Software restriction policy not working

I just opened Gpedit and set the security levet to unrestricted and created an additional rule to disallow a certain app. I provided the UNC path (%programfiles%\foldername\app.exe) and ran gpupdate.

After logging back in, the policy still doesn't apply.
I have tried everything that I know of. Any ideas?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Smallguy

well first of all where did you create the policy??

also it is better to use a hash than a path because if the program is moved the policy no longer works

look at

http://support.microsoft.com/kb/324036

also since it is a computer setting there needs to be computers in the OU your applying the policy to.

w^rl0rd

Figured it out.

Apparently, since my machine is a member of a domain. If I create it offline while logged on w/ a cached network acct, it will not apply until it checks the domain policy.

Once I set it back to a workgroup it started working fine.

Smallguy

w^rl0rd wrote:

Figured it out.

Apparently, since my machine is a member of a domain. If I create it offline while logged on w/ a cached network acct, it will not apply until it checks the domain policy.

Once I set it back to a workgroup it started working fine.

what did u set to a workgroup??

when u r an gpupdate did u use the /force switch.

if your computer is a member of the domain the polciy should have applied after runing gpupdate /force.... by default think polices ae updated ever 90 mins(pretty sure) so doing the force should have force that to happen and once u logged off and logged back in the system should check for updated policies and find them.

I'm not sure why u went ot a workgroup seems like it's defeating the purpose of using a domain policy (maybe I mis understood you)

FYI depending on how concerend oyu are about security it is a good idea to disable cached logons

w^rl0rd

According to MS

http://technet2.microsoft.com/WindowsServer/en/library/0cbad90e-df80-4ee7-8f0f-ff38005e2dca1033.mspx?mfr=true

If your computer is a member of a domain, local software restriction policies are not applied unless the computer can contact the domain controller to ensure that network policy does not override local policy.

I just wanted to see if software restriction works. Since my computer is part of a domain, the local policy will not apply until the domain policy is checked.

Smallguy

ok you weren't actually conected to the domain I see why now