Windows Server 2008 Thread: Software Restriction Policy - GPO (Technical forum)
#1 Koldov (joined May 2011, Bedfordshire)

    Software Restriction Policy - GPO

    Hi All,

    Could anybody tell me if there is any difference in enforcing this via Computer Configuration as opposed to User Configuration on the default Domain Policy? I have just seen this is possible to configure in both sections (?). All previous GPO settings have been in the User Configuration section as all restrictions, mapped drives and printers need to be on a per user basis regardless of what computer they are sitting at.

    I jumped on the bandwagon (and rightly so) due to the Cryptolocker thread and added all the relevant path rules to the Computer section of the default Domain Policy, but it hasn't worked so far, as dragging an exe file into APPDATA still executes when clicked (do you need to reboot the server to enable these?).

    I'm a bit of a GPO newbie, so please be as basic as possible.

    Also, if anyone could help with blocking .exe, .bat, .vbs and so on running from the mapped H:\ home drive I'd be grateful. It is mapped as the home drive by AD in a vanilla Windows network, i.e. \\server\pupildata$\class

    Kol.

#2 tmcd35 (joined Jul 2005, Norfolk)
    I'm not sure it's best practice to actually use the default domain policy for anything other than password policies (which only work when set here). It makes it harder to manage in the long run. It's usually better to keep your AD organised in an OU tree and apply GPOs to OUs; you get greater control that way.

    In terms of using the default domain policy, no, it would make absolutely no difference since it applies to everyone anyway. Computer policies apply while Windows is booting up, User policies apply while users are logging in.

    You should never need to reboot the server for policies to apply. However, policies don't apply to machines automatically. They run a random update system, something like every 4 hours +/- a random number of minutes. If you want to force a policy you need to run this command on the client computer:

    Code:
    gpupdate /force

#3 Koldov (joined May 2011, Bedfordshire)
    Yes, I really must sit down and look at organising my AD, but its structure is old and intertwines with logon scripts (.bat and .vbs), home folders, mandatory profiles, GPOs and GPPs; I'm not sure I'd know where to start!

    Sorry the Default Domain Policy came from here:

    Domain Policy SRP.jpg

    Maybe I read it wrong...

    Ok, so do these additional path rules only get enforced if the (Software Restriction Policies) Security Level is set to Disallowed, as it's on Unrestricted at the moment, or should the (Software Restriction Policies) Additional Rules work as stand-alone blockers?

    Anyone help with what I need to put in to block from the Home Folders? Path = \\server\pupildata$\class or just H:\

    Can I just say AAAAAAARGH!

    Kol.

#4 (member from Nottingham, joined Sep 2012)
    If your default action for SRP is unrestricted, then yes, they won't become effective until selected to disallowed.

    To block executables here, I have disallowed the U:\ drive (H:\ in your case) as well as %HOMESHARE% and %HOMEPATH%

#5 tmcd35 (joined Jul 2005, Norfolk)
    Ok, I've just looked over our policies here...

    Set in User Configuration on a policy applied to the Students Users OU (only students are restricted by the policy, staff are not restricted).
    Default security level is "Unrestricted"
    Additional Path E: (USB pen sticks) Disallowed
    Additional Path N: (Home drives) Disallowed
    Additional Path P: (old - needs updating, student accessible public drive) Disallowed
    Designated File Type Properties include .BAT, .CMD, .EXE, etc.

    Think that's it. Seems to work for the most part.

Thanks to tmcd35 from: Koldov (2nd December 2013)
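Before concluding that a rule "hasn't worked", it helps to confirm the SRP settings have actually reached the client after the `gpupdate /force` from #2 and to see which hive (Computer or User Configuration) they landed in, with the default level and path rules from the layout in #5. The following read-only PowerShell check is an added example written for this thread, not code from any poster; it assumes the standard SRP ("Safer") registry layout under Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and the function name is mine.

```powershell
# Added example: list the Software Restriction Policy settings that have reached
# this client from the machine (HKLM, Computer Configuration) and the current
# user's (HKCU, User Configuration) policy hives. Nothing is written.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    param([string]$Hive)   # 'HKLM' for computer policy, 'HKCU' for user policy

    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Hive = $Hive; Present = $false }
    }
    $root = Get-ItemProperty -Path $base

    # DefaultLevel is what the "Security Levels" node sets. Additional path
    # rules live under a subkey named after the level they enforce, e.g.
    # ...\CodeIdentifiers\0\Paths\{guid} for a Disallowed path rule.
    $rules = foreach ($lvl in $levelNames.Keys) {
        $paths = Join-Path $base "$lvl\Paths"
        if (Test-Path $paths) {
            Get-ChildItem -Path $paths | ForEach-Object {
                $r = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    Level       = $levelNames[$lvl]
                    Path        = $r.ItemData      # the path as typed in the GPO
                    Description = $r.Description
                }
            }
        }
    }

    $default = if ($null -ne $root.DefaultLevel) { $levelNames[[int]$root.DefaultLevel] } else { 'not set' }
    [pscustomobject]@{
        Hive            = $Hive
        Present         = $true
        DefaultLevel    = $default
        DesignatedTypes = ($root.ExecutableTypes -join ', ')   # "Designated File Types"
        PathRules       = @($rules)
    }
}

foreach ($hive in 'HKLM', 'HKCU') {
    $s = Get-SrpSummary -Hive $hive
    if (-not $s.Present) { "$hive : no SRP policy applied"; continue }
    "$hive : default level = $($s.DefaultLevel); designated types = $($s.DesignatedTypes)"
    $s.PathRules | Format-Table Level, Path, Description -AutoSize
}
```

If HKLM shows nothing while the rules were put in Computer Configuration, the GPO has not reached the machine yet (or is not linked to its OU); if the rules appear but a mapped-drive-letter path is listed while the file is being launched by its UNC path, that explains why it still runs.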

#6 Koldov (joined May 2011, Bedfordshire)
    Hmmm....

    Thanks for that, I shall clear out the default domain policy and apply it to my user OU's as appropriate, I'm much more comfortable with that, I must have misread the other thread.

    Ours is set the same with the default security level as 'unrestricted'. Do I take it the 'path' entered for your home drive is just the mapped letter? Or did you use the %HOMEPATH% / %HOMESHARE% paths as per the post above?

    Also, how do you restrict Designated File Type properties whilst keeping the Default security level 'unrestricted'? I thought they would only be enforced if the default was 'disallowed'. Do you have a separate path rule for each file type on each drive?

    Kol.

#7 Michael (joined Dec 2005, Birmingham)
    It's a very bad idea to use the Default Domain Policy for this. You risk blocking yourself with these rules too.

    Generally speaking, you should create a new GPO and apply restrictions on a user basis. You can then link this GPO where required in your AD structure.
