[RESOLVED] Win 2000 Group Policy - Restrict Users Running Particular Application

[TomGibbons]

I have the name of the EXE file that I wish to prohibit the users from running. Is it possible to do this using Windows Server 2000 Group Poilcies? If so, how?

Thanks

[dorbian]

I know that it's possible to outlaw people from running program's trough windows 2003 server, but then again the policy's changed a bit, if ur in the active directory users and groups console, go to the domain controller where the users are placed, right click on the domain and check the preferences, there should be a policy option somewhere round there, you should be able to disable some exe files there.

-Dorbian

[Ideas Man]

I know that it's possible to outlaw people from running program's trough windows 2003 server, but then again the policy's changed a bit, if ur in the active directory users and groups console, go to the domain controller where the users are placed, right click on the domain and check the preferences, there should be a policy option somewhere round there, you should be able to disable some exe files there.

-Dorbian

NO!!! NONONONONONONO!!!!!!!!!

Do NOT do it that high, it will affect everybody, including administrators.

The domain policy is one that you definatly should not touch, I've seen admins lock themselves completly outta Windows by doing that.

Anyway, there are two methods of doing it, the first one is in the User Configuration for a policy, goto Administrative Templates -> System -> Don't run specified Windows applications. Add the name of the program to the list.

The second method is to create an application hash of the program, I've never actually done this but it's apparently more reliable.

You can create a software hash by clicking Software Restriction Policies in the Security Settings node.
Click the Action menu and the item in the menu (Can't recall it because I've already activated it) and the rest of the tree should appear.
Go into Additional Rules -> Action -> New Hash Rule...
Select the file and type a description if you wish and click OK.

[TomGibbons]

NO!!! NONONONONONONO!!!!!!!!!

Do NOT do it that high, it will affect everybody, including administrators.

The domain policy is one that you definatly should not touch, I've seen admins lock themselves completly outta Windows by doing that.

Anyway, there are two methods of doing it, the first one is in the User Configuration for a policy, goto Administrative Templates -> System -> Don't run specified Windows applications. Add the name of the program to the list.

The second method is to create an application hash of the program, I've never actually done this but it's apparently more reliable.

You can create a software hash by clicking Software Restriction Policies in the Security Settings node.
Click the Action menu and the item in the menu (Can't recall it because I've already activated it) and the rest of the tree should appear.
Go into Additional Rules -> Action -> New Hash Rule...
Select the file and type a description if you wish and click OK.

And this works in Server 2000? Because I've not noticed any Software Restriction Policies in the Group Policy editor :-/

[dorbian]

replying to you post, Ideas Man.

Do NOT do it that high, it will affect everybody, including administrators.

if you create several policys, and you give yourself a policy where you don't add the exlusion there is no problem, and it is farmost the safest way to exlude applications.

[TomGibbons]

replying to you post, Ideas Man.

Do NOT do it that high, it will affect everybody, including administrators.

if you create several policys, and you give yourself a policy where you don't add the exlusion there is no problem, and it is farmost the safest way to exlude applications.

I'll try that on Monday when I go into work. Thanks, Dorbian

[Ideas Man]

if you create several policys, and you give yourself a policy where you don't add the exlusion there is no problem, and it is farmost the safest way to exlude applications.

If you apply it at domain level, it will affect administrators. It affects everybody and everything in the domain.

To do this effectivly, create required organisational units and keep the administrators separate from the normal users.

[Ideas Man]

And this works in Server 2000? Because I've not noticed any Software Restriction Policies in the Group Policy editor :-/

It should, It's in the Windows XP security permissions. Try Computer Configuration (Keep in mind, Computer configuration has to be applied to computers, not users).

Like I said, I've never used it, I use the other one. It works pretty well, only you can use VB or the command line to bypass it.

[TomGibbons]

only you can use VB or the command line to bypass it.

Ah that shouldn't be a problem. I can't think of a single one of our employees who would know what the command prompt is

I'll give this all a whirl on Monday. Thanks everyone.

[TomGibbons]

Perfect! Got it working nicely!

Thank you both Dorbian and Ideas Man. Your help is appreciated