Could anybody tell me if there is any difference in enforcing this via Computer Configuration as opposed to User Configuration on the default Domain Policy? I have just seen this is possible to configure in both sections (?). All previous GPO settings have been in the User Configuration section as all restrictions, mapped drives and printers need to be on a per user basis regardless of what computer they are sitting at.
I jumped on the bandwagon (and rightly so) due to the Cryptolocker thread and added all the relevant path rules to the Computer section of the default Domain Policy, but it hasn't worked so far, as dragging an exe file into APPDATA still executes when clicked (do you need to reboot the server to enable these?).
I'm a bit of a GPO newbie, so please be as basic as possible.
Also, if anyone could help with blocking .exe, .bat, .vbs and so on running from the mapped H:\ home drive I'd be grateful. It is mapped as the home drive by AD in a vanilla Windows network, i.e. \\server\pupildata$\class
I'm not sure it's best practice to actually use the default domain policy for anything other than password policies (which only work when set here). It makes it harder to manage in the long run. It's usually better to keep your AD organised in an OU tree and apply GPOs to OUs; you get greater control that way.
In terms of using the default domain policy, no, it would make absolutely no difference since it applies to everyone anyway. Computer policies apply while Windows is booting up; user policies apply while users are logging in.
You should never need to reboot the server for policies to apply. However, policies don't apply to machines automatically. They run on a random update schedule, something like every 4 hours +/- a random number of minutes. If you want to force a policy you need to run this command on the client computer:
Yes, I really must sit down and look at organising my AD, but its structure is old and intertwines with logon scripts (.bat and .vbs), home folders, mandatory profiles, GPOs and GPPs; I'm not sure I'd know where to start!
OK, so do these additional path rules only get enforced if the (Software Restriction Policies) Security Level is set to Disallowed, as it's on Unrestricted at the moment, or should the (Software Restriction Policies) Additional Rules work as stand-alone blockers?
Anyone help with what I need to put in to block from the Home Folders? Path = \\server\pupildata$\class or just H:\
Set in User Configuration on a policy applied to the Students Users OU (only students are restricted by the policy, staff are not restricted).
Default security level is "Unrestricted"
Additional Path E: (USB pen sticks) Disallowed
Additional Path N: (Home drives) Disallowed
Additional Path P: (old - needs updating, student accessible public drive) Disallowed
Designated File Type Properties include .BAT, .CMD, .EXE, etc.
Thanks for that. I shall clear out the default domain policy and apply it to my user OUs as appropriate; I'm much more comfortable with that. I must have misread the other thread.
Ours is set the same, with the default security level as 'unrestricted'. Do I take it the 'path' entered for your home drive is just the mapped letter? Or did you use the %HOMEPATH% / %HOMESHARE% path as per the post above?
Also, how do you restrict Designated File Type properties whilst keeping the default security level 'unrestricted'? I thought they would only be enforced if the default was 'disallowed'. Do you have a separate path rule for each file type on each drive?
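A quick way to settle both questions in this thread (whether the path rules actually reached the machine, and what the default level and designated file types are) is to read the Software Restriction Policies settings that Group Policy writes into the registry. SRP stores computer-side settings under HKLM and user-side settings under HKCU, in SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers: DefaultLevel holds the default security level, ExecutableTypes holds the designated file types, and each additional path rule sits in a subkey named after its level (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted) with the path in ItemData. A Disallowed path rule is enforced regardless of the default level; the designated file types only decide which extensions SRP treats as executable. The script below is an added example written for this thread, not a script from any of the posters; it reads the live policy on the client after a gpupdate and lists what applied from each hive, so an empty HKLM section with no rules explains why an exe dragged into APPDATA still runs.

```powershell
# Added example: list the SRP (Safer) settings currently applied on this client.
# Run in the restricted user's session after 'gpupdate /force' so both hives reflect
# the user and computer halves of the policy.

$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-LevelName([int]$Level) {
    if ($levelNames.ContainsKey($Level)) { return $levelNames[$Level] }
    return "Level $Level"
}

foreach ($hive in 'HKLM', 'HKCU') {
    $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

    if (-not (Test-Path -Path $base)) {
        Write-Output "$hive : no SRP policy present in this hive"
        continue
    }

    $ci = Get-ItemProperty -Path $base

    # DefaultLevel is absent when the policy leaves it at the built-in default (Unrestricted).
    if ($null -eq $ci.DefaultLevel) {
        Write-Output "$hive : default level = Unrestricted (not explicitly set)"
    } else {
        Write-Output "$hive : default level = $(Get-LevelName $ci.DefaultLevel)"
    }

    # ExecutableTypes is the 'Designated File Types' list (REG_MULTI_SZ).
    if ($ci.ExecutableTypes) {
        Write-Output "$hive : designated file types = $($ci.ExecutableTypes -join ', ')"
    }

    # Each additional path rule lives under <level>\Paths\{GUID} with the path in ItemData.
    foreach ($levelKey in Get-ChildItem -Path $base) {
        $levelName = Get-LevelName ([int]$levelKey.PSChildName)
        $pathsKey  = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }

        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $r = Get-ItemProperty -Path $rule.PSPath
            Write-Output ("{0} : {1,-12} {2}" -f $hive, $levelName, $r.ItemData)
        }
    }
}
```

If the user-side (HKCU) output shows the H:, E: and N: paths under Disallowed while HKLM shows nothing, the rules came from a User Configuration policy, which is the expected result for a policy linked to the students OU; a drive-letter path rule only matches executables opened through that letter, so a rule on the UNC path (\\server\pupildata$) or on %HOMESHARE% is needed to cover access via the share name as well.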