  1. #1

    Gatt

    GPo - Software Restriction Policy

    I am working on setting up software restriction for the pupils here. Currently this is being done in a Test OU and a Test Pupil user which was copied from an existing user.

    Up until yesterday things were going fine with it set to only allow the applications that I explicitly specified - down to the actual filename, or to a group of files in a folder.

    But now I am having problems in that when I add a new "allowed" application to the list and then log in with the test user, it is refusing to acknowledge that the program is now trusted for use.

    The settings thus far are:

    Disallow by default

    =======
    WORKING
    =======
    Name Type Security Level
    C:\program files\microsoft office\office\*.exe Path Unrestricted
    C:\program files\internet explorer\iexplore.exe Path Unrestricted
    C:\program files\Crocodile Clips\Crocodile Technology 1.6\*.exe Path Unrestricted
    \\mhs-pdc\NETLOGON\*.bat Path Unrestricted
    C:\Windows\explorer.exe Path Unrestricted
    C:\windows\system32\winlogon.exe Path Unrestricted
    C:\windows\system32\userinit.exe Path Unrestricted
    C:\windows\system32\rundll32.exe Path Unrestricted
    \\mhs-pdc\kudos\kudos.exe Path Unrestricted
    C:\Program Files\Grisoft\AVG7\*.exe Path Unrestricted
    ==========
    NOT WORKING
    ==========
    C:\program files\Corel\Corel Graphics 11\Programs\*.exe Path Unrestricted
    C:\Program Files\Adobe\Photoshop 7.0\*.exe Path Unrestricted
    C:\Program Files\Adobe\Acrobat 7.0\Reader\*.exe Path Unrestricted
    C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\*.exe Path Unrestricted
    C:\Program Files\Winzip\*.exe Path Unrestricted
    C:\Pogram Files\Macromedia\Dreamweaver MX\Dreamweaver.exe Path Unrestricted
    C:\Pogram Files\Macromedia\Dreamweaver MX\JVM\bin\*.exe Path Unrestricted
    C:\windows\system32\*.exe Path Unrestricted

    -

    Is there something I'm doing wrong?

  2. #2


    Re: GPo - Software Restriction Policy

    Did you wait for the policies to update, or do a gpupdate /force (XP only), or a secedit /refreshpolicy machine_policy /enforce and secedit /refreshpolicy user_policy /enforce (2000), to make sure the policies were updated?

  3. #3

    Gatt

    Re: GPo - Software Restriction Policy

    Using 2k3 server, and ran gpupdate after changing the settings. The user is logged out unless I am testing policy changes, so when I log in it picks up the new policies - just not the new program restrictions anymore - which it used to do.

  4. #4

    Gatt

    Re: GPo - Software Restriction Policy

    Still not getting this to work.
    Checked the event log of the target machine, and I am getting the following error.

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1054
    Date: 17/01/2006
    Time: 09:44:47
    User: NT AUTHORITY\SYSTEM
    Computer: IT-TESTBED
    Description:
    Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Any suggestions?

  5. #5

    Geoff

    Re: GPo - Software Restriction Policy

    Run 'netdiag' on the server and post the results.

  6. #6

    Gatt

    Re: GPo - Software Restriction Policy

    Here's the results of NETDIAG...

  7. #7

    Ric_

    Re: GPo - Software Restriction Policy

    I can get in before Dos_Box and say... "it's a DNS issue!"

    If you look at the part that reads:
    DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.4.28.200' and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '10.1.198.65'. Please wait for 30 minutes for DNS server replication.
    PASS - All the DNS entries for DC are registered on DNS server '10.4.24.200' and other DCs also have some of the names registered.
    It looks like you have a DNS replication problem which can cause problems like this to occur. Check that zone transfers are allowed between servers and try forcing a manual replication to see if that helps.

  8. #8

    Gatt

    Re: GPo - Software Restriction Policy

    Yeah, was finding replication errors all over the place, found out why...
    the RJ45 wall socket for the BDC had failed, and no one had noticed!
    Don't know when it was but was at least 60 days ago, so the PDC was not wanting to talk to the BDC anymore - spent ages trying to get the replications back up and running - hopefully cracked it - AD-UC is now replicating over, will check DNS, etc. tomorrow...

  9. #9
    fooby

    Re: GPo - Software Restriction Policy

    You are going to have problems with the Macromedia suite. In the college I administer I found that Dreamweaver spawns a process in the user's temp folder, called something similar to (random each time) ~edb112.tmp

    Currently this means students can write to this folder and run anything. :'(

  10. #10

    Gatt

    Re: GPo - Software Restriction Policy

    Any way of changing where this file is stored?

  11. #11
    fooby

    Re: GPo - Software Restriction Policy

    As far as I explored, there wasn't. I have taken the "security through obscurity" approach and ignored the problem and not talked about it.

    The director of ICT here has said any problems from it and it's an admin thing (get parents in etc.). We can reclone a PC using Symantec Ghost (that was fun getting it set up), so it's not a major problem.

  12. #12
    fooby

    Re: GPo - Software Restriction Policy

    It stores the files wherever the TEMP environment variable is set to. If you can change this to a place less obvious, or that is cleared out often, or a network share where EXEs are prevented from being stored (file screening on an HP NAS or Windows Server R2's file screening), this will obviously add network traffic and slow down Dreamweaver as it's accessing a network place.

    Thinking about it, you could set the temp folder to their document or profile folder with the file screening on; however, 16-bit or some older software will become affected by this change... not good. I remember now I tried changing it and lots of our maths software stopped working.

  13. #13

    plexer

    Re: GPo - Software Restriction Policy

    I would really advise against fiddling with the temp environment variables unless you really need to as I've had lots of problems with it.

    Ben

  14. #14
    fooby

    Re: GPo - Software Restriction Policy

    Yeah good plan
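
The temp-folder problem raised in posts #9 to #12 is one case of a general weakness of path rules: an Unrestricted path that pupils can write to lets them run whatever they place there. The PowerShell below is an added example, not code from any poster in this thread; it reads the applied SRP path rules from the registry and flags rule folders where Everyone, Authenticated Users or BUILTIN\Users can create files, and rules whose path does not exist on the machine. It assumes the standard SRP policy registry location and does not evaluate Deny entries, share permissions or other group memberships.

```powershell
# Added example (not from the thread): audit SRP "Unrestricted" path rules.
# Read-only. Run in a session where the policy has applied; HKCU is the current user's.
$rulesKey    = 'Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths'  # 262144 = Unrestricted
$userSids    = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'  # Everyone, Authenticated Users, BUILTIN\Users
$writeBits   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-UserWritable([string]$Folder) {
    # True if an Allow entry that applies to $Folder itself lets a broad user
    # group create files there. Simplification: Deny entries are not evaluated.
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $userSids -contains $ace.IdentityReference.Value -and
            -not ($ace.PropagationFlags -band $inheritOnly) -and
            ($ace.FileSystemRights -band $writeBits)) { return $true }
    }
    return $false
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Join-Path $hive $rulesKey
    if (-not (Test-Path $key)) { continue }
    foreach ($rule in Get-ChildItem $key) {
        $raw = (Get-ItemProperty -LiteralPath $rule.PSPath).ItemData
        if (-not $raw -or $raw -like '%HKEY_*') { continue }   # skip registry-path rules
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        # A rule may name a file, a wildcard (*.exe) or a folder; audit the containing folder.
        $isPattern = $path -match '[*?]'
        $isFolder  = -not $isPattern -and (Test-Path -LiteralPath $path -PathType Container)
        $folder    = if ($isFolder) { $path } else { Split-Path -Parent $path }
        if (-not $folder) { continue }                          # bare file-name rule, no folder to check
        $missing   = -not (Test-Path -LiteralPath $folder -PathType Container) -or
                     (-not $isPattern -and -not (Test-Path -LiteralPath $path))
        $status = if ($missing) {
            'not found on this machine'
        } elseif (Test-UserWritable $folder) {
            'USER-WRITABLE'
        } else { 'ok' }
        [pscustomobject]@{ Hive = $hive; Rule = $raw; Folder = $folder; Status = $status }
    }
}
```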

  15. #15

    Gatt

    Re: GPo - Software Restriction Policy

    OK, deleted the GPO and recreated it.
    All OK with the stuff on the desktop (e.g. Word & IE),
    however... launch them from the Start menu - disallowed!!
    Using local paths as the rules. Pupil using a mandatory profile.

    Any ideas?

    Wondering if it's cos of the local links but not sure how to use the registry as the links.
