Answered 11/08/2004 by: MSIMaker
Second Degree Black Belt

Please log in to comment
0
No, it is nearly impossible because mostly they are from others organisation. As an example, a director was going to the MS site and was trying to take a reservation for a seminary. The MS website was trying to install an activex... Will I asked MS for a setup for that activex?

Another example, was an organization part of us was asking an external firm to develop a website to see acrobat documents. The external firm took an activex from Adobe to do the job. The activex has no setup... I called the external firm and ask them about that activex and they knew nearly nothing about it.

So the problem with activex will be a snapshot will do the trick but as soon as the website developper will change the activex, you will learn that when it will stop to work. And it will be an emergency...

Damn, I love my job! :)
Answered 11/08/2004 by: Francoisracine
Third Degree Blue Belt

Please log in to comment
0
I am trying to package the Crystal reports active x viewer that installs off one of our production servers on the LAN.
Its a 800k cab file that runs with a setup inf file that calls the download of 2 other cab files that are also installed if some dll components are missing on the client machine. version 8.5

Its damn impossible, ive tried wise snapshots - only works on somemachines
Ive built it manually with visual studio installer.
And i have no clue how to use merge modules.

has anyone successfully installed the crystal reports active x control for IE using an MSI ?
and how did they do it?
we will not be updating the control any time soon, so I just want a solid installer.
Answered 10/11/2005 by: ancientcontra
Senior Yellow Belt

Please log in to comment
0
The problem is that i need to know how to run the inf files from within the cab file, as well as call the other cab files inf files

cryviewer.inf calls atl.ing calls mfc42.inf

I need an msi that has all of the possible dependent files and knows how to regester them with clsid's
using wise package studio and I also have visual studio installer (vb6)
I understand i can use regsrv32.dll to run the inf files in an msi context. can anyone tell me how to run these inf files from within an MSI created with wise packge studio ??



[version]
; version signature (same for both NT and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
swebrs.dll=swebrs.dll
sviewhlp.dll=sviewhlp.dll
CRViewer.dll=CRViewer.dll
reportparameterdialog.dll=reportparameterdialog.dll
crsmarttag.dll=crsmarttag.dll
atl.dll=atl.dll
mfc42.dll=mfc42.dll
msvcrt.dll=msvcrt.dll
olepro32.dll=olepro32.dll
cselexpt.ocx=cselexpt.ocx

; These are the necessary supporting DLLs for MFC 4.2 ActiveX Controls
; thiscab is a keyword which, in this case, means that Spindial.ocx
; can be found in the same .cab file as this .inf file
; file-win32-x86 is an x86 platform specific identifier
; See the ActiveX SDK - ActiveX Controls - Internet Component Download -
; Packaging component code for automatic download

[swebrs.dll]
file-win32-x86=thiscab
; *** add your controls CLSID here ***
CLSID={F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C}
; Add your ocx's file version here.
FileVersion=8,6,1,758
RegisterServer=yes

[sviewhlp.dll]
file-win32-x86=thiscab
; *** add your controls CLSID here ***
CLSID={BD10A9C1-07CC-11D2-BEFF-00A0C95A6A5C}
; Add your ocx's file version here.
FileVersion=8,6,1,758
RegisterServer=yes

[CRViewer.dll]
file-win32-x86=thiscab
; *** add your controls CLSID here ***
CLSID={C4847596-972C-11D0-9567-00A0C9273C2A}
; Add your ocx's file version here.
FileVersion=8,6,1,758
RegisterServer=yes

[reportparameterdialog.dll]
file-win32-x86=thiscab
; *** add your controls CLSID here ***
CLSID={B9BE4CB0-3A20-11D3-A5F0-00A0C9A40F1D}
; Add your ocx's file version here.
FileVersion=8,5,0,1314
RegisterServer=yes

[crsmarttag.dll]
file-win32-x86=thiscab
; *** add your controls CLSID here ***
CLSID={34C28AD5-A1A6-4674-A5A6-D0ADDAC476A5}
; Add your ocx's file version here.
FileVersion=8,6,1,758
RegisterServer=yes

[atl.dll]
; This is the version of atl.dll that shipped with VS 6.0 SP3
; If a newer version is available, update the version number here
FileVersion=3,0,8168,0
; This is an example of conditional hook. The hook only gets processed
; if atl.dll of the specified version is absent on client machine.
hook=ATLinstaller

[ATLinstaller]
file-win32-x86=http://activex.microsoft.com/controls/vc/atl.cab
; The atl.cab file actually contains a self extracting executable.
; In this case we specify a run= command
run=%EXTRACT_DIR%\atl.exe

[msvcrt.dll]
; This is an example of conditional hook. The hook only gets processed
; if msvcrt.dll of the specified version is absent on client machine.
FileVersion=4,20,0,6164
hook=mfc42installer

[mfc42.dll]
FileVersion=4,2,0,6256
hook=mfc42installer

[olepro32.dll]
FileVersion=4,2,0,6068
hook=mfc42installer

[mfc42installer]
file-win32-x86=http://activex.microsoft.com/controls/vc/mfc42.cab
; If dependent DLLs are packaged directly into the above cabinet file
; along with an .inf file, specify that .inf file to run as follows:
;InfFile=mfc42.inf
; The mfc42.cab file actually contains a self extracting executable.
; In this case we specify a run= command.
run=%EXTRACT_DIR%\mfc42.exe

[cselexpt.ocx]
file-win32-x86=thiscab
; *** add your controls CLSID here ***
CLSID={5C9EA134-127A-11D1-BFB4-00A0C936E6F9}
; Add your ocx's file version here.
FileVersion=8,6,1,221
RegisterServer=yes

; ====================== end of crviewer.inf =====================

;==========================atl.inf==============================
;This file controls the installation of the ansi version of atl.dll.


[version]
; version signature (same for NT and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[SourceDisksNames]
;This section specifies that all sources are in the "default" location
1="default",,1

[SourceDisksFiles]
atl.dll=1

;install section for WinNT
[DefaultInstall.NT]
Copyfiles=atldllfilesNT
RegisterOCXs=atldllregister

;install section for Win95
[DefaultInstall]
Copyfiles=atldllfiles
RegisterOCXs=atldllregister

[DestinationDirs]
; Destination directory for CopyFiles Sections.
atldllfiles=11
atldllfilesNT=11

[atldllfilesNT]
atl.dll,atlw.dll,,32

[atldllfiles]
atl.dll,atla.dll,,32

[atldllregister]
%11%\atl.dll
;==========================atl.inf==============================


; ========================= Mfc42.inf =========================

; This file will control the download of the MFC 4.2 DLLs
; that MFC controls depend on.

[version]
; version signature (same for both Nt and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[SourceDisksNames]
; This section specifies that all sources are in the "default" location.
1="default",,1

[DefaultInstall]
; Default section to process and copy all files under the section
; mfcdllsx.files and Register DLLs under the section mfcdllsx.register.
CopyFiles=mfcdllsx.files
RegisterOCXs=mfcdllsx.register

[DestinationDirs]
; Destination Directories for CopyFiles Sections.
; 11 indicates LDID_SYS - system directory
mfcdllsx.files=11

[mfcdllsx.files]
; ,,,32 - Suppress version conflict dialog and don't overwrite newer
; DLLs
msvcrt.dll,,,32
mfc42.dll,,,32
olepro32.dll,,,32

[mfcdllsx.register]
; msvcrt.dll is not self registering
%11%\mfc42.dll
%11%\olepro32.dll
Answered 10/12/2005 by: ancientcontra
Senior Yellow Belt

Please log in to comment
0
Hello,
We have a company web app that uses Cystral Reports 2008 to generate reports. Users are prompted with the following msg when printing a report: “This website wants to run the following add-on: ‘Crystal Print Control’ from ‘Business Objects Americas’. If you trust the website and the add-on and want to allow it to run, click here….” Run ActiveX Control. Others never see this message, print process just hangs.
My objective is to automate a process that will eliminate this prompt from the locked-down end users, running Win XP, IE7. I have placed the related dll files from ActiveXViewer.cab and PrintControl.cab in c:\windows\activexviewer and created the following batch file that registers each dll file:

%echo off
regsvr32 /s %windir%\Activexviewer\CRViewer.dll
regsvr32 /s %windir%\Activexviewer\PrintControl.dll
regsvr32 /s %windir%\Activexviewer\swebrs.dll
regsvr32 /s %windir%\Activexviewer\sviewhlp.dll
regsvr32 /s %windir%\Activexviewer\csprintdlg.dll
regsvr32 /s %windir%\Activexviewer\pvlocale-1-0.dll
regsvr32 /s %windir%\Activexviewer\xerces-c_2_7.dll

The problem is that this does not always work. Wondering if anyone has a dependable method of achieving this issue?
Thank you in advance for your suggestions……
Answered 11/16/2011 by: rmstech
Senior Yellow Belt

Please log in to comment
0
Use Group Policy to add the URL to your list of Trusted Sites.
Answered 11/16/2011 by: VBScab
Red Belt

Please log in to comment
0
Thank you for the great reply, VBScab.
This works if I make the change manually. We were planning on deploying the change via kbox, unfortunately I don’t have any experience with Group Policies. I noticed that there are two entries made to the registry when adding the url to the trusted site list, one to the HKCU and HK_USERS (which will be a unique key on every machine). This will make it difficult to deploy as a registry import.
Would you have any other suggestions on this?
Thanks again…..
Answered 11/16/2011 by: rmstech
Senior Yellow Belt

Please log in to comment
0

I have a similar situation as a few others here as the Active X is provided by a vendor and changes sporadically. Currenlty our user have admin rights to allow for the install of this. As we all know to well this can be a big no no in the wrong hands. i was hoping to be able to modify access rights using GPO to allow "users" to install any active x coming from the trusted site. Any help would allow me to sleep at night :)

Answered 08/16/2012 by: jkilgas
White Belt

Please log in to comment
0

@jkilas

   If your clients are Vista\Win7\Win8 just use the Microsoft ActiveX Installer Service to do your install. AXIS (Microsoft ActiveX Installer Service) was designed to perform ActiveX installs for non-admin users

 

 You will need still need to do a little work nothing is THAT easy. You need to setup a few GPOs for the ActiveX installer service. (here is microsofts guide: http://technet.microsoft.com/en-us/library/dd631688(v=WS.10).aspx)

 If you are looking for a much easier to follow explanation you can read this guide: https://secure.codebasesearch.com/knowledge-base/3-how-does-the-microsoft-activex-installer-service-really-work.html

 

  At the end of the day AXIS is really the way to go for most admins. I hope this helps you and others.

 

Answered 12/05/2012 by: otg
White Belt

Please log in to comment
Answer this question or Comment on this question for clarity