Windows Thread, Software Restriction in Technical
  1. #1


    Software Restriction

    I'm having a spot of bother with this. I'm trying to create a whitelist of allowed software and it's not working. Basically I have set the disallowed as the default and I find staff and pupils are still able to run bat, msi, exe files happily.

    I've forced a gpupdate to no avail.

    Typing in something like %Homeshare%\*.bat works but not at sub levels.

    How has everybody else got the SRPs set up?

  2. #2
    flyinghaggis
    One thing that caught us out the last time we looked at software restriction policies was that they don't nest together well if you have the software restriction GPO enabled on several policies that all take effect on a particular user.

    I.e. if you have a whole-school, all-users software restriction policy and one in a subfolder further down the tree where a PC is, then you'll get very unpredictable results when policy is applied and the machine tries to combine both.

    Don't know if this is something you've got set up in your AD which might be the cause of the weirdness you're noticing?

    PS I'm not 100% sure SRPs can accept variable names, by the way? We got all ours blocked on UNC paths and drive letters?
    Last edited by flyinghaggis; 17th June 2009 at 04:45 PM.


  4. #3

    Thanks for the reply flyinghaggis.

    I've got the SRP working now. It would seem there was a line in there called %SafeLocation0%\* which allowed users to bypass the filtering.


    Out of curiosity, is anybody's SRP GPO assigned to the users OU or to the OU where all the workstations are kept? Also, are any of your SRPs in the computer configuration as well as the user configuration, or just the user part?

  5. #4
    User3204
    We have four SRPs on the student network (the staff network machines are trusted...hmmm).
    1. Admin user OU (ICT Support staff, and a few trusted teachers).
    2. Staff user OU
    3. Student user OU
    4. Programmers (applied to the Student user OU, but with permissions to only allow certain groups to use it).


    These are GPOs with nothing in them except for the SRP definitions. The programmers one allows them to run software from their home drive.


  7. #5

    We just have the one restriction policy assigned to all workstations. It is its own group policy object with no other settings.


  9. #6

    ^Is your SRP created under the computer configuration level or at user level?

  10. #7

    Quote Originally Posted by Chuckster View Post
    ^Is your SRP created under the computer configuration level or at user level?
    Computer config level, I have disabled user config.

  11. #8
    ricki
    Hi

    I had the same thing. To get it to do subfolders you have to put in many restrictions like
    d:\*.bat
    d:\*\*.bat
    d:\*\*\*.bat
    You get the idea.
    I don't know why but it does work.

    Also beware: if students are getting at documents through other paths, say My Documents or mapped drives, you have to do the same thing.

    Richard
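
Several posts above turn on which SRP rules actually reach a workstation: a stray allow rule such as `%SafeLocation0%\*`, and whether the policy comes from the computer or the user configuration. The following PowerShell is an added example, not something posted in the thread. It reads the applied SRP settings from the standard policy registry location for both scopes and lists the default level and every path rule. The `Review` column is a heuristic assumed for this example, and the function name is hypothetical.

```powershell
# Added example: dump the SRP default level and path rules applied to this machine and user.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$roots  = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
}

# Hypothetical helper name; returns one object per path rule found.
function Get-SrpPathRule {
    foreach ($scope in $roots.Keys) {
        $root = $roots[$scope]
        if (-not (Test-Path $root)) { continue }      # no SRP delivered in this scope

        # DefaultLevel 0 means "Disallowed by default" (whitelist mode).
        $default     = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultLevel
        $defaultName = if ($null -eq $default) { 'not set' } else { $levels[[int]$default] }

        foreach ($level in $levels.Keys) {
            $pathsKey = Join-Path $root "$level\Paths"
            if (-not (Test-Path $pathsKey)) { continue }

            foreach ($key in Get-ChildItem -Path $pathsKey) {
                # Read the rule as written, without expanding %VARIABLES%.
                $rule = $key.GetValue('ItemData', $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

                [pscustomobject]@{
                    Scope        = $scope
                    DefaultLevel = $defaultName
                    RuleLevel    = $levels[$level]
                    Rule         = $rule
                    # Heuristic (assumption of this example): an allow rule that uses a
                    # wildcard or a %variable% deserves a manual look, because it may
                    # cover locations that users can write to.
                    Review       = ($level -eq 262144) -and ($rule -match '[*?]|%[^%]+%')
                }
            }
        }
    }
}

Get-SrpPathRule | Sort-Object Scope, RuleLevel, Rule | Format-Table -AutoSize
```

Run it as the affected user after `gpupdate`; rules appearing under both `Computer` and `User` show where overlapping GPOs are being combined.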
