How Can I prevent a specific application from being run on a specific machine using Group Policy?
I know this is possible to do and I am working on it with limited success. I believe the Group Policy I want is "Do Not Run Specified Windows Applications" - I can enable this and add the .exe I want to the list of programs not to be run.
I have tried this on my local machine by running gpedit.msc going to User Config > Admin Templates > System and then choosing that policy and editing and enabling it. Doing it this way verifies that it works as I could then not run the specified .exe (XenAppWeb.exe) So this is great.
I have created a GPO to do the same thing in GP Management on my domain controller where we centralize this, enforced it, applied it to an OU, and put one of our machines into this OU to test it. I have let it sit there for 3 days, run gpupdate /force, and when I try to run XenAppWeb.exe on this machine, it still lets me run it fine.
What can I look at to troubleshoot this?
I should note that I am trying to enact this policy on Windows XP machines (Virtual Machines)
Thanks, Mike
Solution 1:
One alternative would be to use Software Restriction Policies (Computer Configuration -> Windows Settings -> Security Settings) rather than the "Do Not Run Specified Windows Applications" user policy. This will also give you more flexibility around how you select the application to be blocked.
Keep in mind that any blacklisting approach can be worked around. If you want to ensure that the restriction can't be bypassed, you'll need to use Software Restriction Policies in whitelist mode, i.e., specify those applications that are allowed to run rather than those that are not.
Solution 2:
If you're setting the restriction policy on the User Configuration
section of the GPO then this will have no effect unless the user account objects are in the OU that you've applied the policy to (or if you enable loopback processing).
Shift the settings to the Computer Configuration
section of the policy, assuming you want the policy to apply regardless of who logs on to those systems.