I've set a software restriction policy up and I'm testing it out at present. By default I've banned all exes then set up the allowed list. The following shows the settings I have changed; the rest of the settings haven't been changed.
Very nice, now call me stupid, but you didn't actually ask a question?
Patience Geoff lol, I was just trying to post the rest of the pics and the site has slowed to a snail's pace!
Wes
Here are the rest of the pics:
Right the question is:
I can't actually run any of the software whatsoever; every time I click on a shortcut it brings up the error cannot run due to software restrictions?
Wes
Where is the GPO linked in?
You need to add the location of your shortcuts to the allowed list. I'd add %allusersprofile% for simplicity.
Top level of the students OU as the third priority GPO
Wes
If it's any help, I've attached the SRP we use
Thanks Guys it's now working the way I want it to!
Wes
Norphy thanks for that, I was having the same problems as wesleyw
Also, the way you have done it seems a lot simpler, just allow everything from the file server.
I was just going to go through every single exe and create a hash rule, which is why I've put this off for so long.
And surely I can allow everything from Program Files as well, instead of creating a hash rule for each app? Because if the students can't execute anything, they can't install anything.
Only problem I'm having is that VB scripts won't run on logon or logoff, despite me putting, like you have, \\mydomain\netlogon\*.vbs
You shouldn't even need the *.vbs for that, it should just allow any exe file from that location?
Wes
Originally Posted by sidewinder
Indeed, yes. The hash rules I have in place are deny rules restricting things like games, command lines and other dodgy apps. Putting in
Code: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
as an unrestricted rule allows everything in Program Files to be run; that is a default rule.
Originally Posted by sidewinder
Yeah, that didn't work for me either, I just didn't get around to taking it out. It was the %userdnsdomain%\netlogon rule which let the logon/off scripts run.
Thanks, that's worked now.
Although %userdnsdomain% didn't work for me, I had to use the actual paths for the sysvol and netlogon shares.
Try %LOGONSERVER%\netlogon
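The path rules discussed in this thread can be checked on a client with the script below, an added example that is not part of the original thread. It reads the SRP path rules that Group Policy has written under the standard `Safer\CodeIdentifiers` registry keys and shows what each rule's environment variables expand to in the current session. Registry-path rules such as the `ProgramFilesDir` one are not environment variables, so they are listed unexpanded.

```powershell
# Added example: list the SRP path rules applied to this computer and user,
# with the value each rule's environment variables resolve to right now.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
# Security level subkeys used by SRP
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

$rules = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }   # no SRP in this scope

    $default = (Get-ItemProperty -Path $root).DefaultLevel
    Write-Host ("{0}  DefaultLevel = {1}" -f $root, $levels["$default"])

    foreach ($levelKey in Get-ChildItem -Path $root) {
        $pathsKey = "$($levelKey.PSPath)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }

        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            # Read the rule as stored, without letting the registry API expand it
            $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            if (-not $raw) { continue }

            $resolved = [Environment]::ExpandEnvironmentVariables($raw)
            [pscustomobject]@{
                Scope    = ($root -split ':')[0]          # HKLM or HKCU
                Level    = $levels[$levelKey.PSChildName]
                Rule     = $raw
                Resolved = $resolved
                # True when a %...% token is left over, e.g. a variable that
                # has no value in this session (registry-path rules also
                # stay as written and show up here)
                Unexpanded = $resolved -match '%[^%]+%'
            }
        }
    }
}
$rules | Sort-Object Scope, Level | Format-Table -AutoSize -Wrap
```

Run it in the affected user's session, so that the HKCU rules and the session's own environment variables are the ones being read.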