Windows Server 2008 R2 Thread: HELP NEEDED: Applocker Policy
21st August 2012, 04:46 PM #1
HELP NEEDED: Applocker Policy
We have implemented a GPO with Applocker configured.
On the whole it is working just fine, allowing login scripts to run, blocking exe's from memory sticks etc.
However we have 2 shares where we put programs that run from the network e.g.
\\svr-app1\public\
\\svr-app2\public\networkprograms\
Each of these shares has a mapped drive on the Windows 7 client computers. (O:\ = \\svr-app1\public\, P:\ = \\svr-app2\public\)
Try as I might, I cannot get a rule to allow executables to run from either of these locations.
I have created rules such as
Allow Everyone O:\*
Allow Everyone O:\*.*
Allow Everyone O:\*\
Allow Everyone \\svr-app1\public\*
Allow Everyone \\svr-app1\public\*.*
Allow Everyone \\svr-app1\public\*\*
but none of these work. When trying to run something we get an error like
P:\VPLab9\VPLab9.exe This program is blocked by group policy, blah blah blah
Anyone have any ideas what I am doing wrong? (Looking at the event log, the program was blocked because it didn't match any rule.)
-
21st August 2012, 05:14 PM #2
Have you tried with just *.exe?
-
21st August 2012, 05:17 PM #3
Our App locker policy for the shared program drive is just configured as an Allow Everyone path of \\server03\apps\*
You haven't got a deny rule in there somewhere in the Applocker policy have you that might be claiming precedence?
-
21st August 2012, 08:19 PM #4
Originally Posted by Cache:
Our App locker policy for the shared program drive is just configured as an Allow Everyone path of \\server03\apps\*
You haven't got a deny rule in there somewhere in the Applocker policy have you that might be claiming precedence?

We have the exact same policy as you describe and encountered a few issues similar to you. I forgot to check the public files so will test that tomorrow.
To help fault find the issue, have you checked the event viewer to see what applocker is doing? Logs can be found in Microsoft/windows/applocker
-
22nd August 2012, 07:27 AM #5
Thank you for the replies.
Seems that I was too eager to test, came in this morning and the rules work.
I must not have waited long enough for the policy to refresh (seems that gpupdate /force doesn't make it work much quicker)
-
22nd August 2012, 08:51 PM #6 
Originally Posted by
peterp
Thank you for the replies.
Seems that I was too eager to test, came in this morning and the rules work.
I must not have waited long enough for the policy to refresh (seems that gpupdate /force doesnt make it work much quicker)

If you multiple domain controllers in the domain you can force the policy changes to replicate between them using Active Directory Sites and Services. Once every DC has an up to date copy of the policy you can force update on the client. It's either that or wait for the policy to replicate itself amongst the DCs (default is 15 minutes I think).
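
A way to check from the Windows 7 client whether the refreshed policy has arrived and how it evaluates the blocked file, added here as an example and not part of any post in the thread. It uses the AppLocker PowerShell cmdlets and the AppLocker event log mentioned in post #4; the target path is the one from the error message in post #1, and the script is meant to be run as the affected user.

```powershell
# Added diagnostic example: run on the affected client as the user who sees the block.
Import-Module AppLocker

# File from the thread's error message; change it to the program being tested.
$target = 'P:\VPLab9\VPLab9.exe'

# 1. Which Exe path rules has this client actually received?
#    If the new share rule is missing here, the GPO has not reached the client yet.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.GetAttribute('Type') -eq 'Exe' }
"Exe enforcement mode: $($exe.GetAttribute('EnforcementMode'))"
$exe.FilePathRule | Where-Object { $_ } |
    Select-Object @{ Name = 'Action'; Expression = { $_.GetAttribute('Action') } },
                  @{ Name = 'Rule';   Expression = { $_.GetAttribute('Name') } },
                  @{ Name = 'Path';   Expression = { $_.Conditions.FilePathCondition.Path } } |
    Format-Table -AutoSize

# 2. How does the effective policy evaluate the file for Everyone?
#    MatchingRule is empty when no rule applies (the "didn't match any rule" case);
#    a Deny rule taking precedence shows up here by name.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $target -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# 3. Compare when the policy was last applied with when the blocks happened.
#    8001 = policy applied to this computer, 8004 = executable blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object { 8001, 8004 -contains $_.Id } |
    Select-Object -First 10 TimeCreated, Id, Message |
    Format-List
```

Blocks (8004) that are all older than the latest 8001 entry point to a test made before the refreshed policy was applied, which is the situation described in post #5.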