+ Post New Thread
Results 1 to 10 of 10
Windows Thread, Help with "user software restriction policy" in Technical; I am trying to test a very basic software restriction policy. I want it to do the following: 1. Restrict ...
  1. #1
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30

    Help with "user software restriction policy"

    I am trying to test a very basic software restriction policy.

    I want it to do the following:

    1. Restrict any software from running on drives which I specify.

    I can't seem to get it to work, here are my settings:

    Enforcement:
    Apply software restriction policies to the following : All software files except libraries
    Apply software restriction policies to the following users : All users

    Security Levels:
    Set to "Unrestricted"

    Additional Rules:
    R:\ Disallowed



    I have disabled ALL other GPO's whilst I test.....

    Yet still the test user can run software on the R:\ drive...

    What am I doing wrong?

  2. #2
    cromertech's Avatar
    Join Date
    Dec 2007
    Location
    Cromer by the coast
    Posts
    731
    Thank Post
    177
    Thanked 109 Times in 97 Posts
    Rep Power
    54
    Have you run a gpresult or rsop.msc on the computer after logging in to see if it is applied

  3. #3
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    Group Policy Management
    body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; } .path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; } .info { padding-left:10px;width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding-left:10px; height:24px; } td { background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; } .btn { width:100%; text-align:right; margin-top:16px; } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding-top: 4px; padding-left:10px; height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; overflow:scroll; z-index:2; background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; overflow:visible; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }
    Setting Path:
    Explanation
    Print
    Close
    No explanation is available for this setting.
    Supported On:
    Not available
    Group Policy Results
    CURRICULUM\5510
    Data collected on: 01/02/2011 10:04:54 hide all

    Summaryhide
    Computer Configuration Summaryhide
    No data available.
    User Configuration Summaryhide
    Generalhide
    User name CURRICULUM\5510
    Domain curriculum.local
    Last time Group Policy was processed 01/02/2011 09:57:14

    Group Policy Objectshide
    Applied GPOshide
    Name Link Location Revision
    7-Software Restriction Policy User Based curriculum.local/Balcarras School/Users AD (14), Sysvol (14)

    Denied GPOshide
    Name Link Location Reason Denied
    Local Group Policy Local Empty
    Default Domain Policy curriculum.local False WMI Filter
    WSUS Machines curriculum.local/Balcarras School False WMI Filter
    {28EB32FA-50D9-4A08-90F6-AB9F7EDA653B} curriculum.local/Balcarras School/Users Disabled Link
    {055935C7-0B11-47F0-B4AA-A836D152D042} curriculum.local/Balcarras School/Users Disabled Link
    {EC0DC296-D643-418C-B8A1-07C0D8294CB3} curriculum.local/Balcarras School/Users Disabled Link
    {46FA9C27-ABEF-42FF-9ABF-2959C08B9BF1} curriculum.local/Balcarras School/Users Disabled Link
    Office2010 curriculum.local/Balcarras School/Users False WMI Filter
    30minsscreensavelock curriculum.local/Balcarras School/Users False WMI Filter
    Do not track Shell shortcuts during roaming curriculum.local/Balcarras School/Users False WMI Filter
    PreventRemovableMedia curriculum.local/Balcarras School/Users False WMI Filter
    Office 2003 Policy curriculum.local/Balcarras School/Users False WMI Filter
    Desktop Redirection - All Users curriculum.local/Balcarras School/Users False WMI Filter
    Lockdown - Staff, Pupils, Finance &GLOSCAT curriculum.local/Balcarras School/Users False WMI Filter
    Browser Settings & Startup Programs - All Users curriculum.local/Balcarras School/Users False WMI Filter
    Moodle curriculum.local/Balcarras School/Users False WMI Filter

    Security Group Membership when Group Policy was appliedhide
    CURRICULUM\Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    LOCAL
    CURRICULUM\CAGPupils
    CURRICULUM\Pupils
    Mandatory Label\Medium Mandatory Level
    WMI Filtershide
    Name Value Reference GPO(s)
    W7 True 7-Software Restriction Policy User Based
    XP False 30minsscreensavelock, Browser Settings & Startup Programs - All Users, Default Domain Policy, Desktop Redirection - All Users, Do not track Shell shortcuts during roaming, Lockdown - Staff, Pupils, Finance &GLOSCAT, Moodle, Office 2003 Policy, Office2010, PreventRemovableMedia, WSUS Machines

    Component Statushide
    Component Name Status Last Process Time
    Group Policy Infrastructure Success 01/02/2011 09:57:16
    Registry Success 01/02/2011 09:57:16

    Computer Configurationhide
    No data available.
    User Configurationhide
    Policieshide
    Windows Settingshide
    Security Settingshide
    An error has occurred while collecting data for Software Restriction Policies.

    This error impacts the following settings:
    Software Restriction Policies
    Software Restriction Policies/Security Levels
    Software Restriction Policies/Additional Rules
    The following errors apply to all of the above settings:
    An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type 'System.String[]' to type 'Microsoft.GroupPolicy.Reporting.Extensions.Regist ry.UnknownType'.
    Public Key Policies/Certificate Services Client - Auto-Enrollment Settingshide
    Policy Setting Winning GPO
    Automatic certificate management Enabled [Default setting]
    Option Setting
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled
    Update and manage certificates that use certificate templates from Active Directory Disabled

    Show certificate expiry notifications Disabled [Default setting]

    Administrative Templateshide
    Policy definitions (ADMX files) retrieved from the central store.Extra Registry Settingshide
    Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

    Setting State Winning GPO
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\0\Paths\{fcc636a4-7d56-4439-8085-7e479e736cd1}\Description 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\0\Paths\{fcc636a4-7d56-4439-8085-7e479e736cd1}\ItemData R:\ 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\0\Paths\{fcc636a4-7d56-4439-8085-7e479e736cd1}\LastModified 129409553165392874 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\0\Paths\{fcc636a4-7d56-4439-8085-7e479e736cd1}\SaferFlags 0 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\Description 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\ItemData %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\LastModified 129409493361966070 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\SaferFlags 0 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\Description 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\ItemData %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\ProgramFilesDir% 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\LastModified 129409493361966070 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\SaferFlags 0 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\DefaultLevel 262144 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\ExecutableTypes WSC
    VB
    URL
    SHS
    SCR
    REG
    PIF
    PCD
    OCX
    MST
    MSP
    MSI
    MSC
    LNK
    ISP
    INS
    INF
    HTA
    HLP
    EXE
    CRT
    CPL
    COM
    CMD
    CHM
    BAT
    BAS
    ADP
    ADE 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\PolicyScope 0 7-Software Restriction Policy User Based
    Software\Policies\Microsoft\Windows\Safer\CodeIden tifiers\TransparentEnabled 1 7-Software Restriction Policy User Based

  4. #4
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    hopefully that means something to someone

    as an aside - part of this policy is working correctly as it prevents me from saving files with the restricted extensions to the users H:\ drive.
    ie I cannot copy an *.exe to the users H:\ drive....

    However I have put notepad.exe on the R:\ drive which should be restricted and it still runs....

    Maybe I am not setting it up right?

    Is it possible to restrict executables from running on certain drives/root folders?

  5. #5
    chazzy2501's Avatar
    Join Date
    Jan 2008
    Location
    South West
    Posts
    1,774
    Thank Post
    212
    Thanked 263 Times in 213 Posts
    Rep Power
    67
    This is a USER GPO? have you have also enabled some kind of WMI filtering?, try removing that WMI and see if it works.
    Last edited by chazzy2501; 1st February 2011 at 10:37 AM. Reason: I can't Punctuate

  6. #6
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    Yes I want the software restrictions to be user based - is that incorrect?

    Yes WMI filtering enabled as I am testing W7 in a WinXP environment and need to be able to do so without affecting my current users.

  7. #7
    chazzy2501's Avatar
    Join Date
    Jan 2008
    Location
    South West
    Posts
    1,774
    Thank Post
    212
    Thanked 263 Times in 213 Posts
    Rep Power
    67
    User is correct, I've not tested Software Restrictions in Vista/7. I assumed it would work fine.

    Now furiously digging around for 7 laptop!

    Maybe make a new OU for testing, copy the GPO and remove WMI?

  8. #8
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    Ah......

    The reason the exe could not be saved to the users H:\ drive is due to File Server Resource Manager running on the students file server. File Screening Management does not permit the saving of "executable files"....

    Nothing to do with the software restiction policy....which I still cannot get my head round....

  9. #9
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    OK.
    Disabled ALL GPO's on my windws 7 test PC.
    Created a software restriction policy that was blank.

    Logged in to the test PC and saw using GPResult that the only policy being applied was the software restriction policy.

    So far so good!

    Edited the policy thus:
    Default security level - disallowed!

    Left all other settings as default.

    Tested on w7 pc.

    Checked event viewer:
    SoftwareRestrictionPolicies : Warning.
    Access to \\fp2\netlogon\setup.bat has been restricted by your Administrator by the default software restriction policy level.

    I then edited the policy:
    Additional rules -> New path fule and added in the netlogon folder for each DC.

    Rebooted test PC after running GPupdate /force.

    All good - no software restriction policy errors....

    And if I try to run a program from any network shares it fails.....

    I think all I need to do now is edit the policy to allow software to run from;
    1. Locally on the C:\
    2. From allowed network resource areas

    and it should be sorted.....

  10. Thanks to kennysarmy from:

    greenfieldsupport (11th January 2013)

  11. #10
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,285
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    30
    update:

    If I create a disallow software restriction policy and then create exception rules for drives V:\ and N:\ it does nt allow software to run over the network.
    HOWEVER

    If I create a disallow software restriction policy and then create exception rules for the full UNC paths ie \\fp2\Shapps and \\fp4\Shapps it does allow software to run over the network


  12. Thanks to kennysarmy from:

    greenfieldsupport (11th January 2013)

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 23rd August 2010, 12:02 PM
  2. Replies: 1
    Last Post: 20th July 2010, 11:36 AM
  3. Replies: 3
    Last Post: 29th March 2010, 01:01 PM
  4. Replies: 3
    Last Post: 11th September 2009, 09:01 AM
  5. Replies: 6
    Last Post: 28th September 2006, 07:06 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •