Windows Server 2008 R2 Thread, HELP NEEDED: Applocker Policy in Technical; We have implemented a GPO with Applocker configured. On the whole it is working just fine, allowing login scripts to ...
  1. #1


    HELP NEEDED: Applocker Policy

    We have implemented a GPO with Applocker configured.
    On the whole it is working just fine, allowing login scripts to run, blocking exe's from memory sticks etc.

    However we have 2 shares where we put programs that run from the network e.g.

    \\svr-app1\public\
    \\svr-app2\public\networkprograms\

    Each of these shares has a mapped drive on the Windows 7 client computers. (O:\ = \\svr-app1\public\, P:\ = \\svr-app2\public\)

    Try as I might, I cannot get a rule to allow executables to run from either of these locations.
    I have created rules such as
    Allow Everyone O:\*
    Allow Everyone O:\*.*
    Allow Everyone O:\*\
    Allow Everyone \\svr-app1\public\*
    Allow Everyone \\svr-app1\public\*.*
    Allow Everyone \\svr-app1\public\*\*

    but none of these work. When trying to run something we get an error like
    P:\VPLab9\VPLab9.exe This program is blocked by group policy, blah blah blah

    Anyone have any ideas what I am doing wrong? (Looking at the event log, the program was blocked because it didn't match any rule.)

  2. #2
    TheMan100
    Have you tried with just *.exe?

  3. Thanks to TheMan100 from:

    peterp (22nd August 2012)

  4. #3
    Cache
    Our App locker policy for the shared program drive is just configured as an Allow Everyone path of \\server03\apps\*

    You haven't got a deny rule in there somewhere in the Applocker policy have you that might be claiming precedence?

  5. Thanks to Cache from:

    peterp (22nd August 2012)

  6. #4

    Quote: Originally Posted by Cache
        Our App locker policy for the shared program drive is just configured as an Allow Everyone path of \\server03\apps\*

        You haven't got a deny rule in there somewhere in the Applocker policy have you that might be claiming precedence?

    We have the exact same policy as you describe and encountered a few issues similar to you. I forgot to check the public files so will test that tomorrow.

    To help fault find the issue, have you checked the event viewer to see what applocker is doing? Logs can be found in Microsoft/windows/applocker

  7. Thanks to deano from:

    peterp (22nd August 2012)

  8. #5

    Thank you for the replies.
    Seems that I was too eager to test, came in this morning and the rules work.
    I must not have waited long enough for the policy to refresh (seems that gpupdate /force doesn't make it work much quicker)

  9. #6
    Duke5A
    Quote: Originally Posted by peterp
        Thank you for the replies.
        Seems that I was too eager to test, came in this morning and the rules work.
        I must not have waited long enough for the policy to refresh (seems that gpupdate /force doesn't make it work much quicker)

    If you have multiple domain controllers in the domain you can force the policy changes to replicate between them using Active Directory Sites and Services. Once every DC has an up to date copy of the policy you can force update on the client. It's either that or wait for the policy to replicate itself amongst the DCs (default is 15 minutes I think).
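
A way to check on the client whether the new path rule has actually arrived, rather than waiting and retesting by hand. This is an added example and not something posted by anyone in the thread; it uses the AppLocker PowerShell module that ships with Windows 7 / Server 2008 R2, and the `$target` path is the blocked program quoted in the first post.

```powershell
# Added diagnostic example. Run on the affected client as a user who has
# the P: drive mapped, so the target file is reachable.
Import-Module AppLocker

# Blocked program quoted in the first post; change to the file being tested.
$target = 'P:\VPLab9\VPLab9.exe'

# 1. Show the Exe path rules the client is enforcing right now.
#    If the new share rule is missing here, the GPO has not been applied yet.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' }
"Exe enforcement mode: $($exe.EnforcementMode)"
$exe.FilePathRule | Where-Object { $_ } | ForEach-Object {
    New-Object PSObject -Property @{
        Action = $_.Action
        Name   = $_.Name
        Path   = $_.Conditions.FilePathCondition.Path
    }
} | Format-Table Action, Path, Name -AutoSize

# 2. Ask AppLocker how it would decide for this file and the Everyone group.
#    PolicyDecision is Allowed, Denied (an explicit deny rule matched) or
#    DeniedByDefault (no rule matched); MatchingRule names the rule that won.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $target -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# 3. Pull the most recent block events (ID 8004) from the AppLocker log
#    mentioned in post #4, to see the exact path AppLocker evaluated.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8004
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```

A `DeniedByDefault` result together with no share rule in step 1 points to policy refresh or replication delay rather than a wrong path pattern; a `Denied` result points to the deny-rule precedence raised in post #3.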


