Location of Software Restriction Policies

Guest

Can anyone tell me where in the registry Group Policy Software Restriction
Policies are stored?

I'm having a problem where admin users are getting SRP policies even though
no policies applied to them have these in them. The only thing I can think of
is that they are in the Default User profile which was created to provide a
common profile for all users.
 
Steven L Umbach

What you suspect would not be the problem. If SRP is applied to local
administrators in a non-domain computer then you need to configure
enforcement to exclude local administrators in Local Security Policy
[secpol.msc] - Software Restriction Policies. If it is a domain computer
then that needs to be checked in the Group Policy applying to the computer
or user for the same. Running rsop.msc on a domain computer will be helpful
in determining the GPO applying settings.

Steve
 
Guest

I've run RSOP and the correct policies are listed (i.e. no SRP at all, and any
restrictive policies for other users are 'reversed').

Why I suspect the registry is because as soon as I copy across the
NTUSER.dat from a working PC, then the failing PC works OK. We use the
Default User NTUSER.DAT files to create a standard printer etc for all PCs in
one particular room.

It's almost as if the previous user leaves behind their SRP settings, and as
there is no GPO way of forcing no SRP then they are being applied to the
admin user, who otherwise gets the full admin policy as normal.


 
Steven L Umbach

For machine level SRP the settings are under the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer key if that
helps. So you may want to check under user registry for something similar.

Steve


 
Guest

Thank you, that was it exactly!

The SRP settings were in the LOCAL_MACHINE hive of the default user profile,
hence the Admin user was picking them up on first login.

Removed them from default user profile and it works OK now, as users with
SRP get the policy on login.

Thanks for your help.

 
Steven L Umbach

Cool. Glad you got it sorted out and thanks for reporting back what worked.

Steve
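
Added example, not part of the original thread or written by its posters: a PowerShell check for the situation resolved above, looking for Software Restriction Policy keys in the machine hive and in an offline Default User NTUSER.DAT. The hive path, the mount name `SrpAudit` and the `-Remove` switch are assumptions for illustration; the per-user subkey is assumed to mirror the machine-level path quoted in the thread.

```powershell
# Added example: audit a Default User hive for leftover SRP policy keys.
# Run from an elevated prompt. Paths and names below are assumptions.
param(
    # Older Windows versions keep this hive under "Documents and Settings\Default User".
    [string]$HivePath  = "$env:SystemDrive\Users\Default\NTUSER.DAT",
    [string]$MountName = 'SrpAudit',   # hypothetical temporary name under HKEY_USERS
    [switch]$Remove                    # delete the key from the offline hive if found
)

# Per-user counterpart of the machine-level key quoted in the thread (assumed).
$saferSubKey = 'Software\Policies\Microsoft\Windows\Safer'

function Test-SaferKey([string]$RegPath) {
    # reg.exe exits 0 when the key exists and non-zero when it does not.
    $out = & reg.exe query $RegPath /s 2>$null
    [pscustomobject]@{ Path = $RegPath; Present = ($LASTEXITCODE -eq 0); Output = $out }
}

# 1. Machine-level policy on the live system.
Test-SaferKey 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer' | Format-List Path, Present

# 2. Offline Default User hive: mount, inspect, always unmount.
if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (is the prompt elevated?)' }
try {
    $result = Test-SaferKey "HKU\$MountName\$saferSubKey"
    if ($result.Present) {
        Write-Warning "SRP keys found in $HivePath; profiles created from it start with them."
        $result.Output
        if ($Remove) {
            # Export the key first so the change can be reverted.
            $backup = Join-Path $env:TEMP 'default-user-safer-backup.reg'
            & reg.exe export "HKU\$MountName\$saferSubKey" $backup /y | Out-Null
            & reg.exe delete "HKU\$MountName\$saferSubKey" /f | Out-Null
            "Removed key; backup written to $backup"
        }
    } else {
        "No SRP policy keys in $HivePath"
    }
} finally {
    # The hive must be unloaded or the profile file stays locked.
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

Running it without `-Remove` only reports; existing user profiles already created from the template keep their own copy of the keys and need the same check against their NTUSER.DAT.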


 
