Software restriction policy not working

w^rl0rdw^rl0rd Member Posts: 329
in Off-Topic
I just opened Gpedit and set the security levet to unrestricted and created an additional rule to disallow a certain app. I provided the UNC path (%programfiles%\foldername\app.exe) and ran gpupdate.

After logging back in, the policy still doesn't apply.
I have tried everything that I know of. Any ideas?
· Share on FacebookShare on Twitter

Comments

  • SmallguySmallguy Member Posts: 597
    well first of all where did you create the policy??

    also it is better to use a hash than a path because if the program is moved the policy no longer works

    look at

    http://support.microsoft.com/kb/324036

    also since it is a computer setting there needs to be computers in the OU your applying the policy to.
    · Share on FacebookShare on Twitter
  • w^rl0rdw^rl0rd Member Posts: 329
    Figured it out.

    Apparently, since my machine is a member of a domain. If I create it offline while logged on w/ a cached network acct, it will not apply until it checks the domain policy.

    Once I set it back to a workgroup it started working fine.
    · Share on FacebookShare on Twitter
  • SmallguySmallguy Member Posts: 597
    w^rl0rd wrote:
    Figured it out.

    Apparently, since my machine is a member of a domain. If I create it offline while logged on w/ a cached network acct, it will not apply until it checks the domain policy.

    Once I set it back to a workgroup it started working fine.


    what did u set to a workgroup??

    when u r an gpupdate did u use the /force switch.

    if your computer is a member of the domain the polciy should have applied after runing gpupdate /force.... by default think polices ae updated ever 90 mins(pretty sure) so doing the force should have force that to happen and once u logged off and logged back in the system should check for updated policies and find them.

    I'm not sure why u went ot a workgroup seems like it's defeating the purpose of using a domain policy (maybe I mis understood you)

    FYI depending on how concerend oyu are about security it is a good idea to disable cached logons
    · Share on FacebookShare on Twitter
  • w^rl0rdw^rl0rd Member Posts: 329
    According to MS

    http://technet2.microsoft.com/WindowsServer/en/library/0cbad90e-df80-4ee7-8f0f-ff38005e2dca1033.mspx?mfr=true

    If your computer is a member of a domain, local software restriction policies are not applied unless the computer can contact the domain controller to ensure that network policy does not override local policy.


    I just wanted to see if software restriction works. Since my computer is part of a domain, the local policy will not apply until the domain policy is checked.
    · Share on FacebookShare on Twitter
  • SmallguySmallguy Member Posts: 597
    ok you weren't actually conected to the domain I see why now
    · Share on FacebookShare on Twitter
Sign In or Register to comment.