GPO to block applications

Harrison Midkiff

Hello:

I need to block a set of applications for the users in one of my
departments. Luckily I have separated my user accounts into their own
OUs. I created a GPO and then under "User Configuration\Administrative
Templates\System\Don't run specified Windows applications" I enabled it and
added the application executables. The application I am trying to block is
"sol.exe". Yep solitaire... After doing this and allowing replication to
happen and doing a "gpupdate /force" and rebooting, I can still open the
application. I thought perhaps this had to be at the domain level so I
added it there for testing but it still does not work.

Anyone have any advice on this? Thanks.

Harrison Midkiff
Mark Heitbrink [MVP]

Hi,

Harrison said:
I need to block a set of applications for the users in one of my
departments. Luckily I have separated my user accounts into their own
OUs. I created a GPO and then under "User Configuration\Administrative
Templates\System\Don't run specified Windows applications" I enabled it and
added the application executables. The application I am trying to block is
"sol.exe".

Even if you get it to run, it makes no sense.
copy sol.exe to %temp%\solit.exe or just rename it to sol1.exe
(if you have write permissions in %systemroot%) ... see what happens.

Working with NTFS permissions is much more effective. -> deny read

Mark
Harrison Midkiff

Mark:

Thanks for replying to my post.

Yes, you are exactly right. NTFS permissions would be a good way to do this.
This is just a temporary block. Most all my users are novice at best. I
think the problem is that at the domain level I have a GPO which blocks a series
of bad apps. Common virus executables and so forth. That policy is set to
"No Override". Since that is set to "No Override" it is not letting lower
GPOs combine. If I could make that work it would make things much easier
for me. To get this to work right now I created a batch file to update the
registry to restrict the executable. However this only runs when they log
in.

Your suggestions are welcomed. Thanks again for replying.

Harrison
Mark Heitbrink [MVP]

Hi,

Harrison said:
I think the problem is that at the domain level I have a GPO which blocks a series
of bad apps. Common virus executables and so forth. That policy is set to
"No Override".

Why? Makes no sense either to me.
"No override" is only an option if you have a problem in your company
hierarchy, e.g. an OU-Admin sets different permissions than you, but you
want to have your domain-level settings always win.
If there is no problem like this: Use the default inheritance!

Take a look at rsop.msc, is your policy
"User Configuration\Administrative Templates\System\Don't run specified
Windows applications" applied?

Mark
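A quick way to confirm what rsop.msc would show for this particular setting, as an added example that is not from any poster in this thread: the "Don't run specified Windows applications" template writes the current user's registry under the Policies\Explorer key (the paths below are that documented location, assumed here), so reading it back tells you whether the GPO ever reached the user, and the name-only match also makes Mark's renaming point visible.

```powershell
# Added check (not part of the original thread): report whether the
# "Don't run specified Windows applications" policy is present for the
# current user and which file names it lists.
$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$disallowKey = Join-Path $explorerPol 'DisallowRun'

function Get-DisallowRunState {
    $enabled = $false
    if (Test-Path $explorerPol) {
        $p = Get-ItemProperty -Path $explorerPol -ErrorAction SilentlyContinue
        $enabled = ($p.DisallowRun -eq 1)          # DWORD flag set by the template
    }
    $names = @()
    if (Test-Path $disallowKey) {
        $item = Get-Item -Path $disallowKey        # one string value per blocked exe
        foreach ($v in $item.GetValueNames()) { $names += $item.GetValue($v) }
    }
    [pscustomobject]@{ Enabled = $enabled; BlockedNames = $names }
}

function Test-WouldBeBlocked([string]$exeName) {
    $state = Get-DisallowRunState
    # The policy compares file names only (case-insensitively); a copy under a
    # different name is not in the list, which is the weakness discussed above.
    return ($state.Enabled -and ($state.BlockedNames -contains $exeName))
}

$state = Get-DisallowRunState
"DisallowRun enabled : $($state.Enabled)"
"Blocked names       : $($state.BlockedNames -join ', ')"
"sol.exe blocked     : $(Test-WouldBeBlocked 'sol.exe')"
"sol1.exe blocked    : $(Test-WouldBeBlocked 'sol1.exe')"
```

If Enabled comes back False after gpupdate, the GPO is not being applied to that user (scope, inheritance or the No Override policy above), not a problem with the setting itself.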
Darren Mar-Elia

Just to add to this, I think that using Software Restriction Policy to block
an executable is much more effective than this Admin. Template policy. Admin
Template policies are just shell obfuscation and as Mark has already pointed
out, they are relatively easy to foil.

In terms of why the policy isn't applying, Mark's advice about checking RSOP
is a good one.

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy

Script Group Policy Settings with the GPExpert Scripting Toolkit for
PowerShell!
Find out more at http://www.sdmsoftware.com/products2.php

Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy
Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
The best way to block any file in a domain environment is to create a rule in your current default domain group policy:

1. Edit yours.
2. Go in User configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules
3. Create a new Hash Rule.